HitB2012Ams: Trust, Security & Society
Frank Breedijk
Bruce’s keynote is about his new book “Liars and Outliers”, which could also have been called “What I did in 2011”.
The research he did in 2001 made him think a lot about trust. Just this morning he woke up in a hotel in a strange town, in a room that undoubtedly a lot of people had access to, ate food served by a stranger, walked in a strange town and didn’t get mugged. The number of times we trust people is enormous. Trust is crucial to society and unique to humans. Chimpanzees do not trust strangers at all.
While the talk is about trust it is really a security talk. Security enables trust and thus enables society.
We don’t really think about how security enables trust.
Trust is a really complicated subject. Trust has a lot of different meanings.
There is a personal intimate sort of trust. When you trust a friend, you are not talking about their actions, but about their character.
There is also a less personal form, like trusting the taxi driver not to cheat you. You don’t know his character, but you are trusting that he uses a good meter to determine your taxi fare. You don’t know if he wants to steal; you are just convinced that he will not steal from you at this moment in time.
People are trustworthy in the sense that they cooperate with social norms. They do not rob or pickpocket you.
People trust organizations and institutions. When you trust that the plane will not crash, you trust that the airline has taken sufficient measures to make sure that there is a competent pilot in the cockpit.
The same applies to ATMs, which by some magic give you money if you supply them with a plastic card and the correct PIN.
For any cooperative system there is an alternative non-cooperative strategy. Parasites can only succeed if they are not too successful. If a tapeworm takes too much nourishment from its host, the host dies and thus the parasite dies.
We all want to have somebody else’s stuff too, but as a society we are all better off if nobody steals. As an individual I benefit the most in a society where nobody steals but me. I get the benefit of living in a theft-free society and I get to take your stuff as well.
Security is about how to get the number of parasites/defectors to an acceptable level. It makes society trustworthy and makes us feel better about society.
Security is how a group enforces norms. The goal of this game of group pressure is not to eliminate the defectors, but to get them to acceptable levels.
The first force is morals. They are what is in our own head that makes us not display unwanted behavior.
The second force is reputation: in general, “what other people think about our actions”. We get praised for good behavior and snubbed for bad behavior. This is not a formal system: when a friend steals a sweater from my house, I’m not going to call the police, I’m just not going to invite him over again.
Morals and reputations are very old and are even present in other primates. They are very powerful mechanisms. But, humans are different in the sense that they communicate about reputation. Some even think that language started to develop specifically to be able to communicate this information.
The third force is institutions. These are created to enforce certain behavior, like not speeding on the highway.
The last force is security systems. Things like locks, audits, norms, CCTV. There are very many of these systems.
All four forces work together. Most people don’t steal because it’s wrong, because it is not accepted by society, because it is illegal to do so. Door locks are for individuals that these first three forces do not work for.
It is stunning that these first three forces are largely ignored when we think about, e.g., theft prevention.
The power of reputation is great. The number of people paying in a trust box system increases if a picture of a pair of eyes is behind the trust box. This has been confirmed by experiments.
This picture is oversimplified; just about every human science (history, psychology, etc.) is involved in these systems.
Self-interest vs. group interest is an oversimplification; there are often different competing interests, e.g. professional interest vs. personal interest.
Defectors can be both wrong and right. E.g. a police informant is a defector among thieves, but is doing the right thing for society.
Technology has changed society and thus changed the defector vs. society balance. E.g. the internet allows crime to easily cross borders. Technology changes the balance between how many defectors are acceptable or how many defectors there are. And in response to this, society has to rebalance. It is not a scientific process, but it is how societies stay stable.
Unfortunately attackers have a natural advantage. They can make use of new technology faster. E.g. bank robbers were using cars before there were any police cars, simply because they don’t have to consider “the group” when making their decisions.
Because of this lag, there is always a security gap between what attackers can do and what defenders can do.
Our best hope is not to keep up with attackers, but to make sure we can keep the gap between the attackers and the defenders small enough.
Technology isn’t bad; it helps society grow. In the past, if you wanted a loan, you got it based on your personal reputation because the bank manager knew you. Now you get (or don’t get) your loan from a stranger in a random bank based on a technologically based reputation system. It is a way to scale reputation across society.
Unfortunately society isn’t always right. When you talk about group vs. personal interest you imply that the group is right. But the group may be enforcing slavery or torture. Defectors are, in the end, the ones that change society.
Any society will have defectors. More enforcement is not always the right way. Any enforcement system is going to have false alarms, and punishing the wrong people will always have an effect. There are good and bad defectors, and telling them apart is hard.
Last but not least, any society needs defectors.
ABOUT BRUCE SCHNEIER
Bruce Schneier is an internationally renowned security technologist, referred to by The Economist as a “security guru.” He is the author of eleven books — including the best sellers Liars and Outliers, Beyond Fear, and Secrets and Lies – as well as hundreds of articles and essays, and many more academic papers. His influential newsletter “Crypto-Gram,” and his blog “Schneier on Security,” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, served on several government technical committees, and is regularly quoted in the press. Schneier is the Chief Security Technology Officer of BT.