Schneier on Security
A blog covering security and security technology.
« Privacy and the "Nothing to Hide" Argument |
| Friday Squid Blogging: Octosquid »
July 13, 2007
Posted on July 13, 2007 at 2:33 PM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
How is this funny?
All you commies do is sneer at the efforts to prevent another 9/11. Well Mr "Expert" how come we haven't had another attack!!
If the President didn't send our boys to kill Saddam and allow easy wiretaps of enemies of the state then we would probably be speaking Arabic by now.
Well go and snigger, but leave the real security to those who deal in facts, not in hippie fantasies.
You know, I read the first post and am still trying to figure out if it's real (though hyperbole) or parody.
How about we assume it was hyperbole and save ourselves the pain of considering the consequences if it's not? :)
I sure hope that was (bad) parody. Otherwise, I just feel sorry for this country, with folks like that actually contributing to the voting masses.
Cute picture btw. Certainly not surprising, but amusing all the same. At least there weren't any popups for Travelocity ;-)
I love the first post... bad day at work, so I really needed this laugh
>but leave the real security to those who deal in facts, not in hippie fantasies
Yeah. Bruce is a hippie. Cause he has a beard, I guess.
Ok, if I follow the logic of the first post, then GWB as prez causes serious terrorist attacks on the WTC. In 1993, there was a terrorist attack on the WTC which killed 6 people. But once GWB was elected, the next WTC attack killed 2603 people.
(Both attacks and the election results are facts.)
The scariest part of the story for me, is the comments on flickr. Its like traveling back in time to an aol chat room circa 1996.
He is an academic, not a hippy. There is a clear and distinct difference.
Reminds me of a few years ago, a couple co-workers and I were waiting for a red-eye to the mid-West and one of the screens for the airline was black with a failed boot. All the details of the network setup were on the screen (remember the old Win3.x and DOS network configs? And, this was pre-9/11, but in 2001!). I thought, hmmm ... note down all the IP's and the displayed settings, and bet I can hack to their servers PDQ. No one seemed concerned then.
Yeah, right, you're safe in the airports and flying those heavier-than-air vehicles.
It's only airport's display of arrivals and departures man. I don't think TSA has anything to do with them
Bruce sneer? That is not what I've seen through this blog.
I see him pointing at clothes that aren't there, and speaking his mind. He does this country a service by doing so, and it'd be doing it a disservice if he was not allowed to do so. I can't imagine a real American who'd deny him his right to say whatever he wished, let alone to enlighten, educate and (in this case), entertain (the photo *was* hilarious).
The first post sounds angry and I'd normally have ignored it. I can't claim to be a real American, as I'm quite frankly a foreigner. Even worse, Arabic is one of the languages I speak (though I think that has more to do with my education than the efforts of terrorists). I do however think that this is a great country, and worthy of all efforts to protect it ... including Bruce's efforts to educate people about a subject in which he is indeed an expert.
I don't know what the story is with the author of the first post. I hope he realizes just how silly it is to imply that somebody means this country harm by voicing opinions on effective security (if he doesn't already). I known first-hand what it's like to suffer a loss due to terrorism, and I'm sorry to have to say this, but it's blind misdirected anger that can be found behind many criminals who carry out acts of violence. It hurt to read that first post, and if that was the author's intent, good for you, it worked. If it wasn't, I apologize. If you simply don't like what you read on this blog, don't read it. If you'd rather it wasn't written, lobby for censorship (it's something called the first amendment that you're probably having an issue with). If you disagree, you're more than welcome to say so and I respect your right to have your opinion (even if I cannot respect your opinion).
I apologize to anyone who wastes their time reading this and feels it's a particularly naive and obvious reply (if I've just "taken the bait").
Geez, guys, have we forgotten what a troll is? ;-)
How dare you folks make fun of the exceptional effort those people but into securing the airport. It's obvious that a so-called heat window isn't needed, everyone knows that Windows is secure by default. The real reason you communists point out so-called security flaws is to help the terrorists, because if it wasn't for the likes of you 9/11 would of never occurred. If you expect the world to be safe if you point out its vulnerabilities, you're nuts. Obviously, you're in league with the French Coalition to Destroy America. America, Fuck Yeah!
(i) Why should an airport arrivals display system be connected to the Internet? Is not an "air gap" is one of best security measures around?
(ii) Does one really need a software firewall and virus checking on a system protected by an air gap?
(iii) Which major computer software supplier has difficulty conceiving of computers not connected to the Internet?
It is trivial to get rid of those "security hints" in Windows. Not getting rid of them if, as you assume, the computer is not connected to a network is just plain lazy. If the person who set up this computer is as thoughtful as this also in other tasks...
BTW, in larger companies the attacks by worms, viruses, and other malware does NOT come "from the internet" but from employees who connect their infected notebooks to the internal network. It isn't necessary that this very computer is connected to the internet. A connection to ANY network is sufficient.
