My ol’ buddy and former colleague Steve Lodin mailed me to chide that I hadn’t yet passed comment on the Chip’n’Pin scandal that my-favourite-anarchist-in-a-dickie-bow-tie Professor Ross Anderson has splatted all over the news.
The thing is: I feel my opinions are kinda redundant in this matter. The wise person will read Ross’s team’s blog, watch Paxo rather crudely (and not entirely honourably) dicing the bank’s representative on the Newsnight interview, and to a first approximation they will have as much information about the attack as I do.
There’s an effect that happens after you’ve been hanging with the technically capable bright lights in the security industry for a while: beyond a few questions of style and personal ethics[1], the rest of the discipline can be viewed in fairly absolute terms:
Axiom:
There is no such thing as perfect security.
Issues:
- has there been a breach of integrity?
- has there been a breach of secrecy?
- is the “360-degree cost” of a foreseeable breach, times its likelihood, economically worth mitigating?
- who’s responsible?
The first two of these are booleans (ie: yes/no) and leave very little wiggle room; the safe has been blown, the wall has got a sodding enormous crack in it, the hordes invaded and everyone’s been killed. The third is a matter of judgement and encompasses everything from fire and flood through legal compliance to DDoS and thence to extortion. The fourth is a human matter which is hard to quantify, especially when those ostensibly responsible have a limited view of the potential risk.
Back to the point, regards chip-and-pin the answers are:
- yes
- yes
- probably not quite yet, but soon, and the banks are behaving abominably by pretending there is no problem at all
- those who decided where the banks drew the cost/benefit line when they created C’n’P; and their paymasters
The first two are demonstrable because they have been demonstrated; the third is the pragmatic view that the banks should start addressing the problem now because what people can do in university labs one year, criminal nerds can do at home 5 years later. The fourth: someone saved money in technical investment back then, because they thought they had raised the bar high enough to last 20 years rather than a mere 5.
So much, so obvious. Sorry, Steve…
Me personally I think the better story comes from Patrick J. Dempsey, Chief Information Security Officer for Janney Montgomery Scott and former FBI agent who got covered in Slashdot for writing:
However, knowing all the possibilities with disguising or “spoofing” one’s information on the Web, I’m not sure that there is a way to truly “protect our borders” when it comes to the Internet. The solution might be to establish two Internets — the current Internet and a new, more secure Internet where users would be required to register prior to gaining access.
In a comment on his own posting, he then goes on to “clarify”:
Unfortunately, my reason for writing this article has been overshadowed by the focus people are putting on my suggestion of a second, more secure Internet. The main catalyst for writing this article was to bring to everyone’s attention the fact that the same positives that the Internet provides for information sharing, also create negatives in terms of “bringing to task” those that wish to use the Internet for illicit purposes. I am certainly not talking about revamping the current Internet, nor do I think we should.
[…]
What I am suggesting, if anything, is to provide people with a choice. In other words, you can access “Internet #1” if you so choose, but you can also access “Internet #2” for a more secure experience.
In response to which I can only say that I would love his invitation to visit “America #2” – a land he could surely create with no crime, no fraud, no muggings, no junk mail, no traffic jams, no prawnography, no infectious disease, and where everyone would want to be and work – and all that you would need to create this wonderful land would be for everyone to hang identity cards around their neck.
It’s that simple, surely? And there’s nothing you’d want to import from America #1, of course, to prevent importing anything nasty.
Like, for instance, access to the rest of the world?
Sheesh.
—
[1] amongst which we include eternal questions like “full, timed, partial, or no disclosure? (of vulnerabilities in a public place)”; or “is [FOO] evil?” where FOO = {Microsoft, NAT, Sendmail, …}