All Geered Up: An Interview with Dan Geer

by rthieme on October 27, 2000

ALL GEERED UP:  AN INTERVIEW WITH DAN GEER

Dan Geer, @Stake CTO and the new president of USENIX, muses about

privacy, security culture and the importance of self-reliance in the age of

ubiquitous networks.

INTERVIEWED BY RICHARD THIEME

Editor’s Note: Dr. Dan Geer, chief technology officer of @Stake, was recently

elected president of the USENIX Association, an organization of 10,000

engineers, systems administrators, scientists and technicians working on the

cutting edge of computer technology. Geer earned his doctorate in biostatistics

from the Harvard University School of Public Health in 1988 while running the

Health Sciences Computing Facility. He also was manager of systems

development for MIT’s Project Athena, where the X Window System and

Kerberos were developed. Geer has held executive positions at Open Market,

OpenVision Technologies (now Veritas) and CertCo., and has testified before

congressional committees on public policy in the age of electronic commerce.

Q: You were elected president of USENIX. What’s the significance of that for you?

A: I think the best way to thank some- body is to give back to them. In lots of ways, USENIX made me what I am, and I want to return the favor. That may sound corny, but that’s the way my mamma raised me. USENIX has kept me from getting too satisfied. People who get satisfied stop growing. People who are never satisfied are always curious. Time and again, USENIX has exposed me to things I didn’t know. That’s what I’ve gotten out of it.

What is your vision for USENIX?

USENIX, like everyone, must be aware of what’s changing, what old opportunities are being eclipsed and what new ones are showing up. We need to make our products obsolete before someone else does, create more conferences by leveraging our existing profitable conferences, and expedite the development of our new products. In the venture capital arena, investors want companies that go straight down or straight up. They don’t want a 2 percent growth, which makes it impossible to get your money out or write it off. In some sense, intellectual capital has the same characteristics-I want prompt failure or success. I don’t want to spend 10 years on something that finally struggles to its feet.

Is it critical to keep moving out of your comfort zone to keep yourself on the edge?

Yes. I am not an adrenaline sports guy, but maybe it’s the same urge applied in a way that has greater long-term value.

Generational differences in the computer security space are becoming noticeable, especially since the younger generation has never lived without the ‘Net. Do you see a significant difference in terms of how they think about security…and life?

I am not a student of this like Sherry Turkle [an MIT professor and author], but I like to quote Phil Agre of the Red Rock Eater News Service about the threat to the development of a coherent self: ‘If you are online constantly with 27 nyms but no privacy, do you have a coherent self?’ Perhaps coherent self is a social construction of reality that emerged as a result of prior technologies, just as human rights and intellectual property rights did not exist before the printing press. Do you think that the ability to create our own aliases as spies do-what was once created by the sanction of nations-is now everyone’s by virtue of digital technologies? Yes, but that means compartmentalization. The degree to which

compartmentalization is spreading in a way that’s unconscious is remarkable. As late as when my father was born, life, work, community, home, field and forest were largely the same thing. My dad was born to a 16-year-old in a log cabin and didn’t go to school. I’m CTO of @Stake with a Harvard doctorate-now that’s scope. But let’s take your point a little further: If the coherent self is itself in question, then so is the existence of culture. How do you have an indigenous culture with a rich basis of superstition in the digital era?

As soon as someone in the village gets a radio, the village ceases to exist. Correct?

Correct. I was fascinated to learn how television changed the image of an attractive woman in the Fiji Islands. Overnight, the image changed from as round as possible to as flat as possible. The media excels in rubbing your nose in what you don’t have.

You, Bruce Schneier and Marcus Ranum seem to share a similar trajectory

from immersion in computer security as a discrete domain to being very

tuned in to marketplace realities. Bruce let go of a belief in mathematics as

the savior of the world to wrestle in the trenches with the messy world.

Marcus recognized that a company doing $600 million of business could

absorb a security lapse, so the task was to manage the risk. You recently

spoke at some length about risk management and the shift from technology per se to risk management and the insurance model. Does this

make you part of the security shift?

