Schneier on Security

Its not a bug, its an undocumented feature.

Bruce,

Once again Marcus Ranum has shown he is way ahead of you. He commented on this back Feb of 2004.
http://www.ranum.com/security/homeland_security/...

Here's the direct url:
http://www.ranum.com/security/homeland_security/...

Thanks for the Ranum link. I added it to the post.

"Cold" war? Sounds quite hot enough to me. If a foreign nation did this to the USA or the UK, I know our governments would call it "terrorism". This is a good example of the relative nature of ethics when it comes to international relations.

@Tom -
The report is that information or equipment was compromised and then passed to agents who thought they were stealing the real thing. If the reverse happened to the US, you'd never hear about it, because we'd never admit having stolen the technology.

The ethics of this policy are confusing. Giving out disinformation is one thing, but having people get killed because we deliberately introduced safety defects is another.

Hmm, it this not the normal way of shipping SW? At least the SW I get from shops is always full of bugs.

It this the reason, why there is no way of getting compensation for malfunctioning SW?

The US definitely has a two faced policy.
While I wouldn't refer to the pipeline as terrorism (though know doubt Bush would if it was done to the US), it certainly could be considered an act of war, and it wouldn't be unreasonable for Russia to ask for reparations.
The US has a very two faced view of policies. If the US wants to do it is good. If other countries want to do the same thing it is bad.
For example complaining about Iran's attempt to develop nuclear weapons as a deterent to attack (by the US no less) while the US is actively developing new tactical nukes that it intends on using offensively in the war on terror.

@Martin

I don't believe anyone died from this, at least according to my reading of the article. I agree though that the ethics are confusing (or the lack thereof.) I don't think it is quite the same as terrorism though. If we heard that Usama wanted to steal (steal being the operative word here, as that is what the Soviets were doing), some technology from us to make some terrible weapon, and so we purposely fed him information that caused him to be killed, would we be terrorizing him? Maybe terrorism is a word like liberal which has garnered a bad connotation, even though it's original meaning is neutral or good. Like, did we terrorize the Nazi's during WWII by bombing them night and day. Well sure, but it's not automatically evil because of that word. Maybe I'm rambling...

Did anyone die in that explosion?

>Did anyone die in that explosion?

http://www.taipeitimes.com/News/editorials/...

Farewell stayed secret because the blast in June 1982, estimated at three kilotons, took place in the Siberian wilderness, with no casualties known.

we could have just as dropped a few million copies of dos 1.1 and let soviets try make that dandy work !!!
Probably would have been cheaper

>Did anyone die in that explosion?

http://www.fcw.com/fcw/articles/2004/0426/...

While there were no physical casualties from the pipeline explosion, there was significant damage to the Soviet economy.

Josh: The rules and laws around war declarations changes things. So, bombing arbitrary German cities may be morally wrong during WWII (depending on the circumstances and how much you want to argue the point) but it cannot be considered "terrorism" by any stretch of that word's meaning.

The argument can be made that an act of war made outside of the legal meaning of war can be framed as a terrorist action. Not so for "legal" wartime activities by one combatant on another.

If no one died when the world's largest non-nuclear explosion was set off by a purposely introduced software timebomb, then this is only luck. Of course, knowing the Soviets, who knows if they actually reported real numbers. Same would go for the US government, naturally.

One question I have is did the Canadian country who provided the timebomb know (at any level) they were doing so? Did the Canadian government?

I liked the line: "Our science was supporting their national defense."

The Bush regime has an answer to this: put a stop to our science.

Ranum, whatever, it's still interesting. I read about this in the RISKS forum several years ago.

From the MSNBC report:
"In time the Soviets came to understand that they had been stealing bogus technology..."

Regarding the pipeline problem, I am not sure what the point is with the comments here. It is not like they actually bought the software with some expectation of quality/guarantee. The linked articles stated they STOLE the technology. Seems they got what they deserved.

See, there can be dangers in pirating software.

That what they get for stealing....

@ Theif

I am not going to say that I disagree with you, but I know that your argument, when applied to protection of my home, does not permit me to install potentially lethal booby traps.

I will say that I believe that it is a valid discussion/debate to have in a public forum.

@ranum-fan:

What is this, a competition? Does it bother you that Schneier does so much better than Ranum?

Maybe you are Ranum himself?

Any link to Chernobyl? I've heard there's a debate over whether it was caused by design flaws, operator error, or a combination. Maybe software fits in there somewhere.

So the DoD should not be allowed to use the RIMM, too much information in the hands of the Canadians. And there probably is a lot of Chinese manufacturing in the unit too.

>Maybe you are Ranum himself?
Uhh, no. Marcus always posts as himself.

>Does it bother you that Schneier does so much better than Ranum?

Uhh, how do you measure better?
Book sales, Bruce does better.
Influence on technology, I think Marcus has a larger impact.
Cryptography, Bruce has a larger impact.
Influence on security developers, I would give it a tie.
Involvement in security organizations and the influence of those organizations, that would go to Marcus (IMHO)

So please how do you measure who does "better".

>What is this, a competition?
Yes, a friendly one. They have had a friendly rivalry for a while.

See the following:

"I don't always agree with everything Marcus says..." from Bruce
http://www.schneier.com/blog/archives/2005/09/...

""Monoculture" - it sounds very cool, I want one!! Oh, wait, I'm told I don't - by none other than a concerned group of security industry luminaries including my long-time associates and friends Dan Geer and Bruce Schneier."
http://www.ranum.com/security/computer_security/...

I think Bruce took it well and was gracious in his reply. But for the record (as my name hints) I usully side with Marcus arguments more then Bruce's.

> Any link to Chernobyl?

Design and operation were both at fault. The design did not resemble a western one and was old in 1986 - comfortably predating Reagan.

Intentional "bugs" are nothing new.

Here's story from my blog about MiGs, the 6-day war, and malfunctioning valves:

http://www.opinionatedbastard.com/archives/...

"The design did not resemble a western one and was old in 1986 -
comfortably predating Reagan."

That's true for the design of the reactor, but what about the software in, say, the warning and control systems? That seems like an area they might change things without calling it a different design. Some of it would be dependent on the reactor design, but some wouldn't.

I'm just speculating. I think it was the newest reactor that melted down while older ones of the same design didn't. (I may be wrong on that.) Was the reactor that melted down built after '82?

I've heard that when the Soviet was building the Concorde-ski (Tu-144), they stole secret design data which was deliberately crippled by the west.

I wonder if they've improved the "nsakey" for the next version of Windows.

Call me old fashioned but I always think "Oh not another whopper" when I here stuff from the Regan era,

Do you rmember StarWars, and a couple of Ronnies ScFI Writer friends claiming it was all just a plan to bring about the end of the cold war?

These days I just look at the cost/complexity and usually decide that infact what they are claiming is just window dressing to try and make a monumental and expensive policy cockup appear the work of a missunderstood genius....