Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Blamestorming

Blamestorming

  • Comments 4
  • Likes

So, let's recap the sequence of events:

  1. The Sun-Sentinel newspaper in Fort Lauderdale accidentally republishes a six-year-old news story about the bankruptcy of UAL. It wasn't on the home page, but instead buried somewhere inside the web site.
  2. Google's news crawler (an automated thing, remember) finds the story and incorporates it as part of its news feed.
  3. Investors see the story, and immediately react. When UAL's stock plunged 76% to a low of $3, Nasdaq shut down trading. Eventually trading resumed, and the stock closed at just under $11, losing about 11%.
  4. United blamed Tribune Company (the owner of the Sun-Sentinel) for "irresponsibly" changing the date on the story and demanded a retraction.
  5. Tribune Company blamed Google, claiming they've had issues with Google's crawler "for months."

Who will blame be shifted to next?

Look -- if people haven't realized by now that the Internet pretty much lacks a delete function, then (IMNSHO) it becomes the requirement of each and every one of us to pay close attention to what we're reading, to use our own big brains and fine-tuned bullshit detectors to suss out whether something makes sense.

Since this is my blog, I'm going to parcel out blame the way I see it:

  • United: 0%. If the concept of "negative blame" made any sense, then I'd actually write −∞ (that's a negative infinity, in case your character set is different than mine).
  • Google: 5%. How can an automated crawler know that a newly-dated story isn't really new? Well, those folks over there at Google are smart. Certainly it shouldn't be that difficult to compare a "new" article against existing ones. Content hashes won't work as a comparison tool, because the date would be included in the hash computation, thus making the hashes different anyway. Full-text comparisons? Sure, it would take a lot of horsepower. Perhaps not every "new" story needs comparison, but at least the crawler could submit to the comparator any stories that ought to be verified (say those with the word "bankruptcy" in them).
  • Tribune Company: 30%. Hey guys, you changed the date on the article. Don't go blaming someone else for your screw-up.
  • Investors: 65%. If you're using an automated news aggregator (remember, an aggregator is not a source of news) to make major financial decisions -- decisions that affect the livelihoods of thousands (maybe millions) of people -- well, you're a moron. You should know that incorrect information can be just as instantly available as correct information. Verify potentially damaging claims before engaging in reckless behavior.

What's this got to do with security? I don't know, maybe nothing directly related. But it certainly raises the question -- what if someone intentionally wanted to cause nearly permanent damage to a person or a corporation? Malicious content, disguised as "news," certainly seems to have become a potentially successful attack vector this week.

Worried about a social engineering attack on a massive scale? I suspect that what happened Monday (8 September) was the largest social engineering attack in history -- although I wouldn't classify it as intentionally malicious. Just you wait until the idea spreads.

Comments
  • Hey Steve,

    I read this story too, but you missed out a critical step which involved human error... Somebody at Bloomberg who scans the news headlines on various sites, saw the story on Google News and then posted it onto the Bloomberg wire which gets fed straight into the terminals of the Wall St traders. So when the traders saw the story, it was supposedly from a trusted source, and also removed from all previous context - so that's why they started bailing. So I'd say the 65% blame you gave investors would be split 50% to the clerk at Bloomberg that posted the story, and 15% to the traders. A quick phone call from any of the humans involved would have sorted it out pretty quick.

    Cheers - Stuart.

  • I heard that the blame should go to you and your montize buddy Scott. However this was from a feed and the details were a but fuzzy. :)

  • This kind of thing really makes you wonder how easy it would be to affect the US economy through running a serious of bogus stories to make investers react a certain way. I'm with you Steve...wouldn't you check the integrity of a story before acting on the information???

  • The good news is United did recover, although not back to the original share price, so they still have some work to do.  It terms of what it has to do with security, I suppose it's a good example of integrity, all it takes is some incorrect information to make it to the destination without sufficient validation and there is a serious issue. Security is all about the human element as much as it's about the bits and bytes moving around near the speed of light. I don't think there should be any blame for what is seemly a simple but expensive mistake, it could have been a lot bigger, so better it happens now while the impact is manageable and considering the state of the global economy we did ok. The focus should be on process or self improvement, I believe finger pointing and blaming is often a waste energy, finding the moment in time that set off the sequence of events won’t change the past and in some cases won’t make the current situation any less painless but it can be used to alter the future hopefully for the better.

    CB

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment