ALL GEERED UP: AN INTERVIEW WITH DAN GEER
Dan Geer, @Stake CTO and the new president of USENIX, muses about
privacy, security culture and the importance of self-reliance in the age of
INTERVIEWED BY RICHARD THIEME
Editor’s Note: Dr. Dan Geer, chief technology officer of @Stake, was recently
elected president of the USENIX Association, an organization of 10,000
engineers, systems administrators, scientists and technicians working on the
cutting edge of computer technology. Geer earned his doctorate in biostatistics
from the Harvard University School of Public Health in 1988 while running the
Health Sciences Computing Facility. He also was manager of systems
development for MIT’s Project Athena, where the X Window System and
Kerberos were developed. Geer has held executive positions at Open Market,
OpenVision Technologies (now Veritas) and CertCo, and has testified before
congressional committees on public policy in the age of electronic commerce.
Q: You were elected president of USENIX. What’s the significance of that for you?
A: I think the best way to thank somebody is to give back to them. In lots of ways, USENIX made me what I am, and I want to return the favor. That may sound corny, but that’s the way my mamma raised me. USENIX has kept me from getting too satisfied. People who get satisfied stop growing. People who are never satisfied are always curious. Time and again, USENIX has exposed me to things I didn’t know. That’s what I’ve gotten out of it.
What is your vision for USENIX?
USENIX, like everyone, must be aware of what’s changing, what old opportunities are being eclipsed and what new ones are showing up. We need to make our products obsolete before someone else does, create more conferences by leveraging our existing profitable conferences, and expedite the development of our new products. In the venture capital arena, investors want companies that go straight down or straight up. They don’t want a 2 percent growth, which makes it impossible to get your money out or write it off. In some sense, intellectual capital has the same characteristics - I want prompt failure or success. I don’t want to spend 10 years on something that finally struggles to its feet.
Is it critical to keep moving out of your comfort zone to keep yourself on the edge?
Yes. I am not an adrenaline sports guy, but maybe it’s the same urge applied in a way that has greater long-term value.
Generational differences in the computer security space are becoming noticeable, especially since the younger generation has never lived without the ‘Net. Do you see a significant difference in terms of how they think about security…and life?
I am not a student of this like Sherry Turkle [an MIT professor and author], but I like to quote Phil Agre of the Red Rock Eater News Service about the threat to the development of a coherent self: ‘If you are online constantly with 27 nyms but no privacy, do you have a coherent self?’
Perhaps coherent self is a social construction of reality that emerged as a result of prior technologies, just as human rights and intellectual property rights did not exist before the printing press. Do you think that the ability to create our own aliases as spies do - what was once created by the sanction of nations - is now everyone’s by virtue of digital technologies?
Yes, but that means compartmentalization. The degree to which compartmentalization is spreading in a way that’s unconscious is remarkable. As late as when my father was born, life, work, community, home, field and forest were largely the same thing. My dad was born to a 16-year-old in a log cabin and didn’t go to school. I’m CTO of @Stake with a Harvard doctorate - now that’s scope. But let’s take your point a little further: If the coherent self is itself in question, then so is the existence of culture. How do you have an indigenous culture with a rich basis of superstition in the digital era?
As soon as someone in the village gets a radio, the village ceases to exist. Correct?
Correct. I was fascinated to learn how television changed the image of an attractive woman in the Fiji Islands. Overnight, the image changed from as round as possible to as flat as possible. The media excels in rubbing your nose in what you don’t have.
You, Bruce Schneier and Marcus Ranum seem to share a similar trajectory
from immersion in computer security as a discrete domain to being very
tuned in to marketplace realities. Bruce let go of a belief in mathematics as
the savior of the world to wrestle in the trenches with the messy world.
Marcus recognized that a company doing $600 million of business could
absorb a security lapse, so the task was to manage the risk. You recently
spoke at some length about risk management and the shift from technology per se to risk management and the insurance model. Does this
make you part of the security shift?
