Monday, October 25, 2010

pity the anti-virus naysayer

pity the anti-virus naysayer, for when one decries the failure of anti-virus one reveals the failure in oneself

i don't think it's necessarily all that interesting to talk about the "AV is dead" movement anymore - saying anti-virus (or anything else security-wise) is dead is a pretty obvious cry for attention. instead in this post i want to look at the popular notion of "the failure of AV".

when one talks about the failure of anti-virus, what has anti-virus failed to do in the most general sense? failed to stop malware XYZ? failed to protect the endpoint from a specific attack? no, those are all reasonable failures not really worthy of being harped on if you accept that no preventative measure is perfect. in the most general sense, when one talks about the failure of anti-virus one is talking about the failure of anti-virus to live up to one's own expectations.

but are those expectations reasonable? in all likelihood they aren't. they are expectations born not out of an understanding of AV, but rather out of listening to marketing (stop listening to marketing!). if you truly understood AV then your expectations would be a pretty close match to reality, so incidental failures wouldn't surprise you or be a cause for concern. if you really understand AV then those incidental failures should be anticipated and planned for.

therefore, when one decries the failure of AV, it is because one doesn't actually understand it, one hasn't anticipated the incidental failures and made plans for them. it is a failure of understanding that happens all too often, where one tries to use marketing bullshit as a substitute for actual knowledge but only winds up with mismatched expectations. actual knowledge has no substitute and can often be hard to come by. "the failure of AV" may get you brownie points in populist crowds, but it's too facile a conclusion to be useful in the larger scheme of things.

Wednesday, October 20, 2010

social networking vs. privacy

the privacy issues surrounding social networking sites are nothing new by any stretch of the imagination, but it seems to me that many people have mismatched expectations when it comes to privacy and social networks - and i'm not just talking about the people who are not yet aware of the issues. even those people who are actively criticizing the privacy implications of the technologies and policies in play at social networking sites seem to be experiencing a fundamental disconnect from the reality of social networking.

the fact of the matter is, no social networking site can be both socially useful and promote privacy in a meaningful way at the same time. if we ignore the practical concerns of how to get funding or similar topics that lead us to call social networking users products rather than customers - even an ideal social networking site must necessarily be a privacy failure.

before i explain why, i think it's important to understand what social networking sites are for and by extension what successful ones (including our ideal one) must do in order to be compelling. the core goal of a social networking site is to enrich our social experiences, either by allowing us to have rewarding social experiences with more convenience (like keeping up to date when you've got a spare moment, even if it's in the dead of night) and less expenditure of resources (time, energy, money, or some combination of the three) than we would otherwise be able to have, or by allowing us social experiences that wouldn't otherwise be possible at all (such as reconnecting with long lost friends).

to that end it should come as no surprise that social networking sites have to focus on facilitating the establishment, maintenance, and strengthening of social connections. it should also come as no surprise that social connections flounder in the absence of openness. that is a social network's undoing from a privacy perspective, because openness is incompatible with the guardedness engendered by the strategies we use to protect our privacy.

now there are a couple of specific complaints that i'm sure come to the reader's mind at this point, chief among them being that sites like facebook should still be able to use an opt-in model for information sharing instead of an opt-out one. you have to understand, however, that the opt-in model is essentially equivalent to being guarded-by-default (you could also liken it to default-deny or even whitelisting). no one can dispute that this would be a superior model from a privacy perspective, but as someone who is guarded-by-default in real life i can assure you that it is not a winning social strategy. by going with an opt-in model you put people in the position of having to make conscious decisions about what they need to be open about in order to get the most rewarding experience for themselves (where such calculating behaviour might be familiar only to a select few) as well as figuring out precisely how to go about being open about those things. in other words the opt-in model forces the user into a kind of simulated social awkwardness, which would not be a compelling user experience at all.