I like to think I am part of the cause of that shift. In 1997, the keynote speech I

gave at a conference had a lot of that in it. At the time of my remarks, the

audience was unimpressed and looked for the next speaker. A year later, I

reworked it and gave it at the Digital Commerce Society of Boston, and it spread

all over the place. I was quite surprised, but an idea whose time has come is a

powerful thing. The way you know you’ve given a good speech, I was once told,

is if one person says to another afterward, ‘That’s exactly how I’ve always felt.’

Robert Galvin of Motorola said that every breakthrough idea begins as a

minority opinion and moves from invisible and inaudible to ‘that’s

something I always believed.’ Same idea?

Yes. Malcolm Gladwell in The Tipping Point discusses the spread of ideas from

the point of view of an epidemiologist. I’m trained as an epidemiologist. My

degree is in biostatistics and epidemiology. Gladwell looks at re-infection rates

and herd immunity-how diseases grow or fade. It does not take much of a

change in the transmission rate to create an epidemic. Sometimes as little as a

1 percent change will make a difference-that’s ‘the tipping point’ that pushes the

idea over the edge. You can’t plan this, but you can recognize it when it’s

happening. That’s what happened with my ideas on risk management as the

critical piece in the security space-right time, right place.

You could have chosen several paths at this point in your career. Why did

you join @Stake?

I came to @Stake for a challenge, but for other reasons too. At the time, I was

going door to door in the venture capital community looking for investors in a

security consulting enterprise. I had done security consulting 10 years before,

but it wasn’t the right time. The VC people agreed the right time was now, and

they had the numbers to prove it. Still, being a cautious person, my previous

experience told me this route would be a long and difficult road.

When I worked at OpenVision, I learned that if you’re going to have a security

division in a company that’s trying to cover the whole ground of distributed

system management, you shouldn’t try to sell security as a product. Rather, it

should integrate security into all of your products. At CertCo, I learned that you

absolutely have to start with where your customers are, not where you want

them to be. Any startup that builds the world’s best anything runs the risk of

being too early to survive. I came to the conclusion that we will never sell this

security stuff as long as we use it to disable. It’s only viable when we use it to

enable. The @Stake crowd was already talking about using security as a

strategic advantage to enable things you couldn’t otherwise do.

The advantage of joining @Stake was clear: We would have the money to

quickly assemble a critical mass. In the Internet space, where it’s winner take

all, @Stake was a chance to get out in front and not have to spend a year

raising money. I could play the kind of role here that I was looking for. I have my

hand on the steering wheel and it’s the right idea at the right time.

You have said very clearly that B2B is where money will be made on the

Internet. What makes you think that?

It’s the obvious place to make money since a small percentage is enough to

keep things rolling. If I buy a sweater from L.L. Bean using a Visa card, it’s hard

to argue that security is worth much of an additional markup. But, when you

consider the volume of Treasury bill trading equals $3 million per minute and it

takes nine minutes to report that your certificate has been stolen, it should be

worth $3 million to reduce every minute in latency of revocation. With the

secret-key systems-for example, Kerberos, an authentication service for

open-network systems-you pay a lot of the systems cost up front, but revocation

is free. With public-key systems, you pay nearly nothing up front to issue keys

and a lot to revoke them. The cost of issuing and revoking is a constant.

When you look at DDoS attacks, if you’re trying to measure something and say

the vulnerability risk to DDoS is based on-and name a measurement-I believe

that measurement is ‘How much work does the system do before it can make an

authorization decision?’ With a TCP-based service I can send an open

connection and get a reply and reply to it. I say ‘Hello,’ you answer ‘Hello,’ and I

say ‘I’m Dan’ and we go from there. If I say ‘Hello’ 5,000 times and never finish

the conversation, you have allocated a lot of resources. That’s generally how

SYN flooding attacks work. It’s the measure of how much non-renewable

resources the system expends before it can make the authorization decision.

