
4 posts from March 2008

March 26, 2008

Criminals are taking over the Internet

A parallel world is being created on the Internet, as many science fiction writers had predicted. Our faults and virtues, the same ones that have existed for thousands of years, are now shaping the virtual world, and it's not pretty. The criminals are taking over. Committing crime on the Internet is so easy and so convenient that they are abandoning their real-life efforts in great numbers.

I've recently had the pleasure of attending a talk by Merlin, the Earl of Erroll, in which he discussed the changes forced upon our society by the rapid adoption of technology. The talk was sponsored by Breach Security, as part of a promotional party organised here in London, at the Company of Information Technologists. Merlin is a well-known figure in Britain, and it was refreshing to hear someone give an honest opinion about where we are heading, and about the state of security and privacy in the UK.

One thing that made an impact on me was his account of how criminals are actively taking advantage of Internet technologies, and exploiting the loopholes in the current organisation of the police force and the justice system. One problem is that these organisations were designed to tackle large problems, whereas most crime that takes place on the Internet is, individually, low in value. The cost of pursuing a large number of small cases is simply prohibitive. In aggregate, however, the cost to society is much higher, but we lack the mechanisms to deal with it. It's even worse when you take into account the inefficiencies of collaboration across jurisdictional boundaries. These have a significant impact even within one country, but they are devastating when crime crosses borders.

Can we do anything to deal with the problem? It's obvious that we stand no chance of investigating and prosecuting most such cases, so we should focus on prevention: on making it more difficult for criminals to make money. What exactly that means is not clear, but I'd really like us to start by adopting a method of payment more secure than credit cards. The technology is already available; all we need now is the will.

March 18, 2008

Open Source wants to ruin my life

One of the side effects of Open Source is that it effectively pushes the cost of software down to zero. You can argue that I can charge whatever I want for the software I license as open source, but that argument doesn't work very well. For as long as my licensees have the right to distribute my product free of charge, an informed market is not going to want to pay to get it. Open Source seems to be very good at preserving the rights of users, but not any good at preserving the rights of authors.

I can cheat, as many companies do these days, scaring people with words such as warranty, indemnification and support. I can also repackage my product as a subscription, which seems to work for some companies. But that just wouldn't feel right. It's essentially doing the same thing as before, just calling it something else. Furthermore, doing business this way creates an incentive to make the software just good enough to attract a user base, but not solid enough for users to get by without my help. Other companies prefer to leave a critical piece out of the open source package for the same reason.

While I can do all these other things—I do not want to. It is just not the life I want to lead. You see, I believe in one's right to make a living by doing what they love. I love writing software and I am good at it—it's only natural to expect to be able to write (and sell) software for a living.

But Open Source won't let me have any of that. I am condemned to a life of compromise instead.

March 10, 2008

Threat modelling: real-life asset devaluation example

Threat modelling is a risk assessment technique. Simplified, you systematically assess your environment to identify your true assets and the likely adversaries, along with the possible ways for them (the adversaries) to obtain the assets. The main point is to base the analysis in reality, allowing you to identify what is likely to happen while ignoring the ever-present noise. At the end of the process you end up with a prioritised list of threats, and then use your budget (resources) to address the most dangerous one, using one of the mitigation strategies available to you. You then repeat the process until you run out of resources. It is a simple and elegant technique, and one of my favourite security tools.

One of the most useful generic mitigation strategies is asset devaluation. The logic behind the concept is simple. Attackers are typically driven by their desire to obtain assets. If you remove the asset from your environment, or lower its value, then you also remove the reason the attacker is looking at your system. Without the asset to obtain, he will simply go elsewhere.

One of the best examples of asset devaluation is not storing credit card numbers on e-commerce web sites. While some merchants do need to store them, most need the credit card numbers only initially—to process the transactions they were submitted with—and never use them again. What a wonderful opportunity to reduce one's attractiveness to attackers! By removing the credit card numbers from your systems, and telling the adversaries about it, you stay out of trouble.
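As an added illustration of the devaluation mitigation (not code from the original post, and not Introversion's design), here is a checkout routine that persists only a processor token and the last four digits, beside a scan that confirms no persisted field still carries a Luhn-valid card number; the field names, the token format and the sample inputs are assumptions.

```python
import re
import secrets

# Constructed example: the only record this shop persists after a card payment.
# Field names and the token format are assumptions, not any real processor's API.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used both to validate input and to recognise stored PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenise(pan: str) -> str:
    """Stand-in for the payment processor: returns an opaque reference.

    The token must not be derived from the PAN (no hashes, no encodings), or it
    would simply be the asset in disguise; the processor keeps the PAN on its side.
    """
    return "tok_" + secrets.token_urlsafe(12)

def checkout(pan: str, amount_pence: int) -> dict:
    """Charge the card, then keep only what later support queries need."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("card number failed basic validation")
    token = tokenise(digits)                # the PAN goes to the processor and nowhere else
    return {"amount_pence": amount_pence, "last4": digits[-4:], "token": token}

# 13 to 19 digits, optionally separated by spaces or dashes, as a card number is typed
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")

def find_stored_pans(record: dict) -> list:
    """Devaluation check: report any Luhn-valid card-length digit run in persisted fields."""
    hits = []
    for value in record.values():
        for m in PAN_RE.finditer(str(value)):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):             # skips order numbers and other digit runs
                hits.append(digits)
    return hits
```

Running `find_stored_pans` over exported records (including free-text notes) is a cheap way to prove the devaluation claim rather than merely assert it.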

Although I've used this example many times during my talks on threat modelling, yesterday was the first time I actually saw the technique used in real life, as I was making a purchase from Introversion, an indie game developer from Britain. Here's a partial screenshot:

[Partial screenshot of the Introversion purchase page]

An added bonus is that this kind of thinking also makes consumers happy. When I saw the note, I instantly perked up, happy in knowing my beloved credit card number is not going to be stored at yet another web site.

Wouldn't it be great if all web sites disclosed details of their inner workings in a similar manner?

March 07, 2008

Open source continuity: Solid is dead, will solidDb survive?

Solid Information Technology is a database vendor founded in Finland in 1992. After operating as a pure closed-source company for 14 years, Solid announced in 2006 that it had adapted its storage engine to work with MySQL, and that it would release the project as open source. The move appeared to be an attempt to capitalise on the confusion created by Oracle's purchase of InnoDB, another MySQL storage engine. (It wasn't clear at the time what impact the purchase of InnoDB would have on MySQL.) Solid was acquired by IBM in January 2008, and we now hear from the company that it will end further development of the solidDB backend for MySQL. The code remains available through SourceForge. It looks like the company will cease to operate standalone.

This is not an open source story, but there's an important lesson here for all aspiring entrepreneurs using, or planning to use, open source as an aspect of their business strategy. Companies live and they die. They change directions in an effort to stay afloat or grow. They get acquired and assimilated by companies with different goals. Open sourcing a product is not enough on its own; it must be accompanied by community-building efforts. Such efforts are best carried out at the time the project is announced or open sourced, because that is when the project will be in the spotlight and resources will be available. If you care about the open source nature of your project then you need to realise that the clock is ticking from the moment you go live. Sure, your company may continue to go in the same direction for many years, but you never know if a disruptive change is lurking around the corner. If you want your project to survive, you need to ensure a healthy community forms before the change takes place. Without the protective shield of the community the chances of project survival are slim.

ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
