Security - What is it and what is it good for?
Disclaimer: I am NOT a security expert. This commentary is more focused on the societal and social concepts than any particular technology, from the perspective of a normal, reasonably educated and informed human. In fact, I suggest that you miss the forest for the trees if you focus on security-as-technology.
"Security" is a simple-sounding word that most people think has an obvious meaning. It doesn't. "Security" is complicated, it's not black and white, and there aren't even enough colors in the rainbow to fully describe it. The Industry tosses around the word as if it had tangible meaning because, well, who doesn't want to be "Secure"? Security is good, right? Everyone wants it, everyone needs it, so if you sell a product or service, slapping "Secure" on it is a no-brainer. It's good.
Possession is ownership
First off, generally physical items can be characterized by their tangible nature. You can touch them, you can hold them, you can own them. Generally, physically possessing something is synonymous with ownership. So if you can secure possession you can secure ownership. And if you secure ownership you secure value.
But what is "Security"? Security is often used as a placeholder for "Protection". But protection from what? For physical things, security usually means protection from loss of ownership. Since there is only one of a particular thing, loss means taking something away, depriving you of it. Loss of possession becomes loss of ownership, which becomes loss of value.
Protection
A "Bank Vault" is a typical image of physical security. You put things in it so people can't take them. But if something is in a vault you can't use it. If you put your car in a vault you couldn't drive it. If your money is in a vault you can't spend it. If your physical life needs to be secure, should you lock yourself in a vault?
Physical security is at direct odds with usability. If something is perfectly secure it's generally completely unusable. So what good is owning or possessing something if you can't use it? Sometimes securing something for future use is sufficient, such as saving money to spend later. But often you want to secure something AND use it. And in either case, the moment you remove your item from the vault it is no longer protected, so the vault may simply be reducing the window of opportunity for loss, not providing total protection from it.
Usability
This leads to compromises in security in order to have a measure of usability. Instead of putting your car in a vault, you put locks on the doors so you can drive it. It's not as secure, but it's more usable. Another way of compromising security with usability is using a proxy for the item. You put your real jewelry in the vault but wear glass, and knowing you actually own the real thing, you feel like you're getting the benefit of it without putting it at risk. You can associate trust with a proxy vendor. For example, you create Bank Notes, Checks, Credit Lines, Certificates of Ownership, etc., which you can use to buy things without actually putting at risk your actual money (or gold or gems). This lets your money stay safe but still be used. But now the recipient has lost some security. How do they know the check you wrote is good, since it's not 'the real thing'? This is where the Proxy comes in. You are trading on a promise based on a shared faith (the proxy). Both parties have faith that you really have the money in the bank and the check is a proxy for transferring money from one party to the next. You both have faith in the proxy vendor (the bank in this case) to honor the transaction - to mirror the transaction of the proxy with an equal transaction of the real thing.
Getting complicated, isn't it?
Trust
But now not only have you added a layer of trust (and hence risk), but because the instrument of the proxy (the check) is not the real thing, it can be copied! How do you know you're getting the original? In the case of money, which itself is yet another proxy for value, it itself could be copied (counterfeited), so now we have multiple levels of trust and risk and even less security, all in the name of usability.
Insurance
How is this solved? Insurance. You add another party to the transaction which is neither one of the parties of the transaction nor the proxy for value. This party "insures" the system still works by guaranteeing a replacement in kind or value if the system breaks down. You leverage insurance at many levels. At the bank, if your money is stolen it is insured against theft by the bank. If the currency itself is copied (counterfeit) you are insured by the treasury. If a check is duplicated you are insured against loss by the bank or a separate insurance agency. If your car gets stolen you are insured by car insurance for replacement.
By now the system is so complicated you have absolutely no security of the actual physical items themselves but only their value (declared in some currency or unit). No one is promising to give you your same car back, only something of equivalent value.
And what if the original item is truly irreplaceable - say a one-of-a-kind painting, or your life, or health? These things have no intrinsic value; you must declare one and agree on the replacement. How much is your life worth to you? How about that rare coin?
