
Curtis Koenig

Driving Computer Security from the Passenger Seat

http://www.linkedin.com/in/curtisko
October 22

A minor acknowledgment

Ok, so this is not a big deal but it means something to me. I happened to catch a minor error in a white paper by Adam Shostack of Microsoft, a very good blogger and security professional in his own right, so this is not in any way a dig on him or his work. Today Adam republished the paper and included my edit catch in the acknowledgements. I just felt honored to be included by Adam, as Threat Modeling and Security Development Lifecycles are a topic near and dear to me in my daily life.
 
June 27

Farewell, Mr. Gates

I love Microsoft! There I said it. Even though my first computer was an Apple I was quickly drawn into the PC world. I have spent most of my gainful, and not so gainful, computer life on a PC. I talk about Microsoft, its products and its culture even though I have not worked there for almost 2 years now (and yes I miss it). I talked about Microsoft even before I worked there, it changed everything for me. So if I must I will admit it.

“My name is Curtis, and I am a Microsoft fanboy.”

It’s no secret that today is the last day for its founder and chief nerd Mr. Bill Gates. For an awkward kid who loved computers Bill and Microsoft represented a future where my intellect would be respected by peers instead of getting me a wedgie. It was (and probably still is) a culture that was largely predicated on the idea that if we challenge very bright people and then leave them alone, then they will take on great challenges and achieve them without being overly managed. Where my success was judged on what I achieved, not on what I wore or the school I attended or the hours I kept to achieve those goals. I honestly believe it was a meritocracy and I was only limited by my abilities and my willingness to apply them to interesting problems….and the free soda was a nice touch.

So today I say farewell and thank you to the creator of that visionary company, Mr. Bill Gates and Microsoft. Even though my career has taken me elsewhere, the experience of my first real job at Microsoft will live with me forever. Working at Microsoft after I got my master's degree was like a Ph.D in business and computer science in some sense. There were/are lots of smart folks willing to share the knowledge they had with me, resources galore for accomplishing our tasks and the freedom to think of some really wild stuff (if you ever get a chance to see what MS Research is up to, go). Not to mention my own personality of competition was nurtured and allowed to be applied and encouraged.

To that end, thank you, Mr. Gates. Godspeed on your next journey. And if I am really lucky maybe we will cross paths somewhere along the way.

May 26

Effects of Negative Information

I was listening to an NPR interview of George Soros the other day and a particular item really caught my attention. Mr. Soros mentioned a concept we have all heard from Adam Smith. Loosely this concept is:

When individuals in the market act in their own best self-interest then the market itself will act in the best interest as a whole.

The idea here is that when we all do what is best for us, then overall allocation of resources and actions will also derive the best benefit overall. Soros was challenging this concept, noting a problem of information. The problem arises in that the current investors are all getting information from what is essentially a common source. Thus the ability to act independently in one's own self-interest is compromised. This is an even greater effect in his opinion when bad (incorrect or misleading) information is injected into and disseminated throughout the market. Mr. Soros was illustrating this using the current economic difficulties as an example where he felt that "bad" information caused large groups to act in ways that ultimately led to negative effects.

What struck me here in terms of computers and computer security is how this same concept could apply to computer networks and tools like IDS, IPS or even anti-virus; essentially any network where information about actions is exchanged. A corollary link could be made to the way computers in a network act when connected to a security system of this nature and to that of the market described above. This is not the perfect market example but the example that is described as acting sub-optimally.

So to set the stage, each computer in a network is an individual actor within the network with some subset of information. In this case the information of interest allows the computer to protect itself from negative interactions (virus infection, worms, etc.) and that information is shared among other connected systems. Each system is acting in the self-interest of protecting itself and when all systems are acting in this way the shared resources (network, storage, etc.) are optimally utilized by all players and are conferred optimal protection. Thus, it is setting a Smith-like system of individual interest conferring market optimization.

Shared Resource
Let's constrain the model a bit. Here, all the systems in the network are using the same security software and the same set of signatures or behavioral rules in order to make "security decisions"†. Each system acts as it should when presented with known "bad" actors and follows some set of heuristics or preset actions when unknowns are presented. When the information is good, the systems will have no problem dealing with anything presented, whether that be good or bad. It should also be noted that the focus here is solely on the security or security software layer, not on the OS, application, or other software that may be present.

Now we can interject some bad information, which could be either classifying a positive or allowed action as a negative, or applying a positive to a negative; the difference is negligible. The only variable here is whether this information is applied to one system or all systems simultaneously. I submit that this is just a matter of rate-of-dispersion and only has an effect such that the rate-of-outcome is affected and not the overall outcome, and thus can be ignored for the purpose of this experiment. Each system should be acting in its own best self-interest, which they still are. However, they are now acting on a subset of information that has a flaw causing a sub-optimal outcome; and if you ever used AV software you know that this does happen (I am not going to discuss rates of error here; this is already a nebulous topic as is), as the humans who make the signatures do make mistakes from time to time.

In this particular case I would submit that the greater security threat is on the case where a "bad" action has been classified as good (a false positive). This example is a close corollary to what is deployed in corporate networks; a closed network with shared resources with the actors all playing from the same handbook (set of software and signatures or algorithms). Thus, the interjection of such information would have the largest negative effect†† in that actions taken would be contrary to self-interest and contrary to the interest of the "market" overall.

Partial Solution
I say "partial" as I am still unsure whether this actually constitutes a solution.  In this case the model for the network is the Internet itself. The same base issue exists in that you have a shared network with individual actors attempting to make the best security decisions. However, the model is much less common as actors in this space may or may not have security software and even those that do are only somewhat likely to share the same software as all the other users. Again in this model we are constraining the topic to the security software only, not the OS or other application software.

At its face value this would appear to have an advantage over the shared resources example. However, I would submit that overall it is not that different at first. While systems in the network may have signatures and underlying software from different vendors, this is undermined by information sharing among the vendors (sample sharing, not signature sharing). So the possibility exists that bad information injected into the underlying security network could still propagate among all players, assuming that the sample is exchanged in some format that also conveys that the sender has rated the sample in some fashion. This would also rely on vendors taking that recommendation without first doing a full self-evaluation and making an individual determination. While not likely, when things are heated and humans are group-thinking I would argue that this possibility grows in likelihood.

This is where I believe advantage appears, using a framework of multiples or some type of protection scheme where the software and signatures of multiple vendors are used.  Yes, the vulnerability of the shared information example exists, but I believe it is much less likely than 3-5 signature sets having the same flaw on the same item at the same time. So if the networks are run in such a way as to cause a stop when one of them does not agree with the others a greater level of protection is conferred. At this point I see a systems management problem that is beyond the scope of the initial postulate that I may discuss another time.
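The two models above can be put side by side in a short simulation. This is an added example, not code from the original post: the engine names, sample identifiers and the HOLD verdict for unknown samples are assumptions made for illustration, and the signature sets are constructed data.

```python
from collections import Counter
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    HOLD = "hold"  # stop and escalate to a human

def engine_verdict(signatures, sample):
    # Assumption: a sample the engine has no rule for is held, standing in
    # for the "preset actions" the post mentions for unknowns.
    return signatures.get(sample, Verdict.HOLD)

def shared_fleet(signatures, hosts, sample):
    """Shared Resource model: every host consults the same signature set."""
    return {host: engine_verdict(signatures, sample) for host in hosts}

def consensus(engines, sample):
    """Multi-vendor model: act only when every engine agrees, else HOLD.
    Returns (verdict, names of engines that differ from the majority)."""
    verdicts = {name: engine_verdict(sigs, sample) for name, sigs in engines.items()}
    if len(set(verdicts.values())) == 1:
        return next(iter(verdicts.values())), []
    majority = Counter(verdicts.values()).most_common(1)[0][0]
    return Verdict.HOLD, sorted(n for n, v in verdicts.items() if v is not majority)

# Constructed sample data (not real signatures or vendors).
GOOD = {"sample-benign": Verdict.ALLOW, "sample-malicious": Verdict.BLOCK}
FLAWED = {**GOOD, "sample-malicious": Verdict.ALLOW}  # the injected bad information
HOSTS = ["host1", "host2", "host3", "host4"]
ENGINES = {"vendor1": FLAWED, "vendor2": GOOD, "vendor3": GOOD}
PROPAGATED = {name: FLAWED for name in ENGINES}  # every vendor adopted the flaw

if __name__ == "__main__":
    # One flawed shared set: every host allows the malicious sample.
    print(shared_fleet(FLAWED, HOSTS, "sample-malicious"))
    # Three sets, one flawed: the disagreement forces a stop and names vendor1.
    print(consensus(ENGINES, "sample-malicious"))
    # Flaw propagated through vendor sharing: consensus no longer helps.
    print(consensus(PROPAGATED, "sample-malicious"))
```

The last case is the residual weakness described in the previous paragraph: agreement among engines only adds protection while their errors stay independent.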

While I may not have conferred an actual solution, I think at the minimum this is an interesting space to spend some thought in. As security professionals we spend a fair amount of time designing networked solutions of the first example without thinking of the threats that "bad" information may ultimately have. Perhaps you will even re-evaluate your stock portfolio based on the fact that you're likely getting the exact information I and the rest of the world are receiving and consider acting in a contrary fashion.

 

† Computers don't really make "decisions" but for lack of a better term at this point I am using this.
†† This would seem to support the mono-culture argument presented by Dan Geer; however, he argues this on a system level, which I disagree with, and I would submit that this particular model is more appropriate in that the target area of interest should be the security software layer and not the OS layer. But this digression is best left for a topic at another time.

May 11

If only High Speed were Like this in the US

BT bundles smartphone with broadband

I really do wish it were this easy to get a mobile phone with great internet connectivity and be encouraged to use it. I am jonesing for a smartphone as it is, my place of employment is so draconian that any kind of personal use of the internet for any reason is frowned upon. You would think companies would want to encourage users to stay at their desks and work late and just accept some personal computer use.

April 09

Can Microsoft Extend Security Culture to a Trust Culture?

Kids on spring break = less blogging from me but this was too good to pass up.

So the folks at Microsoft do appear to be taking a more holistic view of trust. We can only hope that said view is not MS technology specific. I personally want to see MS embrace its roots a bit more: creating tools that allow developers to create great experiences for users. By no means should Windows be abandoned, as a stable common platform is also good for developers. For now I think that is Windows; in the future the "web" will be more of a platform and then those that make great tools will be king. Here's hoping Visual Studio continues to be a great tool to build those experiences.

Read Scott Charney’s Full Article about End to End Trust
Read Microsoft's End to End Trust White Paper

 