I like to think I am part of the cause of that shift. In 1997, the keynote speech I
gave at a conference had a lot of that in it. At the time of my remarks, the
audience was unimpressed and looked for the next speaker. A year later, I
reworked it and gave it at the Digital Commerce Society of Boston, and it spread
all over the place. I was quite surprised, but an idea whose time has come is a
powerful thing. The way you know you’ve given a good speech, I was once told,
is if one person says to another afterward, ‘That’s exactly how I’ve always felt.’
Robert Galvin of Motorola said that every breakthrough idea begins as a
minority opinion and moves from invisible and inaudible to ‘that’s
something I always believed.’ Same idea?
Yes. Malcolm Gladwell in The Tipping Point discusses the spread of ideas from
the point of view of an epidemiologist. I’m trained as an epidemiologist. My
degree is in biostatistics and epidemiology. Gladwell looks at re-infection rates
and herd immunity - how diseases grow or fade. It does not take much of a
change in the transmission rate to create an epidemic. Sometimes as little as a
1 percent change will make a difference - that’s ‘the tipping point’ that pushes the
idea over the edge. You can’t plan this, but you can recognize it when it’s
happening. That’s what happened with my ideas on risk management as the
critical piece in the security space - right time, right place.
You could have chosen several paths at this point in your career. Why did
you join @Stake?
I came to @Stake for a challenge, but for other reasons too. At the time, I was
going door to door in the venture capital community looking for investors in a
security consulting enterprise. I had done security consulting 10 years before,
but it wasn’t the right time. The VC people agreed the right time was now, and
they had the numbers to prove it. Still, being a cautious person, my previous
experience told me this route would be a long and difficult road.
When I worked at OpenVision, I learned that if you’re going to have a security
division in a company that’s trying to cover the whole ground of distributed
system management, you shouldn’t try to sell security as a product. Rather, it
should integrate security into all of your products. At CertCo, I learned that you
absolutely have to start with where your customers are, not where you want
them to be. Any startup that builds the world’s best anything runs the risk of
being too early to survive. I came to the conclusion that we will never sell this
security stuff as long as we use it to disable. It’s only viable when we use it to
enable. The @Stake crowd was already talking about using security as a
strategic advantage to enable things you couldn’t otherwise do.
The advantage of joining @Stake was clear: We would have the money to
quickly assemble a critical mass. In the Internet space, where it’s winner take
all, @Stake was a chance to get out in front and not have to spend a year
raising money. I could play the kind of role here that I was looking for. I have my
hand on the steering wheel and it’s the right idea at the right time.
You have said very clearly that B2B is where money will be made on the
Internet. What makes you think that?
It’s the obvious place to make money since a small percentage is enough to
keep things rolling. If I buy a sweater from L.L. Bean using a Visa card, it’s hard
to argue that security is worth much of an additional markup. But, when you
consider the volume of Treasury bill trading equals $3 million per minute and it
takes nine minutes to report that your certificate has been stolen, it should be
worth $3 million to reduce every minute in latency of revocation. With the
secret-key systems - for example, Kerberos, an authentication service for
open-network systems - you pay a lot of the systems cost up front, but revocation
is free. With public-key systems, you pay nearly nothing up front to issue keys
and a lot to revoke them. The cost of issuing and revoking is a constant.
When you look at DDoS attacks, if you’re trying to measure something and say
the vulnerability risk to DDoS is based on - and name a measurement - I believe
that measurement is ‘How much work does the system do before it can make an
authorization decision?’ With a TCP-based service I can send an open
connection and get a reply and reply to it. I say ‘Hello,’ you answer ‘Hello,’ and I
say ‘I’m Dan’ and we go from there. If I say ‘Hello’ 5,000 times and never finish
the conversation, you have allocated a lot of resources. That’s generally how
SYN flooding attacks work. It’s the measure of how much non-renewable
resources the system expends before it can make the authorization decision.