Cost Compromise
None of this comes for free. All the physical security, third party proxies, records of transactions of ownership and insurance all cost. The cost could conceivably be more than the value of the item you want secured. Or maybe just more than you are willing to spend. Maybe it simply isn't worth the cost or effect and you take your chances, and you weigh the cost vs benefit of "security" and decide what cost is worth the benefit to you.
Intellectual Property
What about "Intellectual Property"... That's a funny term. Think of IP as a thought, or rather the recording of a thought. It might be a recipe, a picture, a movie, software. Like physical, tangible items, IP has a value. Unlike physical items, however, the cost of copying the property is generally small compared to the cost of creating the original. A copy of intellectual property may be completely indistinguishable from the original. This is an interesting property that some tangible items share. An extremely good copy of, say, a gold coin may be just as valuable as the original. But then there is no such thing as a copy of your life. There is also the issue of theft vs copying. If I take a physical item from you, I deprive you of it. If I *copy* an item I may or may not deprive you of its value. If I even *see* something I may deprive you of its value (for example a photo of you committing a crime).
So what does "security" of intellectual property mean? Is it similar to tangible items?
Start with Nothing
Let's take for example a simple IP - an event. For example, you ran a red light. If you want to secure this event, what's the best way? Don't do it. If you don't do something then it can't be taken from you. It is secure. "Freedom is nothing left to lose". And if you do run the red light, certainly don't take a picture of it! Learn from our congressmen. Any events that don't occur you don't need to secure. Any events that aren't recorded are secure.
Simple, right? Or is it?
What about the traffic cam you didn't see? Simply not recording something yourself doesn't secure you; it can be recorded by others. So not recording something yourself is not sufficient. You must make sure it is not recorded by anyone. Ever.
But what if there was no recording? Suppose the police *claimed* you ran the red light. You are not secure! You have no proof that you didn't do it. But if you had a picture of the light at the time claimed and it was green, you are secure. Or if you have a record of you at a different place at the same time, you are secure.
So for security against events that never even occurred you need IP! This is why many people in Russia have camera recorders going all the time. To protect themselves from events that didn't happen.
So to secure an event, you need both records of it happening (to assert the positive) AND records of it not happening (to assert the negative). This may ultimately be why "life blogging" devices start getting used - not just to record events we want to remember and share later, but to protect ourselves (and others) against accusations of events that didn't occur or occurred to others who were not currently recording them.
Pictures
What is the classic example of a record of an event? A Picture. How would you protect it? First off, what are you protecting against? Do you want to make sure no one gets it without your consent? Or do you want to make sure it is never lost? Or both?
To make sure a picture is never acquired, the best solution is to never take it in the first place. Second best is to destroy it and all evidence of it and that it ever was taken. If there is evidence that a picture exists or existed, that may be less secure than either the picture itself or nothing at all. Amazing, but consider this. If during the security checkpoint on a trip the border patrol finds encrypted files on your disk, you may be under more suspicion (less secure) than if they found the pictures and they were clearly of your sunny vacation from Mexico. The absence of a murder weapon from its case may be more suspicious than finding the weapon itself (unused).
Privacy
The above examples of the modern world lead to some uncomfortable conclusions. As with tangible items, where you trade value and usability for security, for your life you may willingly trade security for privacy. In fact you already are giving up your privacy, likely unknowingly or unwillingly, by the existence of omnipresent surveillance. Every time you go into public, make a purchase (even with cash), travel, almost every action leaves a trail of electronic bits. You simply cannot prevent this. Even trying to "leave the grid" will leave a trail of your absence.
Since you cannot stop the collection of data about your everyday life, one way to combat some of the negative consequences is to collect your own. The more evidence about your daily life you collect and control yourself, the more secure you are against misuse of information and the more control you have over your digital life. Securing yourself against events you are willingly involved in which you don't want others to find out about is a different topic entirely. But protecting your life against misuse of information collected by others can be improved by collecting as much information as you can yourself and securing it. And at the same time you may also be protecting others by providing an independent information source.