The more complex the authorization tests are, on the one hand, the more

precise you can make them to control who can do what and to whom. But

complex authorization tests increase the vulnerability to DDoS attacks if an

attacker can cause the remote system to do that complex test a million times.

Those are trade-offs. I think there are a lot of trade-offs like that and I am looking

for lots of places where there is some characteristic like the amount of energy

spent on key management, in which I can find a constant of proportionality.

The way to rank technologies is: Where do they cut the line? For example,

standard PKI cuts the line way over toward ‘the work is in revocation, not in

issuance because revocation is a rare event.’ Now, that doesn’t mean

implementers don’t have to put most of their work into revocation handling-they

do, as a direct consequence of the revocation latency question. In this case, the

only way to limit vulnerability to DDoS is to think of some other heuristic that

approximates the authorization decision and is vastly cheaper.

It sounds to me like you’re searching for a formula or algorithm that will

quantify the value of time or energy. If you can turn that into a quantifiable

formula that makes sense to those who practice risk management, they will

immediately see how it meets their need to minimize risk and lower cost. Is

that the idea?

Exactly. It’s almost surely a macro-scale equivalent of the Heisenberg

Uncertainty Principle. I can know exactly where something is or how fast it’s

going, but to find out, both will result in errors. I wonder if we’re not missing some

kind of macro-level physics here, by which I mean something which is indivisible,

immutable and not subject to argument.

The Internet was not developed in or for the marketplace, and many

security experts were trained in the military or academia as they built the

World Wide Web. There is now a convergence of people from different

domains as everyone is ported into the marketplace, as e-commerce

becomes the way of doing business. What is the language of the

marketplace that will ‘port’ what you’re saying into those diverse economic

models?

That particular insight, and maybe this entire effort, might be a function of

maturity. It’s like making a sculpture: you get rid of everything that does not look

like an elephant and you’re left with an elephant. We have been at this long

enough, knocking away parts that don’t look much like an elephant, and this is

what’s left. What we have today is elephant-like, but it is hardly perfect. Maturity

is more than experience, though. It’s a particular kind of experience. When I

interview people, I look for ‘sadder, but wiser.’ I don’t think you can do security

unless you have seen something up close that was bad. Or if you can, you must

have an unusual amount of will power.

Brian Snow of the NSA spoke about his numerous encounters with ‘the real

bad guys’ during his keynote address at the Black Hat Briefings. I said, ‘You

really have seen the face of evil.’ The look in his eyes gave me his answer.

Is this why security is necessary?

Yes. I worked with someone who was in the Middle East for the CIA, but later

entered corporate life. I asked how he made the change. Remember when

terrorists kidnapped the CIA’s Beirut Stadium Chief and how they videotaped his

torture? My colleague had to watch those tapes after he had already done his

two weeks on a runway in a hijacked jetliner. That video took him over the edge.

For everyone out there who says, ‘There is no God,’ I want them to look me in

the eye and say, ‘There is no Evil.’ If they can’t do that, I will argue they can’t say

the other, either.

And yet it’s increasingly difficult in the security space to identify the

enemy. Borders or boundaries are dissolving around nations as well as

organizational structures and individuals.

Let’s get this straight: The surest enemy of democracy is an absence of borders.

Now you have the basis for linking the changing identities of nations to

organizations to individuals. That connects privacy for the individual with

security for the organization or nation. We don’t have names for talking

about this, but does identity or ‘self’ scale in the digital world?

No, we don’t have names for these emergent structures, and I don’t think we

have time to develop the words for them, either. Without words to clarify the

concepts, we don’t have a way of getting our minds around them.

When you look up ahead, where do you see the security trajectory going?

What is the next critical piece?

We are on the cusp of orders of magnitude increases in things connected to the

‘Net. The interface is no longer just keyboards and screens, but many other

things. The day is coming when refrigerators will automatically order groceries.

