In our modern world we are accustomed to constant monitoring, be that video, email, or our browsing history. We accept (as terms of service) the complete loss of anonymity, and often-even identity all in the name of Siren servers* and the services they provide (I am looking at you Amazon, Facebook, and Google).
But where are these services when it comes to protecting our data? Name-your-huge-retailer is more than happy to collect every click, and nugget of shopping data about you. They want to profile you into a category; 35-50 years old, disposable income, and mid-level shopper. But what about using those techniques to profile would-be thieves and malicious actors? What about using that ‘spooks’ level knowledge for good rather than for cash? Why can’t we profile the malware makers, code wranglers, and exploiters?
We don’t because business models are too concerned with bottom lines, stock prices, and shareholder expectations that end users are lost, customers are lost, and so is our humanity.
I am suggesting that if we valued the relationships we have with our customers like we once did – you know in the way back days – if we treasured that data entrusted to us we might be able to do something useful.
Would Floyd the barber ever allow his customer list to leak out?
Lets imagine a world where the identity, and the personally identifiable information (PII) for our employees and customers was more than a headline or press release.
This begs the questions: Where is the Intelligence in Threat Intelligence? Maybe it’s a shift from HumINT (that’s Human Intelligence for you non Military types) to CompuINT? (is that a word for Computer Intelligence?).
The problem might be that we are not savvy like we used to be; remember the cold war? I don’t, but I can read. We had to worry about Russians under every table; your neighbor could be a spy. Guess what, that browser plugin is a spy, the website you're using is a spy. Threat researchers need to see the inherent threat in that.
Siren (stealing Jaron Lanier again*) servers are collecting mountains of data about us more information about us than we know about ourselves.
But who is watching the Sirens? Who protects us not from them (different blog). Who protects them from theft of the data? Why bother as an attacker to steal data from you as an individual when I can steal it from your dating website (see how I ambulance chased that?). Why is it OK to allow these websites the power to store this much data? Do they need it? Do you need them to?
It’s a spooky world we are moving into, maybe one where we need to challenge human behavior – and narcissism – to really combat the growing issues we have. Will biometrics solve the identity issue? What happens when that’s hacked?
Flipping this on its side now...how much data do you collect in your enterprise? Why are you not leveraging that to better profile human behavior? Why aren’t you using it to know what and why your users are doing the things they need to do – and should be doing – on your network and with your precious data.
Are you talking to your board like this? Talking about human relationships? Talking about what data really is? Why it’s really valuable, and what trust means? I’m not talking about Windows, or domains. I mean why don’t you shop at the large retailer now? Why don’t you use your credit card online? Why don’t you turn on your Bluetooth at DefCon? Or do you?
About Jamison Utter
Natural curiosity has taken Jamison beyond the technical hack into the workings of the criminal industry; how and why malware is written, how people make money at it (why do they keep doing it) and what are the motivations.
* Jaron Lanier (thanks dude)