The Tradeoff for Securing IP
For whatever reasons, you have collected a lot of intellectual property (pictures, videos, emails, software, documents, sales receipts, etc.). And for whatever reason you've decided that securing this IP is important. As with physical items there is always a tradeoff, always a cost, and always side effects.
Delete it
As mentioned before, one way of protecting IP is getting rid of it. No one can take what you don't have. For some, that is a good idea. It takes a lot of effort to do, however, and actually it's impossible to completely eliminate your e-trail. It's even extremely hard to do a half-decent job. But suppose you could, and you delete all your emails, all your photos, even destroy your old hard drives, phones, etc. Let's forget for the moment that copies of most of this stuff are still lying around somewhere on internet servers and the NSA's private vault. But for your purposes you have secured your IP by deleting it. But now it is unusable. If you've done your best to get rid of things so no one can use them, then certainly you can't either. That's one way to go, but in fact you have not really protected yourself against dedicated e-hunters but you have completely removed all value to yourself. That's generally not the compromise most people want.
Encryption
Encryption is a false god. It is often touted as a panacea of IP security. The idea is good. You encrypt your data, then no one else can get it but you. The problem is in the details. In one way encryption is like a safe. Only you (with the key) can get in. But also like safes, there are safe crackers and there are lost keys. In order to use the data you need the key. The harder the key is to find (or remember), the harder it is to use the data. Roughly, encryption can be thought of like locks. The better the encryption, the harder the lock to open but the less accessible the data. Some locks, like your car or front door, are to prevent casual thieves but won't deter a persistent professional. On the other hand, if you lose the key you can call a locksmith or look under the mat for the spare. Really good locks can be like Fort Knox. Really hard to use, really expensive, and no one is going to get your data - probably not even you, because if you lose your key you're toast.
Consider also what the purpose of securing your data is. Is it to prevent it from being accessed, or is it to prevent it from being lost? Encryption can be a good tool, but needs to be used with care because it actively makes it harder to get at your data and carries a higher risk of losing it altogether.
Duplication
Sometimes the best kept secret is the one you tell everyone. This is actually used by security agencies if they discover a skeleton in your closet. You write a letter to everyone you care about admitting to it, then you no longer are at risk for blackmail. Your secret is no longer a security problem because it's not a secret.
IP can be the same. If you copy your data all over the place you are less likely to lose it. You are secure against data loss. Interestingly, you can actually improve ownership by giving it away. If you embed in your data your claim of ownership (for example a copyright notice) then it becomes harder for anyone to claim it was theirs. They can remove the notice themselves but it is very hard to remove it from all copies all over the world. Similar to Life Events, by trading privacy (hiding) for security you are actually increasing your security against misuse of information. The security you gain is both security against physical loss and at the same time security against misuse of information.
But like Life Events, you probably shouldn't use this technique to secure IP you don't want people to know about.
Insurance and IP Law
Like physical property, IP can be secured with insurance. Like physical items, complete loss may not be recoverable by identical data, but loss of value may be recovered by forms of insurance. This might be insurance from an IP provider against loss, copyright infringement lawsuits for stolen data, or actual IP insurance from an insurance agency. Loss by either physical loss or loss of value can be mitigated. And like with physical property, everything has a cost and it is up to you to decide if your IP is worth the cost of the security or insurance and how to make the right compromise.
Conclusion
There is a lot more to security than can be covered in this discussion but there are some important takeaways.
· Security is not a simple concept.
· Security can be protection from loss or protection from discovery. These are often at odds with each other.
· There are intrinsic tradeoffs of security vs privacy vs costs vs usability.
· Information security has similar properties to physical security.
· Collecting information yourself and managing it can help protect against misuse of information collected about you by others, adding to your personal security.
· There is no single solution but there are methods and considerations to maximize protection and mitigate loss.