Shostack + Friends Blog Archive


Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts.

A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowan has a short on “fake following.”

I think the futility of these systems involves a poor understanding of how people interact. The systems I like and use (LinkedIn, Dopplr) are very purpose specific. I really like how Dopplr doesn’t even bother with a friend concept–feel free to tell me where you’re going, I don’t have to reciprocate. It’s useful because it doesn’t try to replace a real, complex relationship (“friendship”) with a narrowly defined shadow of the world. (In this vein, Austin Hill links a great video in his Facebook in Reality [link to no longer works] post.)

In information technology, we often replace these rich, nuanced concepts with much more narrow, focused replacements which serve some business purpose. Credit granting has gone from an assessment of the person to an assessment of data about the person to an assessment of the person’s data shadow. There are some benefits to this: race is less of a factor than it was. There are also downsides, as data shadows, blurry things, get confused after fraud. (Speaking of credit scoring, BusinessWeek’s “Your lifestyle may hurt credit score” is not to be missed.)

We’ve replaced the idea of ‘identity’ with ‘account.’ (I’ll once again plug Gelfman’s Presentation of Self for one understanding of how people fluidly and easily manage their personas, and why federated identity will never take off.) Cryptographers model people as Alice and Bob, universal turing machines. But as Adi Shamir says, “If there’s one thing Alice and Bob are not, it’s universal turing machines.” Many people have stopped Understanding Privacy and talk only about identity theft, or, if we’re lucky, about fair information practices.

So the key lesson is that the world is a complex, confusing, emergent and chaotic system. Simplifications all come at a cost. Without an understanding of those costs, we risk creating more security systems as frustrating as those “social networks.”

[Update: It turns out Bruce Schneier has a closely related essay in today’s LA Times, “The TSA’s useless photo ID rules” in which he talks about the dangers of simplifying identity into intent. Had I seen it earlier, I’d have integrated it in.]