Now, everything we know about security involves making authorization decisions

after authentication decisions. Authentication involves using a password leading

to a key, to prove that a name is what it says it is. How will you name your three

refrigerators? How will you tell the grocery store that only ‘the one in the middle’

can order dairy products? We are going to run out of name space. Of all the

words in Webster’s Collegiate Dictionary, 90 percent have been registered as

domain names. If authentication is name based, what will we do for names? That

problem will not get easier as the Web becomes truly multilingual.

The embedded technology will stretch our ability to name things, and if we can’t

name them, what are we going to do for authentication? If we don’t have

authentication, what will we do for authorization? What will we do for all the rest?

The answer, I think, will be delegation, but delegation has been a security design

problem for some time. Making a trustable delegation is very hard. If I say, ‘Here

are the keys to my car,’ how do I keep you from giving them to my neighbor?

This is not to say that there are not elaborate schemes to support delegation,

but the Internet derives from academia and the military. Academia’s limit is, ‘Is it

too complex to think about?’ The military’s limit is, ‘Is it too expensive to buy and

can it be operated under adverse conditions?’ Ordi-nary peoples’ limiting factors

are much more prosaic: ‘Can I understand it?’ ‘Will it hurt me?’ ‘Can I leave the

kids alone in the house with it?’ I don’t know how to do delegation under those

circumstances.

Like President Lyndon Johnson’s definition of trust: It’s when I have you

where I want you.

Exactly. But in terms of the challenge we face, I’m at the opposite end of the

spectrum from people who want to do trust management. I just don’t think it’s

possible, because I don’t see how on earth we can develop a language that all

people can understand. This is really about Big Brother, not just trust

management. The best government of all is a benevolent dictator and a good

succession plan. Yes, machines are immortal and obviate the succession

problem, but I don’t want to find us there. That’s what made the movie “The

Matrix” so prophetic. The Matrix was doing everything wonderful for us until we

wanted to kill it and discovered that we couldn’t. The risk is that the complexity

of what we develop will exceed our ability to grasp it, and not enough people will

remain that care.

Hasn’t that been part of civilization for a long time-in the sense that

humanity has always had difficulty including everything we know and

everything we invent in a single mental space?

I think we can agree that the rate of possible change is accelerating. I don’t think

our genetic component or educational capacity is accelerating at that same rate.

Where do they diverge? That’s the question. The rate constants are different, just

as physicists like to marvel that if you change the energy of hydrogen’s first

electron’s orbit by ever so little, life as we know it would evaporate. Everything

about where we are is hypercritically interdependent.

Which makes it a people problem, because people are the network.

Right.

So, if we need to secure the electronic network using anomaly detection,

misuse detection, ubiquitous surveillance and other methods, isn’t it

inevitable that real security in a networked society is only possible if we

apply the same standards to the whole of society?

Yes.

So maybe, in some gray area, we must compromise and that’s where risk

management comes in. We may never achieve a balance at the level of

totalitarian control, but are we moving in that direction?

It’s highly unlikely that someone will come up to you personally and take your

privacy away. Children do not have an expectation of privacy; they develop it over

time. For adults, if they don’t know they have privacy, how much of a fight will

they put up when they don’t get it? I don’t think it’s possible to go much further in

our technological world on a ‘small is beautiful,’ egalitarian basis. We need to

modify the coming culture before it washes over us like a wave.

Any last thoughts?

It’s dangerous to make your last words an off-the-cuff statement, but I would say

that self-reliance is unavoidably a lonely phenomenon, but it is, as far as I know,

the only source of purpose or satisfaction or honor. In the interconnected world of

a networked society, it becomes ever more difficult. When will we get to the

point at which we decide, for example, that no one may use paper cash and

everyone must have access to the Internet? A lot of phone systems no longer

have options for rotary telephone users. A lot of information no longer appears in

forms that you expect to find in a library. We will all be part of the network one

way or another because if you are not, you are simply going to have to live

outside mass society, fending for yourself in increasingly smaller spaces.

Originally appeared in the October 2000 issue of Information Security Magazine (infosecuritymag.com). Copyright (c) 2000. All rights reserved.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: