December 15, 2008

Bruce Schneier Speaks on Conceptualizing Security at LISA 2008

Filed under: LISA '08 — msacks @ 11:38 pm

By Matthew Sacks

Bruce Schneier, Chief Security Technology Officer at British Telecom, presented some abstract and forward-looking ideas about security at this year's LISA conference. His talk on re-conceptualizing security offered new insights into how we think about security, and into why what we feel about it so often diverges from the facts.

One example Schneier gave concerned risk heuristics, the mental shortcuts people use when judging risk. The easiest way to describe them is through the examples he used. Take a free collector's mug: once you have been given the mug (or any other object), you assign it value simply because it is now yours, more than you would have paid for it beforehand. Schneier listed several other heuristics that distort how we weigh risk:

“There are a number of other heuristics involved, the optimism bias, which is that bad things always happen to certain people.”

Another common misconception among the general public is that we exaggerate the likelihood of rare events, precisely because they are rare and therefore memorable. Schneier illustrated this availability effect with a word exercise: try to think of words that begin with K, and you can rattle off a list. Now try to think of words with K as the third letter. That is much harder, so people guess that words starting with K are more common, when in fact the reverse is true; ease of recall, not frequency, drives the estimate.

Take these two statements, for example:
Linda is a bank teller.
Linda is a bank teller and active in the feminist movement.

Many people rate the second statement as more likely than the first, because the feminist detail makes the description feel more specific and more representative of a real person. But the second statement cannot be more probable than the first: everyone who is a bank teller and a feminist is also a bank teller, so the added attribute can only narrow the set of people the statement fits. The vivid detail crowds out the arithmetic.

Schneier spoke about the difference between the feeling of security and the reality of security. He made the point that the feeling matters more to most people, because it is their perception, not the underlying risk, that determines whether they feel secure.

Schneier speaks about “Security Theater” and Security Models

Security, by design, is supposed to make you feel better. So if the market drives security, the economic incentive is to make people feel secure rather than to actually make them secure. Schneier calls this behavior “Security Theater”. Security theater is necessary to a certain extent, Schneier reasons, but it is most obvious when there is no real increase in security and claims are being made simply to make people feel better.

Child kidnapping is an example of a security model exaggerated by the media. Schneier made the point that very few child kidnappings happen each year, and that family members commit the majority of them; yet the media inflates the threat using the same elements of security theater.

Global warming, by contrast, is much closer to reality than to feeling, which is why many people reject it or simply do not care as much. Compare this to child kidnapping, which plays on people's emotions and feelings about security and so gets far more attention.

Suggestions on Security

When analyzing a security model, look for agendas and subjectivity. Where you find them, the people promoting the model are most likely trying to manipulate you for their own benefit.

We use proxies to get good information. We trust our doctor as a proxy to prescribe the right medication; we do not prescribe it ourselves.

There is a certain value in security theater. It saved the over-the-counter drug companies after the Tylenol poisoning incident: the new caps made customers feel safe enough to buy again. The simple fact is that if someone wanted to poison Tylenol and put it back on the shelf, there are still many ways to subvert the “tamper-proof” cap; the seals are tamper-evident at best, not tamper-proof.

Schneier made the point that we need better models that bring security, and the way we use it, back to the facts.

“Every year, there is a new reality in a world of technology”.
– Bruce Schneier

December 9, 2008

Historical Elements of Software Wars: An Interview with Clem Cole, President of USENIX, on Open Source, Unix, and Legal Disputes

Filed under: LISA '08 — msacks @ 11:08 pm

At this year's LISA conference, Clem Cole, President of USENIX, and I discussed some of the pressing issues for using software around the time of USENIX's beginnings. Cole was (and still is) one of the original hackers of the era, and we spoke about some of their troubles writing software alongside looming, possessive giants such as AT&T and DEC.

