All Geered Up: An Interview With Dan Geer
Interviewed By Richard Thieme

Dan Geer, @Stake CTO and the new president of USENIX, muses about privacy, security culture and the importance of self-reliance in the age of ubiquitous networks.

Editor's Note: Dr. Dan Geer, chief technology officer of @Stake, was recently elected president of the USENIX Association, an organization of 10,000 engineers, systems administrators, scientists and technicians working on the cutting edge of computer technology. Geer earned his doctorate in biostatistics from the Harvard University School of Public Health in 1988 while running the Health Sciences Computing Facility. He also was manager of systems development for MIT's Project Athena, where the X Window System and Kerberos were developed. Geer has held executive positions at Open Market, OpenVision Technologies (now Veritas) and CertCo, and has testified before congressional committees on public policy in the age of electronic commerce.

Q: You were elected president of USENIX. What's the significance of that for you?

A: I think the best way to thank somebody is to give back to them. In lots of ways, USENIX made me what I am, and I want to return the favor. That may sound corny, but that's the way my mamma raised me. USENIX has kept me from getting too satisfied. People who get satisfied stop growing. People who are never satisfied are always curious. Time and again, USENIX has exposed me to things I didn't know. That's what I've gotten out of it.

What is your vision for USENIX?

USENIX, like everyone, must be aware of what's changing, what old opportunities are being eclipsed and what new ones are showing up. We need to make our products obsolete before someone else does, create more conferences by leveraging our existing profitable conferences, and expedite the development of our new products. In the venture capital arena, investors want companies that go straight down or straight up. They don't want a 2 percent growth, which makes it impossible to get your money out or write it off. In some sense, intellectual capital has the same characteristics - I want prompt failure or success. I don't want to spend 10 years on something that finally struggles to its feet.

Is it critical to keep moving out of your comfort zone to keep yourself on the edge?

Yes. I am not an adrenaline sports guy, but maybe it's the same urge applied in a way that has greater long-term value.

Generational differences in the computer security space are becoming noticeable, especially since the younger generation has never lived without the 'Net. Do you see a significant difference in terms of how they think about security...and life?

I am not a student of this like Sherry Turkle [an MIT professor and author], but I like to quote Phil Agre of the Red Rock Eater News Service about the threat to the development of a coherent self: 'If you are online constantly with 27 nyms but no privacy, do you have a coherent self?'

Perhaps coherent self is a social construction of reality that emerged as a result of prior technologies, just as human rights and intellectual property rights did not exist before the printing press. Do you think that the ability to create our own aliases as spies do - what was once created by the sanction of nations - is now everyone's by virtue of digital technologies?

Yes, but that means compartmentalization. The degree to which compartmentalization is spreading in a way that's unconscious is remarkable. As late as when my father was born, life, work, community, home, field and forest were largely the same thing. My dad was born to a 16-year-old in a log cabin and didn't go to school. I'm CTO of @Stake with a Harvard doctorate - now that's scope. But let's take your point a little further: If the coherent self is itself in question, then so is the existence of culture. How do you have an indigenous culture with a rich basis of superstition in the digital era?

As soon as someone in the village gets a radio, the village ceases to exist. Correct?

Correct. I was fascinated to learn how television changed the image of an attractive woman in the Fiji Islands. Overnight, the image changed from as round as possible to as flat as possible. The media excels in rubbing your nose in what you don't have.

You, Bruce Schneier and Marcus Ranum seem to share a similar trajectory from immersion in computer security as a discrete domain to being very tuned in to marketplace realities. Bruce let go of a belief in mathematics as the savior of the world to wrestle in the trenches with the messy world. Marcus recognized that a company doing $600 million of business could absorb a security lapse, so the task was to manage the risk. You recently spoke at some length about risk management and the shift from technology per se to risk management and the insurance model. Does this make you part of the security shift?

I like to think I am part of the cause of that shift. In 1997, the keynote speech I gave at a conference had a lot of that in it. At the time of my remarks, the audience was unimpressed and looked for the next speaker. A year later, I reworked it and gave it at the Digital Commerce Society of Boston, and it spread all over the place. I was quite surprised, but an idea whose time has come is a powerful thing. The way you know you've given a good speech, I was once told, is if one person says to another afterward, 'That's exactly how I've always felt.'

Robert Galvin of Motorola said that every breakthrough idea begins as a minority opinion and moves from invisible and inaudible to 'that's something I always believed.' Same idea?

Yes. Malcolm Gladwell in The Tipping Point discusses the spread of ideas from the point of view of an epidemiologist. I'm trained as an epidemiologist. My degree is in biostatistics and epidemiology. Gladwell looks at re-infection rates and herd immunity - how diseases grow or fade. It does not take much of a change in the transmission rate to create an epidemic. Sometimes as little as a 1 percent change will make a difference - that's 'the tipping point' that pushes the idea over the edge. You can't plan this, but you can recognize it when it's happening. That's what happened with my ideas on risk management as the critical piece in the security space - right time, right place.

