Bruce Schneier
Schneier on Security

A blog covering security and security technology.

April 29, 2006

Security in Comics: Missing the Threat

Attackers are adaptable.

Posted on April 29, 2006 at 10:53 AM • 12 Comments

David Donahue • April 29, 2006 2:03 PM

Cute cartoon, but in reality of course, they would have simply broken into a neighbor's garbage.

There is a value to overt overkill in a front line defence, deterrence. However, this doesn't work if you are being specifically targeted, only if you are "one of a pack". That's why these impressive front line defences work against most burglars and muggers, but do not work against assassins or (for countries) terrorists.

Assassins will not choose another victim because it's convenient or easier. Terrorists will not choose another country/target group because some points of their defence are well/over defended.

This is what comes from using simple personal analogies (burglars/muggers) for security versus actually thinking through the attacker's complex motivations and likely actions to achieve what their goals may be.

Sun Tzu said (from memory) "know yourself and know your opponent, and you will be victorious in every battle".

It would seem to me that if you choose to ignore your actual vulnerabilities and don't wish to think about what your opponent will likely do, you are doomed to failure.

Sadly there is a lot of this going on these days and we are fortunate that our attackers aren't pressing the attack locally.

Unixronin • April 29, 2006 5:09 PM

Extremely perceptive, David. We need people who think that way in Washington DC.

Andrew • April 30, 2006 12:53 AM

Attacker modes and motives vary. So do defensive strategies.

There is such a thing as too much security creating a new vulnerability. You need to be prepared for threats ranging from the mild to the extreme, but spending too much time on preventing sniper attack is very embarrassing when your protectee dies of a heart attack and his bodyguards didn't know CPR . . .

Criminologists identified displacement theory many, many moons ago. You don't have to have security good enough to keep out criminals -- you just need to have better security than your neighbors.

Gentlemen, start your engines. Arms race, anyone?

Geoff Lane • April 30, 2006 1:40 AM

There was a saying, "Generals are always fighting the previous war." Meaning that the first response is always one that was known to work in the past, which may or may not be useful in current conditions.

Sadly, we now see the same error being made within homeland security in many countries. Unless an airline with extraordinarily bad security is discovered, the next major attack will not be via aircraft, yet that seems to be the start and end of thinking in many parts of government.

We saw the effect of a small number of bombs on public transport within London. This resulted in clueless politicians calling for "airport style" security checks on the underground and buses.

With this level of stupidity we are all doomed.

simple • April 30, 2006 8:47 AM

What happened to the one time use credit card number that's been around since 2000?

Cenk Kaan ORNEK • April 30, 2006 5:11 PM

Unfortunately, this does not happen only in cartoons. Sadly, I see it in company environments also. Almost everyone is resistant to change, even if the way they do things is hard or costly. It is likely that we will experience many such cases in the future.

JakeS • May 1, 2006 3:41 AM

@Jim Dermitt:

solution • May 1, 2006 7:52 AM

@Jim Dermitt - The answer is to use an offline encryption device (there are many of them) not connected to the OS. Any solution that is connected to the OS has been hackable. The "one time use credit card number" (google for more information) combined with the offline card reader will solve the problems: Authentication (Card Present, Multi-Factor), Personal information never transmitted over Internet, and no third party data storage. No need to educate on phishing, key logging, etc. Personal information is safe because it never leaves you.

Alun Jones • May 1, 2006 11:03 AM

"Better security than your neighbour" only works if your neighbour's garbage smells as good as yours. If yours smells better - if what you're protecting has greater value to your attackers - you have to have significantly better security.

linnen • May 1, 2006 11:05 AM

The displacement bit reminds me of some of the jokes heard while camping. These are the ones with the punch-line, "I don't have to run faster than the wolves / climb higher than the cougar, I just have to run faster / climb higher than you."

breath • May 1, 2006 6:31 PM

It is impossible to defend against terrorism. The only way to defeat terrorists is to eliminate their need or their ability to continue.

You eliminate their need by succumbing to their demands.

You eliminate their ability by either killing each and every one of them or by having their own social structure: in which they hide, nurture and feed themselves and their ideas: deem their terroristic practices are no longer beneficial/acceptable.

You must win the people.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.