If you used code derived from AT&T's intellectual property, you could only share it with others who had the same license. But a developer has always been free to share anything they owned, although traditionally, before sharing, you added a copyright and a simple terms-of-use license, a.k.a. the CMU/MIT/UCB license (sometimes called the “dead fish” style license). So if you wrote something original, you as the author could and did do what you wanted with it, and traditionally most Unix developers gave it away to other users; consider any of the tools that came out of Harvard, Purdue, CMU, MIT, UCB et al., e.g. CMU Emacs, UCB Pascal, GCC; the list is quite long.

Another way to think of this: since the universities were using Unix as a research tool, they could and did use Unix as they wished, but they could not give out the AT&T-derived Unix technology.

In order to get a copy of AT&T Unix at the time, universities had to pay a $100 license fee to AT&T, and the source code was delivered on a magnetic tape (“abandoned on your doorstep”, as it was sometimes put). The problem with this model is that you could not legally share source code ported from Unix-derived technology unless the recipients had their own license.

Cole explained some of the intricacies of the relationship between AT&T Unix and BSD Unix:

UCB, like many research users of Unix, made a distribution of its tools and modifications: BSD, the Berkeley Software Distribution. Numerous Berkeley distributions were made over time, and since all were based on the AT&T technology, to get a copy of BSD you needed to show that you too possessed an AT&T Unix license.

Originally, BSD Unix could be licensed by any institution (research or commercial, actually) that could demonstrate it had an AT&T license. It was just easier to check for that license, since “everyone” could get one (although commercial users paid more to AT&T). Remember, the cost of the hardware to run the AT&T code was at minimum $100K and often 5 or 10 times that. So the $100 for an AT&T license for a university was peanuts, and the cost to UCB to pay for duplication etc. was equally small.

Note that at that time the owner of the code would add a copyright and a “license” to the top of the file, and the different licenses were created to solve different issues. The non-viral “dead fish” style used by UCB is probably the longest-lived, and basically says something like: “Hey, we wrote this. Use it at your own risk, i.e. don't try to collect damages. If you do anything with it, you have to mention it came from us originally, but you can do whatever you want with it”, i.e. wrap dead fish in it for market, make a product with it, study it, etc.; have fun.

Over the course of a number of years and after many different BSD releases, Berkeley's team said, “hang on”, very little of what is now in BSD is based on AT&T's code. So a number of folks at UCB began to make two piles of code in BSD depending on its provenance (“AT&T derived”, a.k.a. tainted, and “non-AT&T”, a.k.a. clean). Eventually the non-AT&T-owned pile was nearly the entire set. So the UCB team eventually released the non-AT&T version as the BSD NET2 distribution, and it was made available to anyone; you only needed to obey the licenses and copyrights in the code itself. All of this occurred while BSD was being ported to more and more systems other than the original VAX it was designed for, such as the Sun2, 386, etc.

Once NET2 was released, some of the developers formed a company called BSD, Inc. The BSD Inc. folks then started with NET2, added the “missing” parts that they wrote themselves, and created an “open source” “product” for Intel-based PCs running 386s and 486s, called BSDi.

Shortly thereafter AT&T sued both BSDi and UCB for improper use of their IP. UC Berkeley and BSDi eventually won the case, although I believe the court forced a handful more files to be removed from NET2.

We hacker types thought the AT&T/UCB case was about copyright. It turns out it was not. The case was about trade secrets, which is much more serious. In fact, we were later told that if AT&T had won, any Unix/POSIX-like system would be a derivative of the ideas used to build Unix, not just systems built using AT&T-based source code. This means any Unix-like system would not have been allowed, not just BSD. If this definition had come into play, any Unix or POSIX system would have been an “AT&T derivative work”, which to modern users would have meant that not only BSD but Linux (and Minix, et al.) would have had to be licensed from AT&T to be made available for use.

According to Cole, “A user would obtain the source, then modify the software, and then feed the modified version back into the community.” It is a model that has pioneered some of the greatest and most widely adopted software projects to date, many of them incubated on Unix or Unix-like systems. To this day, this practice continues, but at a scale never before imagined.