The more complex the authorization tests are, on the one hand, the more
precise you can make them to control who can do what and to whom. But
complex authorization tests increase the vulnerability to DDoS attacks if an
attacker can cause the remote system to do that complex test a million times.
Those are trade-offs. I think there are a lot of trade-offs like that and I am looking
for lots of places where there is some characteristic like the amount of energy
spent on key management, in which I can find a constant of proportionality.
The way to rank technologies is: Where do they cut the line? For example,
standard PKI cuts the line way over toward ‘the work is in revocation, not in
issuance because revocation is a rare event.’ Now, that doesn’t mean
implementers don’t have to put most of their work into revocation handling - they
do, as a direct consequence of the revocation latency question. In this case, the
only way to limit vulnerability to DDoS is to think of some other heuristic that
approximates the authorization decision and is vastly cheaper.
It sounds to me like you’re searching for a formula or algorithm that will
quantify the value of time or energy. If you can turn that into a quantifiable
formula that makes sense to those who practice risk management, they will
immediately see how it meets their need to minimize risk and lower cost. Is
that the idea?
Exactly. It’s almost surely a macro-scale equivalent of the Heisenberg
Uncertainty Principle. I can know exactly where something is or how fast it’s
going, but to find out, both will result in errors. I wonder if we’re not missing some
kind of macro-level physics here, by which I mean something which is indivisible,
immutable and not subject to argument.
The Internet was not developed in or for the marketplace, and many
security experts were trained in the military or academia as they built the
World Wide Web. There is now a convergence of people from different
domains as everyone is ported into the marketplace, as e-commerce
becomes the way of doing business. What is the language of the
marketplace that will ‘port’ what you’re saying into those diverse economic
That particular insight, and maybe this entire effort, might be a function of
maturity. It’s like making a sculpture: you get rid of everything that does not look
like an elephant and you’re left with an elephant. We have been at this long
enough, knocking away parts that don’t look much like an elephant, and this is
what’s left. What we have today is elephant-like, but it is hardly perfect. Maturity
is more than experience, though. It’s a particular kind of experience. When I
interview people, I look for ‘sadder, but wiser.’ I don’t think you can do security
unless you have seen something up close that was bad. Or if you can, you must
have an unusual amount of will power.
Brian Snow of the NSA spoke about his numerous encounters with ‘the real
bad guys’ during his keynote address at the Black Hat Briefings. I said, ‘You
really have seen the face of evil.’ The look in his eyes gave me his answer.
Is this why security is necessary?
Yes. I worked with someone who was in the Middle East for the CIA, but later
entered corporate life. I asked how he made the change. Remember when
terrorists kidnapped the CIA’s Beirut Station Chief and how they videotaped his
torture? My colleague had to watch those tapes after he had already done his
two weeks on a runway in a hijacked jetliner. That video took him over the edge.
For everyone out there who says, ‘There is no God,’ I want them to look me in
the eye and say, ‘There is no Evil.’ If they can’t do that, I will argue they can’t say
the other, either.
And yet it’s increasingly difficult in the security space to identify the
enemy. Borders or boundaries are dissolving around nations as well as
organizational structures and individuals.
Let’s get this straight: The surest enemy of democracy is an absence of borders.
Now you have the basis for linking the changing identities of nations to
organizations to individuals. That connects privacy for the individual with
security for the organization or nation. We don’t have names for talking
about this, but does identity or ‘self’ scale in the digital world?
No, we don’t have names for these emergent structures, and I don’t think we
have time to develop the words for them, either. Without words to clarify the
concepts, we don’t have a way of getting our minds around them.
When you look up ahead, where do you see the security trajectory going?
What is the next critical piece?
We are on the cusp of orders of magnitude increases in things connected to the
‘Net. The interface is no longer just keyboards and screens, but many other
things. The day is coming when refrigerators will automatically order groceries.
