Schneier on Security

Home Secretary John Reid sweeps.

Finally, something Microsoft is good at.

Interesting post! To add more fuel to this, earlier this morning I had a conversation with the Director of Risk Management and Security for a very well known satellite company over a security issue I discovered in their authentication. This security issue reveals username and passwords for their users. With this security hole an unscrupulous person can get account information, billing data, serial numbers for satellite equipment, and of course the subscription service. The response I received from the Director was comical. "If this issue is the least of my worries, I can sleep just fine. I have more important security concerns that keep me up at night." I’m glad I’m not a customer of this company, their arrogance and lack of concern for personal customer data is overwhelming. If this person worked for my company and had such disregard, I’d ask for a resignation. What is sadder is that this is not an isolation insolent; I’ve had several conversations like this with other large companies.

Austin Kauffman
Security Research

It'd be great if they could merge this with the "Information Security Executive of the Year" awards: http://www.infosecaward.com/

Im voting for Sourcefire.

A security company that tries to spy on it competitors and goes through all the trouble to make a fake web businesses and contact its competitors about evaluating their products yet is so dumb that there actually use real Sourcefire information in the DNS record.

Hands down winner of the Most Inexplicably Stupid Award!

Surely the NSA will get an honourable mention for their domestic spying under the thin veil of "security".

Spying is used for breaking security, not testing or providing security.

I had not read the 2003 entries before

Mother made to drink her own breast milk
Packet of "Gunpoweder tea" opened; tea allowed but packet confiscated
Soldiers allowed personal firearms but made to check in knives
And many others!

And I thought paranoia was recent!

Silly me.

Paranoid

@TMR- got a reference for the Sourcefire incident?

A person was required remove a t-shirt that had Arabic writings on it before allowed to board a plane: http://www.parkerstudio.com/AAW/JFK_story.html

@uninformed
Im sure you could Google but this when to the Information Security mailing list

By Nick Booth
14 June 2006

SECURITY FIRMS must be ruthlessly cunning and intelligent to stay
ahead of the fiendish legions of hackers, crackers and cunning con
artists they constantly warn us about.

Or so you'd think.

But not if this recent example of 'intelligence' is typical.

All companies keep tabs on the opposition. Usually, they employ
competitive intelligence companies, who use all kinds of dirty tricks
to find out about rival's products, their marketing strategies and the
incentives offered to resellers.

A typically fiendish scam would be to set up a phoney head hunting
agency, then invite everyone that matters, at the target firm, for an
"off the record" interview. Flattered by the attention, most CTOs and
marketing directors are only too pleased to boast of the projects
they're working on, the budgets they're in charge of and how many
people are under them.

This information is all tabulated, and sold for hundreds of thousands
of dollars, to the client. Clients like to outsource this furtive
behaviour so they can distance themselves from it if they get caught.

Very cunning. Some security firms are slightly less sophisticated, it
seems.

When security vendor Countersnipe launched its latest product, it
expected a few bogus enquiries from its rivals. But a request from an
outfit calling themselves Ychange seemed genuine enough.

'Jeff' from Ychange saw a demo and was so impressed he promised to
show the product to Superluminal, his financial services client, which
was just gagging to place a multi-million dollar order.

But a quick Whois check revealed that Superluminal's web site was
owned by one of Countersnipe's rivals, Sourcefire. Perhaps Sourcefire
didn't think anyone else would know about this new-fangled Internet
thing.

"This has to be the least sophisticated attempt at spying I've ever
seen," laughed Countersnipe's Amar Rathore, "I wouldn't mind, but
they're a security firm, for God's sake. You'd think they'd know some
cleverer tricks than that."

Sourcefire was unavailable for comment.

The spineless us congress for Most Egregiously Stupid Award, Most Inexplicably Stupid Award, Most Flagrantly Intrusive Award and Most Stupidly Counter Productive Award for allowing the continued perversions of the DMCA to threaten people, and jail them, for conducting research into data protection measures that would otherwise be guaranteed protection by the first amendment.
http://www.eff.org/IP/DMCA/unintended_consequences.php

The abominations, that is.

In Charlotte yesterday, I was informed that I could bring my salad on the plane, but only if I dumped the dressing on the salad first. Of course, I could have just put the salad and dressing in a paper bag and walked right in. The person in front of me, however, was able to walk in with his Cinnabon and tub of extra icing because Cinnabon goo was not on USAirways gate agents' list of banned substances.

The terrorists are making us stupider.

Now accustomed to the frantic excavation of my pockets and parsels into plastic bins- removing laptops and electronics from their prophilactic canvas bags, cell phone, change, etc. into a dish garnished with my keys, and removing my shoes as I crossed a threshold into sacred space- I had just finished my ritualistic passenger self-pat-down when I nearly collided with the man in front of me. The amateur! The Neophite! I filled my lungs. But before I could imbue my sigh with indignation and schadenfreude to- let's be honest- demonstrate to the impatient blonde behind me that it was not I who had interrupted the frantic procession, I realized the man had mastered the incantation, but the priests of the checkpoint were uncertain if he sought to profane the temple with his Boston Cremes.

After submitting his fried pastries to an x-ray scan, no fewer than eight TSA employees were gathered around the box, stroking their chins, and debating: do we confiscate only the liquid-filled donuts? What of the powdered, jelly-filled? Surely something that has both white powder and liquid is contraband, but what of icing? After about ten minutes, the man received all his donuts- the screeners had tired of the debate- and I continued to my flight, secure both in my person and my knowledge that my safety was certain.

I'll point out to those wrestling with finding someone to report a security issue _to_ - that insurance companies are usually very very interested in what kinds of risks their customers take. Now figuring out who insures that sattelite company that Austin Kauffman was referring to might be harder.

Business intelligence, anyone?
-r.

BTW, Stupid Security is also a web site, that has been up for years now (and been mentioned in Crypto-Gram). See http://www.stupidsecurity.com/. Tell 'em I sent ya!

This is pretty egregious ...
http://thedailywtf.com/forums/thread/88714.aspx

It's not a surprise to most that airport security is smoke and mirrors, an act to fool the traveling public into thinking they are safe. The real threat comes from the backside of the airport, the baggage handlers, fuelers, aircraft cleaners, that never go through security. They have the ability to place a weapon onboard an aircraft for use at a future time. Each aircraft is suppossed to be inspected each morning before going into service but it is a half-hearted effort on the part of those that are assigned this task as it is a burden and time consuming ordeal that takes time away from their real tasks. As passengers we can only hope that the pilots are armed and have kept their training current. There is no doubt that a terrorist with a weapon to the head or throat of a flight attendant will gain access to the cockpit. We just have to hope that the pilot(s) will not think twice about firing their weapons.

This is one of the most productive contests you can think of!
There are so many possible nominees for all of these awards... The most stupid thing about government/business security is that they always put most of their energy in 'smoke screens', aimed at preventing some particular scenarios that have happened before... What makes them think that the attackers will use exactly the same method of assault again?
Instead of learning from previous events and finding a true, practical way of reducing the risks, they just put up more bureaucracy and more inconveniences on the citizens, and leaving huge security holes unchecked...

This is one of the most productive contests you can think of!
There are so many possible nominees for all of these awards... The most stupid thing about government/business security is that they always put most of their energy in 'smoke screens', aimed at preventing some particular scenarios that have happened before... What makes them think that the attackers will use exactly the same method of assault again?
Instead of learning from previous events and finding a true, practical way of reducing the risks, they just put up more bureaucracy and more inconveniences on the citizens, and leaving huge security holes unchecked...
http://conspil.com