Stealing without taking

If your data is stolen, how do you really know that is was? CNET's Robert Vamosi speaks with Verdasys CTO Dan Geer about data theft.

Verdasys CTO Dan Geer says one of the problems with data theft is that it has nothing in common with our current attitudes toward possession and loss. I recently talked with Geer about protecting your computer assets, and at one point he started quoting that famous Joni Mitchell line, "You don't know what you've got till it's gone."

(Data theft) is one place where our intuition about physical objects and our intuition about data can't be the same.

If I steal your car, you are likely to notice. Or putting it differently, if I have your whatever it is, your car, then you don't. This is, I think, technically called an exclusion principle.

But, that's one characteristic of the physical world that does not apply to the digital world in as much as I can have your data and you do too. The fact that I can have it and you do too means at least, as a matter of logic, that if I steal it you will not have evidence that it is gone unless you stumble over it being misused somewhere.

With respect to the TJX firm, I believe that's in fact what was happening; they were finding evidence in misuse. With respect to the loss of e-mail addresses from Ameritrade, they discovered that people who had used an e-mail address that was fabricated purely for the purpose of being used at Ameritrade, ended up showing up in other places. Therefore (the e-mail) had to have been stolen, and you know where it came from.

There are many examples like this where just because I took your data doesn't mean you lost a thing. It's only when I misuse it--and unless you are in a position to see this misused, strictly speaking--you won't know it's gone. Which is, again, different than your car, your lawn mower, the pillow under your head at night, or anything. That's both a challenge and an interesting problem.

You can hear more of my interview with Geer in this Security Bites podcast.

Tags:
Security
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Galleries from CNET
    Tech industry's high-flying 2014
    Uber's tumultuous ups and downs in 2014 (pictures)
    The best and worst quotes of 2014 (pictures)
    A roomy range from LG (pictures)
    This plain GE range has all of the essentials (pictures)
    Sony's 'Interview' heard 'round the world (pictures)