Episteme

Mike's random thoughts and ramblings

Alarmism and Distributed Systems

Early on in the publication of this blog, I got in a few conversations about being alarmist about the possibility of security attacks.

Today, I read an article that nearly made me fall off my chair. The subject is the potential of "identity terrorism" - the article suggests that the next terrorist attack will come from "terrorists armed with computer keyboards, credit cards, and Social Security numbers".

The basic thrust is that terrorists are going to go out and delete a few million identities completely - just wipe a few million people's information from every database on the planet.

How, you ask, are they going to accomplish such a massive, widely distributed hack? From the article:

"what terrorists would have to do is “write a little piece of software, weapons of identity destruction, all sitting on a Web server on the Internet, timed and waiting to go. “"

Sounds pretty simple: All Mr. Evil Terrorist has to do is "write a little piece of software" that breaks in to the online presences of all major banks, government institutions, and financial and insurance companies. While he's at it, why doesn't he "write a little piece of software" that crashes all the airplanes, turns off all of the power and makes all of the food supplies spontaneously combust?

Seriously. The kind of massive coordinated attack that this would require would be beyond the capability of any organization - you would have to compromise so many different locations to actually delete a person's identity that it would be fundamentally impossible.

If you remember, that was the design goal of the internet: by creating massively distributed systems, they become reisistant to an attack that can wipe out the system. A person's identity is a system in the same way. By being distributed widely, the identity is nearly impossible to delete. (Though, like the internet, it's easy to quietly add on additional pieces - that's the idea behind identity theft... I can add things [e.g. a new mortgage] to your identity without you noticing specifically because it's not stored in one place).

What really scares me is that I'm sure someone who read the article is out there implementing all sorts of "anti-weapons-of-identity-destruction" technologies, with a plan to pitch a bunch of VC's later this week.

Share this post

About the author

Michael Murray

Michael Murray