As the professor of security engineering at Cambridge University, Ross Anderson is one of the founders of security economics as an academic discipline.
He's written what Bruce Schneier says is "the best book on the topic there is" about security engineering, and has given evidence to the Home Affairs Committee inquiry into extending the time for which the police can detain Her Majesty's subjects without trial.
Perhaps more impressively, though, he wants your ISP to send you cash every time you get spam.
Linux Format magazine caught up with him for a chat...
Linux Format: With all the time and money spent on security, why does it go wrong so often? Or is it just that the examples we read about in the media are the exceptional cases?
Ross Anderson: We understand the dynamics of bugs and vulnerabilities fairly well now from an economic point of view. We know, first of all, that the vendors don't have a proper incentive to ship good quality software, because the vendors don't pay the cost of failure; we do. That's something that the car industry took two generations to fix. It took litigation from 1917 to about 1965 to establish the principle in America that the car maker is responsible for design errors. Before that, the car makers just said: "So you got run into by a car, and you got hurt – sue the driver, and let him sue the person he bought the car from if he thinks the car was defective." And so on, back through the chain. Breaking that, and establishing vendor liability, took a whole human lifetime after the car was invented. It's going to be a similarly big task in software.
LXF: But surely there will always be bugs in software. How do you determine which are significant?
RA: Yes, since software is big and complex, there are bugs; there are statistically many bugs, and you can predict how many you'll get using statistical tools. So you end up having a process, such as regular patching, and you then have some idea of how many vulnerabilities will arrive in any one month, and how many will be fixed in any one month. You can get numbers for how many people get hacked as a result of vulnerabilities that vendors hadn't patched, although they could have. And then of course there's the other cases where somebody has discovered a vulnerability that wasn't reported to the vendors yet, so you've got a zero-day exploit.
Then you can look at it from the point of view of the economics of the people doing the patching. If you're a company, how much effort do you put into applying patches quickly, and what's the risk? There's a whole series of economic equilibria involved in decisions as to software quality, preconceived patching, diligence of application of patches, and so on.
LXF: That seems to put the blame on the software vendors rather than the hackers…
RA: In the criminal underworld, there's a set of separate economic forces that determine what the exploitation pattern will look like. What, for example, are the economics of running a botnet? Well, we know that when machines are captured, typically hackers do such high-value exploits as they can – keyloggers for bank data, and that sort of thing – and then they go down the food chain. Compromised machines may end up being used to send spam, and then once they're blacklisted by all the spam filters, they'll end up being used for distributed denial-of-service attacks.
There are all sorts of places in the chain where there are potential control points, where reasonable amounts of pressure haven't been applied. At present, if I get spam or a phishing email from an infected machine and I report it back to the ISP, then if the ISP is a small to medium sized firm, they'll usually fix it fairly quickly. Within a matter of an hour or so, they'll have that machine isolated into a walled garden, from which the user can get hold of anti-virus software, but not much else. The reason for this is that if you're a small ISP, and a machine starts sending a lot of spam, it screws up your peering arrangements. However, if you are a big ISP, you don't care.
LXF: Because nobody's going to block the whole of Hotmail, or whatever it is?
RA: Hotmail isn't that bad, but you could think of one or two of the big British ISPs, that I won't name for libel reasons. If you send mail to abuse@ one of these companies dot com, nobody will read it. You might as well complain to the spammer himself, for all the good it will do.
So the proposal that we have [Anderson recently completed a report for the European Network and Information Security Agency] is that if you complain to abuse@ somebody or other dot com, and more than three hours after that you get more phish or spam from the same infected machine, then you should have a legal right to claim €10 from them. No need to prove malice, no need to prove actual damage, just "here's the bill". A similar scheme has largely sorted out late flights, cancellations and overbookings among cheap airlines in Europe, because now you get €250 if EasyJet or Ryanair bump you off the flight to Barcelona. You don't have to produce a whole bundle of hotel bills and car rental vouchers and argue the toss, you just send them the bill. If they don't pay, you go to the county court, and if they still don't pay, you get the bailiffs to go and collect – believe me, I've done it!
Once you can do that to your ISP, they will all of a sudden find that it's in their best interests to act as the small to medium ISPs do. The kit that you need to firewall machines only costs a couple of hundred grand, and that's nothing to a big ISP. It's just a matter of them making the effort, and having the incentive.
LXF: With a lot of consumer products, like wireless routers, there's no incentive like that – it's pretty much left to the end user to patch these devices, or flash them with new firmware...
RA: Get real! Is my mum going to do that?
LXF: OK then, what steps should an ordinary citizen take to improve their data security?
RA: Buy a Linux box or a Mac. I bought my wife a Mac, last time the Windows box got filled up with loads of spyware.
LXF: So you just don't think the problems with Windows can be solved?
RA: The poor boys at Redmond are doing what they can, but they've got an enormous mountain of legacy codebase to deal with. Although they are beginning to do some semi-sensible things with Vista, in terms of not having users run as root all the time any more, this breaks so many applications that it's hard to get much traction. You end up with this learned helplessness phenomenon, whereby people are trained to keep clicking away these annoying dialog boxes that say: "Do you really want to override this? Do you really want to dismantle your security? Do you really want to run as root?" blah, blah, blah. They have to, to get their work done. That's a fundamental problem of the whole [software] architecture.
From the point of view of a user who's only going to use the PC for web browsing, word processing and one or two other simple tasks like that, the best solution is to move to an alternative platform. The big opportunity, which some Linux distributions are now obviously seizing, is to produce Linux PCs and Linux laptops that just work, which don't need anyone to know what a tar file is, let alone how to compile stuff.
First published in Linux Format, Issue 114