An old Paul Newman movie features a government official leaving his office for a moment. His visitor finds on his cluttered desk some confidential information, intended for her eyes. The official has arranged it so he cannot be convicted of handing over any secrets, even though he has.
In today’s hacking universe, this trick is repeated creatively, and the perpetrators are well-paid for their “safe betrayal.” Virtually every successful hacking is built on a variety of unprosecutable acts where partners in crime have only their own conscience to wrestle with. There’s certainly no fear of the law.
Yet, deterrence is the cheapest law-enforcement tool. We invest a fortune in overblown security measures, ignoring the power of this simple security measure.
The twin of deterrence is entrapment. The average hacker tries, and retries, his luck on his target without worrying that if he does get in, he will fall into a trap, and his acts will convict him. Even a shadow of such concern would build nervousness, which will often deter and will always degrade concentration and performance.
A while ago, word got out that a password file for access to a juicy merchant database included unused passwords. Any attempt to use them would indicate foul play, triggering a tracking procedure aimed at exposing the hacker. The chilling effect was widespread.
Entrapment is double-edged. If it lures the criminal, you get him. If it scares the criminal, you deter him. This creates the temptation for security planners to abuse this measure. For example, some falsely announce entrapment procedures, counting on a sort of “any way you win” logic, but their deceit is short-lived. The word gets out.
The best way to use deterrence and entrapment is to design effective entrapments. That is, catch hackers and then publicize the catch, while keeping much of the entrapment procedure confidential. If you catch a shark in your net, all the lesser fish will swim away.
Entrapments range from a sophisticated, subtle, and creative computing procedure to simple, plain, low-tech protocols. The idea is that a hacker is lured to exploit an opportunity that presents itself with apparently no downside.
In quite a few cases, “rotten apples” in a department have been rooted out by simply leaving on the manager’s screen or desk some confidential access information. Some will simply not pay attention or ignore what they see. But others will use this access data the first chance they get, exposing themselves for who they are. The trouble is that a third category of spotters will pass this information to an external party, who might sell it. This creates a hard-to-establish link between the original thief and the end of the chain, where the data may be used in a criminal exploit.
Here’s an example of an effective entrapment. A distinguished panel is given highly confidential data to review. In the past, copies of that data leaked out. It’s clear that someone is betraying his or her trust. But how to find the culprit without resorting to Gestapo tactics? The solution: the reams of data to be evaluated by the panel were ever so slightly “personalized,” namely some numeric changes introduced. So minor were they that there would be no impact on the analysis of the data. The copy that was later exposed in the press fingered the “bad apple.”
The very same trick may be used by mixing entrapment with deterrence—warning the panel that each got a personalized copy of the data. If a member of the panel approaches another with a request to see his or her data, then somewhere an alarm bell should ring.
Some of us who get consultant-access to top-secret systems agree to work with full tracking of every keystroke. Why not similarly compel convicted hackers? They will hate it!
As far as deterrence is concerned, there is simply a lack of imagination. I have often repeated my simple, inexpensive suggestion for very effective deterrence. I always get a positive response, but that is as far as it goes.
Let me try again. Let the government establish a plain server that would grant email access to convicted data thieves. Their sentence would include a court order to exclusively use this email address for all communication for the next five years or more: [first name].[last name]@ConvictedHacker.gov.
This modern-day “Scarlet Letter” will work. Shame is a powerful deterrent.
—Gideon Samid • Gideon@BitMint.com