You could have chosen several paths at this point in your career. Why did you join @Stake?

I came to @Stake for a challenge, but for other reasons too. At the time, I was going door to door in the venture capital community looking for investors in a security consulting enterprise. I had done security consulting 10 years before, but it wasn't the right time. The VC people agreed the right time was now, and they had the numbers to prove it. Still, being a cautious person, my previous experience told me this route would be a long and difficult road.

When I worked at OpenVision, I learned that if you're going to have a security division in a company that's trying to cover the whole ground of distributed system management, you shouldn't try to sell security as a product. Rather, it should integrate security into all of your products. At CertCo, I learned that you absolutely have to start with where your customers are, not where you want them to be. Any startup that builds the world's best anything runs the risk of being too early to survive. I came to the conclusion that we will never sell this security stuff as long as we use it to disable. It's only viable when we use it to enable. The @Stake crowd was already talking about using security as a strategic advantage to enable things you couldn't otherwise do.

The advantage of joining @Stake was clear: We would have the money to quickly assemble a critical mass. In the Internet space, where it's winner take all, @Stake was a chance to get out in front and not have to spend a year raising money. I could play the kind of role here that I was looking for. I have my hand on the steering wheel and it's the right idea at the right time.

You have said very clearly that B2B is where money will be made on the Internet. What makes you think that?

It's the obvious place to make money since a small percentage is enough to keep things rolling. If I buy a sweater from L.L. Bean using a Visa card, it's hard to argue that security is worth much of an additional markup. But, when you consider the volume of Treasury bill trading equals $3 million per minute and it takes nine minutes to report that your certificate has been stolen, it should be worth $3 million to reduce every minute in latency of revocation. With the secret-key systems - for example, Kerberos, an authentication service for open-network systems - you pay a lot of the systems cost up front, but revocation is free. With public-key systems, you pay nearly nothing up front to issue keys and a lot to revoke them. The cost of issuing and revoking is a constant.

When you look at DDoS attacks, if you're trying to measure something and say the vulnerability risk to DDoS is based on - and name a measurement - I believe that measurement is 'How much work does the system do before it can make an authorization decision?' With a TCP-based service I can send an open connection and get a reply and reply to it. I say 'Hello,' you answer 'Hello,' and I say 'I'm Dan' and we go from there. If I say 'Hello' 5,000 times and never finish the conversation, you have allocated a lot of resources. That's generally how SYN flooding attacks work. It's the measure of how much non-renewable resources the system expends before it can make the authorization decision.

The more complex the authorization tests are, on the one hand, the more precise you can make them to control who can do what and to whom. But complex authorization tests increase the vulnerability to DDoS attacks if an attacker can cause the remote system to do that complex test a million times. Those are trade-offs. I think there are a lot of trade-offs like that and I am looking for lots of places where there is some characteristic like the amount of energy spent on key management, in which I can find a constant of proportionality.

The way to rank technologies is: Where do they cut the line? For example, standard PKI cuts the line way over toward 'the work is in revocation, not in issuance because revocation is a rare event.' Now, that doesn't mean implementers don't have to put most of their work into revocation handling - they do, as a direct consequence of the revocation latency question. In this case, the only way to limit vulnerability to DDoS is to think of some other heuristic that approximates the authorization decision and is vastly cheaper.

It sounds to me like you're searching for a formula or algorithm that will quantify the value of time or energy. If you can turn that into a quantifiable formula that makes sense to those who practice risk management, they will immediately see how it meets their need to minimize risk and lower cost. Is that the idea?

Exactly. It's almost surely a macro-scale equivalent of the Heisenberg Uncertainty Principle. I can know exactly where something is or how fast it's going, but to find out, both will result in errors. I wonder if we're not missing some kind of macro-level physics here, by which I mean something which is indivisible, immutable and not subject to argument.

The Internet was not developed in or for the marketplace, and many security experts were trained in the military or academia as they built the World Wide Web. There is now a convergence of people from different domains as everyone is ported into the marketplace, as e-commerce becomes the way of doing business.

What is the language of the marketplace that will 'port' what you're saying into those diverse economic models?

That particular insight, and maybe this entire effort, might be a function of maturity. It's like making a sculpture: you get rid of everything that does not look like an elephant and you're left with an elephant. We have been at this long enough, knocking away parts that don't look much like an elephant, and this is what's left. What we have today is elephant-like, but it is hardly perfect. Maturity is more than experience, though. It's a particular kind of experience. When I interview people, I look for 'sadder, but wiser.' I don't think you can do security unless you have seen something up close that was bad. Or if you can, you must have an unusual amount of will power.

Brian Snow of the NSA spoke about his numerous encounters with 'the real bad guys' during his keynote address at the Black Hat Briefings. I said, 'You really have seen the face of evil.' The look in his eyes gave me his answer.

Is this why security is necessary?