Now, everything we know about security involves making authorization decisions
after authentication decisions. Authentication involves using a password leading
to a key, to prove that a name is what it says it is. How will you name your three
refrigerators? How will you tell the grocery store that only ‘the one in the middle’
can order dairy products? We are going to run out of name space. Of all the
words in Webster’s Collegiate Dictionary, 90 percent have been registered as
domain names. If authentication is name based, what will we do for names? That
problem will not get easier as the Web becomes truly multilingual.
The embedded technology will stretch our ability to name things, and if we can’t
name them, what are we going to do for authentication? If we don’t have
authentication, what will we do for authorization? What will we do for all the rest?
The answer, I think, will be delegation, but delegation has been a security design
problem for some time. Making a trustable delegation is very hard. If I say, ‘Here
are the keys to my car,’ how do I keep you from giving them to my neighbor?
This is not to say that there are not elaborate schemes to support delegation,
but the Internet derives from academia and the military. Academia’s limit is, ‘Is it
too complex to think about?’ The military’s limit is, ‘Is it too expensive to buy and
can it be operated under adverse conditions?’ Ordinary people’s limiting factors
are much more prosaic: ‘Can I understand it?’ ‘Will it hurt me?’ ‘Can I leave the
kids alone in the house with it?’ I don’t know how to do delegation under those
Like President Lyndon Johnson’s definition of trust: It’s when I have you
where I want you.
Exactly. But in terms of the challenge we face, I’m at the opposite end of the
spectrum from people who want to do trust management. I just don’t think it’s
possible, because I don’t see how on earth we can develop a language that all
people can understand. This is really about Big Brother, not just trust
management. The best government of all is a benevolent dictator and a good
succession plan. Yes, machines are immortal and obviate the succession
problem, but I don’t want to find us there. That’s what made the movie “The
Matrix” so prophetic. The Matrix was doing everything wonderful for us until we
wanted to kill it and discovered that we couldn’t. The risk is that the complexity
of what we develop will exceed our ability to grasp it, and not enough people will
remain that care.
Hasn’t that been part of civilization for a long time - in the sense that
humanity has always had difficulty including everything we know and
everything we invent in a single mental space?
I think we can agree that the rate of possible change is accelerating. I don’t think
our genetic component or educational capacity is accelerating at that same rate.
Where do they diverge? That’s the question. The rate constants are different, just
as physicists like to marvel that if you change the energy of hydrogen’s first
electron’s orbit by ever so little, life as we know it would evaporate. Everything
about where we are is hypercritically interdependent.
Which makes it a people problem, because people are the network.
So, if we need to secure the electronic network using anomaly detection,
misuse detection, ubiquitous surveillance and other methods, isn’t it
inevitable that real security in a networked society is only possible if we
apply the same standards to the whole of society?
So maybe, in some gray area, we must compromise and that’s where risk
management comes in. We may never achieve a balance at the level of
totalitarian control, but are we moving in that direction?
It’s highly unlikely that someone will come up to you personally and take your
privacy away. Children do not have an expectation of privacy; they develop it over
time. For adults, if they don’t know they have privacy, how much of a fight will
they put up when they don’t get it? I don’t think it’s possible to go much further in
our technological world on a ‘small is beautiful,’ egalitarian basis. We need to
modify the coming culture before it washes over us like a wave.
Any last thoughts?
It’s dangerous to make your last words an off-the-cuff statement, but I would say
that self-reliance is unavoidably a lonely phenomenon, but it is, as far as I know,
the only source of purpose or satisfaction or honor. In the interconnected world of
a networked society, it becomes ever more difficult. When will we get to the
point at which we decide, for example, that no one may use paper cash and
everyone must have access to the Internet? A lot of phone systems no longer
have options for rotary telephone users. A lot of information no longer appears in
forms that you expect to find in a library. We will all be part of the network one
way or another because if you are not, you are simply going to have to live
outside mass society, fending for yourself in increasingly smaller spaces.
Originally appeared in the October 2000 issue of Information Security Magazine (infosecuritymag.com). Copyright (c) 2000. All rights reserved.