(2010-06-17) Am I evil? Or why evil people won't say yes

There's an old riddle that I've heard told in many different ways. Here's my version:

"Assume you're surfing to three web sites and want to know which you can trust. Youve been told that Good sites have a banner certifying them as malware free. They will never spread malware and everything they say is true. Bad sites always spread malware and will never have a banner stating otherwise. They always lie. And then there are sites that may or may not have a banner and may or may not spread malware. They randomly lie and and tell the truth.

Of those three sites one site will always say the truth, one will always lie and one will be truthful or lying depending on who's controlling it.

Site 1 has a banner stating "This site is always malware free"
Site 2 states has no banner but states that "Site 1 is indeed always malware free"
Site 3 states "you may be attacked by me or maybe I'm malware free."

Which is which?"
(The answer is in the bottom of the post)

If only life was this simple. But its not like Im making this up. There are plenty of banners certifying sites as safe, secure, family safe or whatever. There are lots of sites out there making no claims of being either and then off course sites saying that we take no responsibility for what people publish here. Then there are sites claiming things about other sites. So, the old knights and knaves riddle is not totally wrong as a metaphor. The problem is: which is which? That is a riddle that cannot be solved so easily.

The solution that works best is the web of trust-model. You do it all the day. When you hear about a new brand, you ask your friends if its any good. You may buy a magazine, whose reviewers you trust. Maybe you buy some of the new brands cheaper products just to see if its good without spending cash on a risk. Your gut-feeling can tell you about it.

On the Internet its harder, but not by any means impossible. Links from a site you trust will probably not point to untrustworthy sites. But what about links from those sites? For every jump away from the centre of trust, the risk increases. Brand recognition can help you. Tieto is trustworthy, so tieto.com should be fine. But if you get an email from an unknown source, telling you to go to the new patch site for Tieto servers which is located at pathes-tieto.trust-me.nu, you will probably be a bit more skeptical.

For every day that passes, bad guys find new ways to abuse trust. The whole idea of phishing is based on the fact that you can look trustworthy by looking like someone everyone trusts. Wolves in sheep-skins do exist outside the story books, Im afraid.

Then there are even more insidious ways to abuse trust. Links encoded to look like they point to a site but really goes somewhere else. And someone figured out a way to abuse UTF in IDN-domain names by using an obscure letter that looked like an A and then registering domain names with well known brand names where the a was replaced with thats right the obscure letter. So a user surfing to citibank.com may still get tricked.

And the list goes on and on. The attacks often targets weaknesses in software, but as patches and better security designs comes along, the human behind the key board becomes a more useful target.

The only way we can solve this is to apply skepticism and thinking about how to validate trust. In a perfect world, white listing everything would make everything better. That is, only allow people to do what is deemed safe. This cannot be done here, as its against the nature of the Internet. Doing it on the users computers can work, but users will complain about the annoying do you want this program to access the internet prompts. Bruce Schneier recently wrote an article about it. 2) I like it, because he writes what Ive thought about for many years: is blacklisting (like Antivirus software does) still a good solution? Still the world is not perfect, so we have to decide how to decrease our own risk and how to act to protect others.

But to wrap it up: Im pretty sure about one thing, censoring the Internet or putting up block lists is a poor solution. Prosecution of hackers, spammers and other cyber-criminals is probably better spent money. We cannot protect people from themselves, but we can teach them a more secure behavior when theyre surfing. Teach a man how to fish (and how not to get phished) and all of that, you know.

Answer to the riddle
Site 3 cannot always be malware free because it says it can have malware sometimes. It can't be truthful, since it's claiming to be random. A truthful system would never do that.

Site 2 cannot be malware free because it claims that another site is malware free. If it were truthful, then both site 1 and 2 would be truthful. If it was lying then both site 1 and 2 would be lying.

Site 1 is therefore malware free.

Which site is bad and which is random?

Site 2 is actually saying something that is true, so it must be the site randomly lying and randomly telling the truth. This leaves site 3 as the liar.


1) http://en.wikipedia.org/wiki/IDN_homograph_attack

The unicode way to bypass spam filters:

2) Cryptogram for November 2009, Is Antivirus dead?

Tags: Ethics
Posted: 2010-06-17 by Erik Zalitis
Changed: 2010-06-17 by Erik Zalitis

News archive