Yes. I worked with someone who was in the Middle East for the CIA, but later entered corporate life. I asked how he made the change. Remember when terrorists kidnapped the CIA's Beirut Stadium Chief and how they videotaped his torture? My colleague had to watch those tapes after he had already done his two weeks on a runway in a hijacked jetliner. That video took him over the edge. For everyone out there who says, 'There is no God,' I want them to look me in the eye and say, 'There is no Evil.' If they can't do that, I will argue they can't say the other, either.

And yet it's increasingly difficult in the security space to identify the enemy. Borders or boundaries are dissolving around nations as well as organizational structures and individuals.

Let's get this straight: The surest enemy of democracy is an absence of borders.

Now you have the basis for linking the changing identities of nations to organizations to individuals. That connects privacy for the individual with security for the organization or nation. We don't have names for talking about this, but does identity or 'self' scale in the digital world?

No, we don't have names for these emergent structures, and I don't think we have time to develop the words for them, either. Without words to clarify the concepts, we don't have a way of getting our minds around them.

When you look up ahead, where do you see the security trajectory going? What is the next critical piece?

We are on the cusp of orders of magnitude increases in things connected to the 'Net. The interface is no longer just keyboards and screens, but many other things. The day is coming when refrigerators will automatically order groceries. Now, everything we know about security involves making authorization decisions after authentication decisions. Authentication involves using a password leading to a key, to prove that a name is what it says it is. How will you name your three refrigerators? How will you tell the grocery store that only 'the one in the middle' can order dairy products? We are going to run out of name space. Of all the words in Webster's Collegiate Dictionary, 90 percent have been registered as domain names. If authentication is name based, what will we do for names? That problem will not get easier as the Web becomes truly multilingual.

The embedded technology will stretch our ability to name things, and if we can't name them, what are we going to do for authentication? If we don't have authentication, what will we do for authorization? What will we do for all the rest? The answer, I think, will be delegation, but delegation has been a security design problem for some time. Making a trustable delegation is very hard. If I say, 'Here are the keys to my car,' how do I keep you from giving them to my neighbor? This is not to say that there are not elaborate schemes to support delegation, but the Internet derives from academia and the military. Academia's limit is, 'Is it too complex to think about?' The military's limit is, 'Is it too expensive to buy and can it be operated under adverse conditions?' Ordinary people's limiting factors are much more prosaic: 'Can I understand it?' 'Will it hurt me?' 'Can I leave the kids alone in the house with it?' I don't know how to do delegation under those circumstances.

Like President Lyndon Johnson's definition of trust: It's when I have you where I want you.

Exactly. But in terms of the challenge we face, I'm at the opposite end of the spectrum from people who want to do trust management. I just don't think it's possible, because I don't see how on earth we can develop a language that all people can understand. This is really about Big Brother, not just trust management. The best government of all is a benevolent dictator and a good succession plan. Yes, machines are immortal and obviate the succession problem, but I don't want to find us there. That's what made the movie "The Matrix" so prophetic. The Matrix was doing everything wonderful for us until we wanted to kill it and discovered that we couldn't. The risk is that the complexity of what we develop will exceed our ability to grasp it, and not enough people will remain that care.

Hasn't that been part of civilization for a long time - in the sense that humanity has always had difficulty including everything we know and everything we invent in a single mental space?

I think we can agree that the rate of possible change is accelerating. I don't think our genetic component or educational capacity is accelerating at that same rate. Where do they diverge? That's the question. The rate constants are different, just as physicists like to marvel that if you change the energy of hydrogen's first electron's orbit by ever so little, life as we know it would evaporate. Everything about where we are is hypercritically interdependent.

Which makes it a people problem, because people are the network.

Right.

So, if we need to secure the electronic network using anomaly detection, misuse detection, ubiquitous surveillance and other methods, isn't it inevitable that real security in a networked society is only possible if we apply the same standards to the whole of society?

Yes.

So maybe, in some gray area, we must compromise and that's where risk management comes in. We may never achieve a balance at the level of totalitarian control, but are we moving in that direction?

It's highly unlikely that someone will come up to you personally and take your privacy away. Children do not have an expectation of privacy; they develop it over time. For adults, if they don't know they have privacy, how much of a fight will they put up when they don't get it? I don't think it's possible to go much further in our technological world on a 'small is beautiful,' egalitarian basis. We need to modify the coming culture before it washes over us like a wave.

Any last thoughts?

It's dangerous to make your last words an off-the-cuff statement, but I would say that self-reliance is unavoidably a lonely phenomenon, but it is, as far as I know, the only source of purpose or satisfaction or honor. In the interconnected world of a networked society, it becomes ever more difficult. When will we get to the point at which we decide, for example, that no one may use paper cash and everyone must have access to the Internet? A lot of phone systems no longer have options for rotary telephone users. A lot of information no longer appears in forms that you expect to find in a library. We will all be part of the network one way or another because if you are not, you are simply going to have to live outside mass society, fending for yourself in increasingly smaller spaces.

Originally appeared in the October 2000 issue of Information Security Magazine (infosecuritymag.com). Copyright (c) 2000. All rights reserved.

©2001 Richard Thieme. All Rights Reserved.