[e-lang] Eyes on the goal: real phishing solutions
marcs at skyhunter.com
Thu Feb 10 16:41:30 EST 2005
> On Wed, 9 Feb 2005, marcs wrote:
> > It's fine to disagree about whether we have a known complete real
> > solution. But figuring out what a real solution would be is
> a crucial
> > first step. If one builds a bunch of short term fixes
> without a long
> > term plan, you aren't solving the problem, you're writing
> Service Pack
> > 2.
> Would anyone who has a proposal for a complete real solution
> please explain what they have in mind?
> (I'm not clear on what one would be right now, and it might
> be helpful to have some places to start, even imperfect ones.)
Oooooh, for the next few minutes, I get to live in FantasyLand.
Before that, however, with a nod to Ian's correct observation that we have
to bound the problem, and note the things outside the area we are trying to
solve, let me do a little constraining of the problem. I am not satisfied
enough with Tyler's definition of phishing to settle on it...but I do not
have a counterproposal, which is why I haven't muttered about it before. But
I will point out a couple of things that phishing is not, and are outside of
scope. Attacks that involve viruses that break the subsystems are not in
scope. And "pure social attacks" are not in scope. Pure social attacks are
attacks like the Nigerian Hoax, which have the interesting property that
they only happen to use computers as a communications medium, and could
reasonably be performed using paper mail, telephones, and magazines. Most
modern computer attacks have a social element, but in the end they depend on
exploiting a characteristic of our computers that people can't handle
properly for one reason or another.
I'm so excited about laying out a complete solution, I'm not gonna give you
just one complete solution, I'm gonna give you 2! :-) But, uh, the first one
does not count.
Solution1: Put government tracking devices in all computers and routers. Put
government video recorders in every room in every building on earth. Trace
every transaction beginning to end. Shoot anyone who does phishing on the
Jerry Springer show.
Solution 1 is not to be taken seriously, of course. I prefer a world with
Solution2: Solution2 has 3 general components.
-- Pet Names Everywhere: Full fledged pet naming systems, built on
unforgeable ids. Graphical pet logos as appropriate. Not just in the
browser, but in the mail tool, the chat tool, the desktop, everything. We do
pet names as best we can, which is not a complete solution in itself for
reasons described here so far. But it is harder. Phishing via the email
tool, for example, has to pass the hurdle of coming from an unknown source,
in addition to sending you to a web site that is an unknown destination.
-- Capabilities, Not Passwords: Phishing must somehow capture an authority
to be a success. Put all the authorities in capabilities. To exercise the
authority in a capability, you do not send it over the line like a password.
Rather, you invoke it on your own machine. I believe the rules to follow
with respect to sending other people your capabilities -- whether via email,
chat, or browser, are pretty easy to follow. The rules start with a big
DoNotDoThat. We need some work on how you build POLA-based restricted
capabilities for delegation, but my best assessment at the moment is that we
can make this very user friendly as well, so people can delegate effectively
and safely, for the most part. It seems plausible that the rules will be
simple enough, and followed so reliably, that attacks that succeed in
persuading people to send their caps will need a social element so large
that they look more like the Nigerian Hoax than they look like phishing. (A
necessary problem with a long term solution is, by definition, you can't
"know" it will work, your best effort is to assess plausibility. Don't know
how to avoid that. Of course, it opens up a whole new vista of arguments you
can have :-). To put this another way, people who are vulnerable to the
Nigerian Hoax are probably an already-saturated market. If we compel all the
people who currently phish to instead hoax, we probably don't get
significant growth in successful hoaxes, we just slightly alter the list of
who the successful hoaxers are.
-- Make Lightweight Digital Cash a Core Filtering Element for Message
Acceptance: Having made phishing a much lower probability game, now we make
it cost significantly more every time it fails: if strangers must send money
to get your attention, and it is etiquette to send the money back only if
the message was valuable to you, people who get hit by phish who recognize
it will just keep the money. I don't see how phishing via email can survive
this. If the cost of getting a successful phish is greater than the expected
value of the successful phish, phishing is truly dead.
Ping, how's that for a start? Let me say, the conversations of the last few
days were critical to my composition of this plan. All the parts of the plan
are "stock parts" out of the capability community, but my first effort would
not have include so many of these stock parts without the discussion of the
past few days.
It is perhaps worth noting that these three pieces of the plan are
separable, each has benefits all by itself, and can be done in any order or
concurrently. Indeed, I have heard pretty lightweight proposals, which
require only a small change in user behavior, and reasonably constrained
development costs, for each of the three. And, I would further claim, we
need each of these three anyway, for other reasons besides just phishing.
The hard part is the widespread adoption needed. But there's nothing new in
that, adoption is always the farthest bridge :-)
More information about the e-lang