May 2008

Dr. Laura, Wikipedia, and computer security--what do they have in common?

People struggling with daunting personal issues are flocking to Dr. Laura's radio show, realizing that others have similar issues. By listening to Dr. Laura's advice, they can help themselves without experiencing the discomfort of self exposure.

The Encylcopedia Britannica never saw it coming. The established queen of knowledge has been outmaneuvered by a chaotic enterprise that goes by the "undignified" name of Wikipedia (sounds like a skin condition). But visitors to any particular topic on the site benefit from the combined wisdom of hundreds of other readers.

Do we have a similar case with computer security, where vulnerabilities are embarrassing, where silence is the preferred strategy, but where the experience of many others could prove useful?

The reason most of us visit the Wikipedia site to learn things is that it draws on the wisdom of crowds, which, as James Surowiecki has shown in his landmark book by that name, has a systemic superiority over any titular sage of the day. For example, I am in the consulting business, but I usually shock my clients when I say, "I can only protect you against a hacker who is dumber than myself. If you are unfortunate enough to be a victim of a hacker who can imagine access pathways to your data thatI never thought of, then you are done for."

I am able to be bold with that self-defeating statement because I quickly add that this limitation applies also to whomever my dear client decides to replace me with. One day, it occurred to me that these juicy cybertargets are usually protected by a single hired consultant like me, while they are being attacked by a worldwide crowd of hackers who quickly and efficiently share their knowledge. Why not devise a way to put that concept to work for the good guys?

From Dr. Laura we can take the notion of the anonymous presentation of issues to be resolved. But she relies on a single-source solution-her own experience, education, and judgment--and we're looking for a network effect when it comes to solutions. For this, we turn to the Wikipedia approach, where we find solutions bubbling up from a stew of contributions from a wide variety of contributors. The result is a new Web site called WeSecure.net, which I am launching jointly with Digital Transactions.

On this new site, anyone can post a computer-security issue for the community to take on. Complete anonymity will be facilitated, if requested. Even the site managers won't know who posted a particular question. The readers of Digital Transactions are well-disposed to appreciate most of those security challenges, perhaps having wrestled with a similar one. Each question will be addressed by the host of the site (I will start the ball rolling, then pass the baton). Readers will be prompted to challenge my solution ideas, and instantly offer their views.

All of these alternatives (minus the frivolous ones) will be posted for all to review. Each posted solution could be elaborated on by another reader, and then confirmed or challenged by more readers. We have developed a fair ranking system to advance the solution ideas that become increasingly popular.

This security-solutions network will handle a wide range of issues. Some could be very common questions. For example, how to minimize the burden of a security dialogue for site visitors without compromising security. Some are very technical: What's the best cipher system to use if you need to memorize your passcode? And a great majority of the issues involve human relationships. In one example, a security officer was approached by a secretary claiming she had had an affair with a married executive in the company, and had overheard him on the phone selling customers' data to someone. The officer suspected a lover's grudge, but could he afford to dismiss this allegation outright?

A posting on WeSecure.net would have given the baffled officer a clear solution idea. As it was, his own teenage daughter gave him the answer. Instead of investigating the executive (and stirring a hornet's nest), he hired a detective who found out that the young woman habitually accuses her former lovers of a host of transgressions.

So visit and contribute to WeSecure.net and help make it a We-Win initiative!