you could be thinking right now that even if a 100% opt-in model would scare users away, a more balanced model than 100% opt-out should be possible - and yes, it certainly is. privacy lobbyists (for lack of a better term) have certainly managed to pressure facebook (and i assume others) to change various features to be more privacy-friendly. that being said, without such pressures (representing a broadly held preference to the contrary), social networking sites should be expected to go with the opt-out model and let those who feel they need to protect the information in question actually make the conscious effort to opt-out. the reason for this is purely practical (and i don't mean in the making things easier for lazy programmers sort of way). there is no single sharing strategy that both optimally meets everyone's social needs and their privacy needs as well. that means any attempt at making more balanced sharing defaults amounts to trying to second-guess what's going to work best for users at the risk of making it more difficult to be open in a way they may have found rewarding. defaulting to opt-out is essentially erring on the side of caution with respect to not compromising the primary goal of an ideal social networking site.

all this being said, when it comes to sharing data with advertising partners or other third party organizations, that has nothing to do with enriching the social experiences of the user. those are entirely business-driven decisions, and while they make sense for the business, they provide no direct benefit to the user and so there is no reason to believe the user would appreciate that sort of openness being facilitated (or rather foisted on them) by default. those sharing practices rightly deserve to be made opt-in rather than opt-out, but i don't expect the business people running the social networking sites to draw this distinction between sharing that facilitates social connection and sharing that facilitates advertising revenue. at least not without a good swift kick in the arse on a regular basis.

(2010/10/21: edited to correct typo spotted by @ChetWisniewski)

Thursday, October 14, 2010

i am a hacker...

... but i am not a crook.

i have previously touched on the fact that the word hacker gets used inappropriately to mean criminal, and i've objected to it on semantic (pedantic?) 'that is not what it originally meant' grounds. that's only one dimension, however.

while i do object on semantic grounds and take that objection seriously in its own right, the fact is that because i self-identify as a hacker (among a variety of other things) i also happen to find the characterization of hackers as criminals to be rather insulting. not that i expect the people using that characterization to bend over backwards for little old me, of course, but guess what - i'm not the only non-criminal who self-identifies as a hacker.

in fact there are so many of them, especially in the security domain, that a conference that (among other things) fosters the spirit of hacking in children was held for the first time this year (called hackid). i can't help but think that a lot of those parents/infosec professionals would be less than enthusiastic about the idea of imparting the spirit of hacking onto their little tykes if they were willing to accept a world where the term has taken on such a pejorative meaning. it's not just me who is insulted by the 'criminal' insinuation, it's all these people and their kids too.

really there's only two reasons to misuse the term hacker this way: stupidity or laziness. stupidity requires no explanation, but by laziness i mean too lazy to find a better term - and there are better terms, such as criminal or computer criminal or online criminal or even (gasp!) cybercriminal. these were what was being implied by using the term hacker anyways, so why not cut out the middleman?

well because apparently the unwashed masses are more familiar with the term hacker ({ahem} whose fault is that, exactly?) and it's too much work (laziness rears its head again) to dispel that misconception and actually educate them properly. and this at a time when we're actually winning the war against the misuse of the term virus as an umbrella term (the media is increasingly and correctly using the term malware as the catch-all term for bad software and as a result malware is becoming the term the public uses as well). would you believe some of the same lazy bums who use that 'too much work' line of reasoning actually fancy themselves educators? i'm sorry but if you can't be arsed to dispel misconceptions and educate about the social dimension of the security space, why should anyone believe you'll do your due diligence with respect to dispelling misconceptions and educating about the technical dimensions? uh huh, yeah, i thought so - there is no good reason for anyone to believe that.

stupid media uses the term everybody else uses because they don't know any better. lazy media uses the term everybody else uses because it's easier to just go with what the experts say, and lazy experts use the term everybody else uses because it's too much work to change the tide. but the tide changed with virus - no doubt in part because viruses stopped being the primary issue and experts for the most part couldn't bring themselves to call a non-viral piece of malware a virus, so the proper umbrella term for malicious software started to trickle down.

that same trickle-down effect could work for the term hacker too, but only if the lazy bums out there (and you know who you are) actually start taking their supposed roles as educators seriously and start doing their job properly instead of half-assed.