[Infowarrior] - Schneier: Aligning Interest with Capability

Richard Forno rforno at infowarrior.org
Thu Jun 1 10:17:11 EDT 2006


Aligning Interest with Capability
http://www.schneier.com/blog/archives/2006/06/aligning_intere.html

Have you ever been to a retail store and seen this sign on the register:
"Your purchase free if you don't get a receipt"? You almost certainly didn't
see it in an expensive or high-end store. You saw it in a convenience store,
or a fast-food restaurant. Or maybe a liquor store. That sign is a security
device, and a clever one at that. And it illustrates a very important rule
about security: it works best when you align interests with capability.

If you're a store owner, one of your security worries is employee theft.
Your employees handle cash all day, and dishonest ones will pocket some of
it for themselves. The history of the cash register is mostly a history of
preventing this kind of theft. Early cash registers were just boxes with a
bell attached. The bell rang when an employee opened the box, alerting the
store owner -- who was presumably elsewhere in the store -- that an employee
was handling money.

The register tape was an important development in security against employee
theft. Every transaction is recorded in write-only media, in such a way that
it's impossible to insert or delete transactions. It's an audit trail. Using
that audit trail, the store owner can count the cash in the drawer, and
compare the amount with what the register recorded. Any discrepancies can be docked
from the employee's paycheck.

If you're a dishonest employee, you have to keep transactions off the
register. If someone hands you money for an item and walks out, you can
pocket that money without anyone being the wiser. And, in fact, that's how
employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of
course. But that's not very efficient; the whole point of having employees
is so that the store owner can do other things. The customer is standing
there anyway, but the customer doesn't care one way or another about a
receipt.

So here's what the employer does: he hires the customer. By putting up a
sign saying "Your purchase free if you don't get a receipt," the employer is
getting the customer to guard the employee. The customer makes sure the
employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The
customer has the capability of watching the employee; the sign gives him the
interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at
work:

"When ATM cardholders in the US complained about phantom withdrawals from
their accounts, the courts generally held that the banks had to prove fraud.
Hence, the banks' agenda was to improve security and keep fraud low, because
they paid the costs of any fraud. In the UK, the reverse was true: The
courts generally sided with the banks and assumed that any attempts to
repudiate withdrawals were cardholder fraud, and the cardholder had to prove
otherwise. This caused the banks to have the opposite agenda; they didn't
care about improving security, because they were content to blame the
problems on the customers and send them to jail for complaining. The result
was that in the US, the banks improved ATM security to forestall additional
losses--most of the fraud actually was not the cardholder's fault--while in
the UK, the banks did nothing."

The banks had the capability to improve security. In the US, they also had
the interest. But in the UK, only the customer had the interest. It wasn't
until the UK courts reversed themselves and aligned interest with capability
that ATM security improved.

Computer security is no different. For years I have argued in favor of
software liabilities. Software vendors are in the best position to improve
software security; they have the capability. But, unfortunately, they don't
have much interest. Features, schedule, and profitability are far more
important. Software liabilities will change that. They'll align interest
with capability, and they'll improve software security.

One last story... In Italy, tax fraud used to be a national hobby. (It may
still be; I don't know.) The government was tired of retail stores not
reporting sales and paying taxes, so they passed a law regulating the
customers. Any customer having just purchased an item and stopped within a
certain distance of a retail store had to produce a receipt or they would
be fined. Just as in the "Your purchase free if you don't get a receipt"
story, the law turned the customers into tax inspectors. They demanded
receipts from merchants, which in turn forced the merchants to create a
paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn't work very well. Customers, especially
tourists, didn't like to be stopped by police. People started demanding that
the police prove they just purchased the item. Threatening people with fines
if they didn't guard merchants wasn't as effective an enticement as offering
people a reward if they didn't get a receipt.

Interest must be aligned with capability, but you need to be careful how you
generate interest.

This essay originally appeared on Wired.com.



