The OpSec Blog

Security and privacy information and advice at home and abroad.

Three Interesting Papers from WEIS 2011

with 2 comments

The 10th annual Workshop on the Economics of Information Security (WEIS 2011) was held at George Mason University in June.  WEIS is “the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science” and almost never fails to produce interesting papers.  Here are the three I found most interesting and relevant to the average person.

Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, and Jean-Pierre Hubaux of EPFL, Switzerland presented, “The Inconvenient Truth about Web Certificates” (PDF).  This paper lends more fuel to the growing fire being lit under one of the most popular security protocols on the internet – HTTPS, a protocol I’ve highlighted in a previous post.  The paper presents solid evidence for the case that the current system of large, for-profit Certificate Authorities as arbiters of what is a legitimate website and what is not (and possibly malicious in nature) is broken.  One of the more interesting pieces of information gleaned from the data is that only 22.6% of web pages asking a user for a password were implemented in HTTPS [Bindschaedler et al., 10].  In a crude analysis, this means that almost one in four passwords are being sent in the clear.  They conclude;

“We can compare the current situation to a market for lemons: information asymmetry occurs because CAs know more about certificates than websites and users. … Only a fraction of elite website administrators achieves high security by obtaining EV certificates and installing them properly. …We believe that the right incentives are not in place and suggest multiple policy changes to solve this issue [of economic disincentives that promote good security]. Notably, we suggest to make CAs liable for the proper use of certificates, web browsers to trust only top performing CAs, and the creation of an open-source community checking on root CAs.”  [Bindschaedler et al., 24]

The paper’s closing suggestions also raise some interesting issues; who would enforce a statute governing proper use of certificates?  How would a measurement (or measurer) of “CA performance” be transparent enough to be universally accepted?  An open source community check on root CAs seems feasible, but a critical mass of people with the dedication and technical ability to make meaningful contributions is hard to come by.

Dallas Wood and Brent Rowe pose a provocative question; “Assessing Home Internet Users’ Demand for Security: Will They Pay ISPs?” (PDF).  With general outcry over even modest price increases of internet services (just take a look at Netflix), I would have thought asking this question to the general public would result in a resounding “NO” followed by a lawsuit when the data breach the increased security measures (and increased cost) were supposed to defend against.   Wood and Rowe’s results suggest that, in general, customers would actually be willing to pay more in exchange for more robust security controls on the ISP’s part.

Specifically, we found that home Internet users were willing to pay up to $6.51 per month to greatly reduce the risk of identity theft, $4.40 per month to greatly reduce the risk of their computer crashing, and $2.94 per month to reduce the risks other individuals and businesses might face as a result of their personal insecurity.

ISPs have maintained that customers are not willing to pay more for increased security.  The study suggests that – for once – big business is actually ignoring what could be a profitable market with a larger societal benefit as a side effect.

Lastly, Daegon Cho of Carnegie Mellon University presents a statistical analysis on the effect of a law that I had never heard about in his paper, “Real Name Verification Law on the Internet: A Poison or Cure for Privacy?” (PDF).  The Real Name Verification Law requires all websites with a daily viewership of over 100,000 to require user registration with a national ID number to verify their identity in order to make postings to that website.  Fans of Reddit would realize what a disaster this could be for their internet habits.

His analysis shows that requiring one’s real name when leaving comments on popular websites were significantly changed for the better;

…identification of postings had significant effects on reducing uninhibited behaviors (swear words and antinormative expressions), suggesting that Real Name Verification Law encouraged users’ behavioral changes in the positive direction to some extent. … Also, discussion participants with their real names showed more discreet behaviors regardless of the enforcement of the law. It seems that users have recognized that the level of anonymity was shifted by the law, from complete dissociation of real and online identities to only visual anonymity by pseudonyms in which their real identity can be detectable.

I found this study worth noting because this issue has cropped up multiple times at State, mostly concerning use of a popular, internal “Idea Submission” forum called “The Sounding Board.”  Currently, Sounding Board profiles are linked to employees’ Active Directory accounts, which use their real names with no option to comment on ideas anonymously (although you can submit new ideas anonymously).  The Sounding Board moderators have repeatedly refused to admit anonymous comments for the reasons this paper supports in the inverse (i.e. while the Real Name Verification Law aims to improve the quality of discourse by eliminating anonymity, The Sounding Board (TSB) moderators hope to maintain it by not allowing anonymity in the first place).

As a “lurker” (someone who frequently reads the discussions on TSB but rarely participates actively), I can safely say that even without the warm, cozy blanket of anonymity, the discussions get heated enough.  Some individuals don’t even seem to care that their coworkers and superiors can read their comments, and while I haven’t heard of any obvious cases in which one’s “Sounding Board” reputation has affected their career, I’m sure it has happened already.  While it’s debatable whether or not any Department-owned forum is truly “anonymous” (after all, State employees have no expectation of privacy when using government-owned machines on a government network), this paper has me slightly curious to see what would happen if anonymous comments were allowed for a short period of time.

State people- what do you think would happen if The Sounding Board went anonymous?


2 Responses

Subscribe to comments with RSS.

  1. I imagine the number of anonymous commenters, with valid comment content, would be overlooked due to the majority of flamers and trolls ready to pounce with no accountability. The Sounding Board has morphed into something beyond what it was intended for. I think it’s best to keep names linked to comments.


    26/07/2011 at 12:56

    • That’s probably true. The moderators are pretty good about removing the really outlandish comments though – but they’d have a lot more work to do so maybe that’s why they don’t allow anonymous comments.


      26/07/2011 at 21:42

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: