A Different Kind of Crime Thriller

Over at BLDBLOG, Geoff Manaugh has been conjuring up a new literary genre: the bank heist master plan — rethinking the city as a “maze of unrealized break-ins.”

Talk about exploring the hidden side of everything. In pursuit of the prize for most beautifully crafted bank heist plan, Manaugh writes:

You describe, in extraordinary detail — down to timetables and distances — how all the banks in your city might someday be robbed. Every issue of The New Yorker, for instance, includes an 800-word essay about breaking into different banks throughout Manhattan, one by one, in every neighborhood. Ideas, plans, possibilities. Scenarios. Time Out London does the same.

It soon becomes a topic of regular conversation at dinner parties; parents lull their kids to sleep describing imaginary bank robberies, tales of theft, and architectural transgression. Buildings are something to be broken into, the parents say. It’s what buildings have inside that’s the goal.

The idea brings us back to the question of what makes us safer: divulging and exploring our vulnerabilities or trying to keep them secret.


michael donnelly

Bruce Schneier just wrote an article about this related to the MIT students who figured out a way to hack the Boston subway system: http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821

The bottom line is that covering up vulnerabilities is only useful if you assume that criminals can't do their own research.

Walter Wimberly

A lot of (computer) security experts who find vulnerabilities try to work with the developing companies first so they can fix the issue, then release the information about the error after a given period of time.

This does a couple of things:

1) Gives the companies a chance to be responsible on their own.

2) Forces the companies to be responsible - the notification is going out after a set period of time whether they do something about it or not.

3) Allows the discoverer a chance to be recognized for their work in the detection process.

As for Open Source software not being attacked because it doesn't have the user base to create damage/news: think of it as an opportunity cost. If I can exploit 15% of all web browsers, or 80% of all web browsers, for less than 4x the amount of time, which yields the greater payout (controlled computers, notoriety, etc.)?

Kirilius

To #6: I was answering the question in the article ("divulging and exploring our vulnerabilities or trying to keep them secret?") for myself.

If ALL vulnerabilities of a bank, you or myself are known and open to the public, then the bank, you and I will have to concentrate a significant amount of effort and resources to mitigate the risk. Said in economic terms: it will become very expensive to take care of EVERY vulnerability.

There has to be a balance between the two approaches. Otherwise a bank's main business will become "fill in security holes" (as opposed to "make money") and on individual level a person will become an obsessive compulsive paranoid ;-)

CandyKay

I agree with #4. Bank robberies aren't "cute" or "fun" or "exciting".

I work at a bank, and we have to offer psychological services to our employees who have been traumatized by robberies.

Michael Casp

Divulge and explore. Because somebody is going to find your weakness eventually, and you'd better hope they're a good guy.

I think about computer/network security, and the Firefox browser. It is an open source browser that allows any and all to easily find its flaws. It is also one of the most secure internet browsers in town. Coincidence?

Vizeroth

In the IT world, though, there are also questions about how the information is divulged. Normally, if you find a security vulnerability you would divulge it to the people responsible for maintaining that software first, in private, giving them time for a fix before publicizing the vulnerability. To just tell the world there's a weakness in a bank's security without first giving the bank a chance to fix it is opening a can of worms, but of course if the bank doesn't take it seriously, or tries to prevent you from divulging the information once they've been given time to fix it, that's another matter.

Not Kirilius

I don't understand the last post. Who asked you to make this your life's work? This exercise is akin to a hobby, kind of like model railroading or writing. Sure, it takes a lot of time. You do it because you love it.

Robin

I think it is a matter of taste to some degree. I think hiding weakness provides some people with a sense of control that isn't present when weakness is out in the open. That said, my personal preference is for openness because I'm curious and always want to see things as they really are.

David Zetland

Yeah -- except that innocent people get killed in bank robberies, people are taking other people's stuff in bank robberies, and bank robbers are not really the Robin Hood types we'd root for.

Let's stick with crimes of passion and corruption and root for the solvers instead of the criminals.

[unless, of course, you're just joking...]

Kirilius

Divulging and exploring my vulnerabilities seems to be the right thing to do because presumably it will lead to a concentrated effort to improve myself by removing these vulnerabilities.

However, this task will take up a lot of time and energy - something I'd rather spend somewhere else. In other words, I don't want to spend my life building walls to protect me.

Of course this does not mean I will pretend I don't see my weaknesses. If I see that I am vulnerable in some way I will use my common sense to try to improve myself in that respect but I will not make this my life quest ;-)

Jimmy

The former, as long as the banks are party to this exploration. (That is, they don't ignore vulnerabilities as they come up)

edel

I had asked myself for years the same question… but I am inclined to think that if we must choose one way or another for every scenario, the “openness” way is preferable.

The IT security professionals have pondered the same question for years too, and the majority is now also for the Open Source way. It is well known among them that some fairly equally attacked proprietary software is more vulnerable than open source software. (No, I was not referring to MS Windows!)

J High

I have a friend who is a detective on a bank robbery task force. His job is to intercept and predict bank robberies. Apparently, robbers are VERY predictable.

But really, if you wanted to get a lot more money, and have little to no criminal charges, just apply for a bunch of credit cards and only partially pay them back. Your credit will take a 7 year hit, but you could net 100,000 - much more than you'll ever get from a bank robbery, and without the criminal charges and high stakes.