@shoobe01: "Yeah. Bruce is a hippie. Cause he has a beard, I guess."
That's a typical commie straw-man argument. Bruce isn't a hippie because he has a beard. He's a hippie because he's a commie.
FACT: He has long hair.
FACT: He *hides* it in the photo at the top of *every* blog post, by tying it back, to brainwash Americans who don't know the truth.
FACT: He doesn't kiss Dubya's sainted ass.
He's an *obvious* hippie, you're just too blinded by liberal media bias to see it. Wake up and smell the napalm, man, the commies are coming to get all of us. I intend to be ready for them. You need to buy yourself a couple of shotguns and shut the hell up.
Saw couple bluescreens on airport terminals. I am not that frequent flyer, so it is probably pretty common. Putting Windows in place where a stripped down embedded terminal would do the job - using overly complex system where a simple one would do the same job - is begging for trouble.
@A Real American: "...how come we haven't had another attack!!" Did you consider the hypothesis that nobody competent actually tried to attack? In the context of the results of penetration tests (e.g. getting a bomb through while getting a water bottle confiscated) and the overall abysmal performance of "real" security (in comparison with pretend security), this possibility may deserve closer attention.
There almost certainly is not an AIR GAP separating that computer from the internet. The information it shows is likely to come from a database which also feeds traffic information on the airport's website. Thus, in theory, an attack from the network could subvert the website first, then the database, and then the passenger-information-display driver. As these parts are all connected by data-carrying wires (or fibers), there is by definition no "air gap".
It is also not clear to me that there would be any security value in installing a software firewall and virus filter on a dumb box whose only job is to drive an information display. When there is no human user browsing the web, reading email, or doing ANYTHING on the machine, the risk of catching bad code that a software firewall could conceivably help protect against appears to be so small that one must also consider the risk of the software firewall ITSELF being the point of entry for an attack.
The only joke I can see is that the display-driving box runs Windows at all. Windows seems to have a deep-rooted assumption that when any trouble develops, the right course of action is to display a pop-up on the attached monitor and wait for input from the attached keyboard/mouse. This is more or less orthogonal to the fact that the pop-up in this case is a security nag; it could just as well have been "cannot contact database server" or "an update is available, click here to install". On Linux and BSD based systems it is much easier to prevent such things showing up on the monitor (and perhaps even being sent to some appropriate operations center) in situations where the people actually looking at the monitor are not the ones who need to react to trouble with the computer driving it. The fact that Linux and BSD are easier to strip down to the bare minimum of running software (kernel, X server, passenger info application, sshd for remote maintenance) would be a security bonus, of course.
first post comment:
You are with us or you are the enemy. Right thinking, NOT!
I have seen the enemy and we are it.
They should be using Windows Embedded, with only the barebones OS components, database access drivers and the schedule display application. There should not be a software firewall or antivirus installed. Network access should be protected by external hardware routers. Preferably restrict network connections to the MAC address of database server.
A funnier one was seen by yours truly a few years ago at an airport that used a mac for this type of display. It was showing the mac 'bomb'.
(Of course that was pre 911)
Terrorism is like fighting a fire. There are many ways to deal with it. Our approach after 9/11 seems to be putting more water on it to put it out. What Bruce does is point out the true sources of the problem and how to effectively deal with it. His insight is practical and pragmatic with the continued incidents his subject for further investigation and commentary. In the case of fire, we need to know is it caused by gas and would it be better to cut off the source of fuel?
Bruce has been very beneficial to us in the HS industry - we want to deal with terrorism effectively and uphold our values as Americans.
"Report Mainz" reported today about airport-security in Germany. Obviously two reporters (one with a hidden cam) were able to get into freight-areas at the airports of Hamburg, Munich and iirc Frankfurt without any problems. No one asked them for id let alone checked if they'd have something "peculiar" with them.
Sorry, no tv-clip available.
I guess our Secretary of the Interior gorgeous W. Schäuble will propose that innocent citizens should stay at home from tomorrow on, so police could identify terrorist more easily ;)
I am surprised at what a short memory people have. Remember when the skyjacking started in the 60's and 70's and then we got skymarshalls the first time but they were a problem themselves to security and then we forgot about it and rewarded Yasar Arafat with a peace prize and a visit to the white house instead of exterminating him and his ilk? Well now the US likes the cops and robbers game to consolidate their power and control so don't think any of this is anything but a sham of trying.
"It is also not clear to me that there would be any security value in installing a software firewall and virus filter on a dumb box whose only job is to drive an information display."
Seems to me a malicious type could easily snarl up traffic-patterns by changing gate-specifications and flight-times on the display. In the right airport, this could create a backlog throughout the country. Amusing enough by itself, and possibly even "of use" to someone: force a brief drop in airline stock-prices, for example. I'm sure creative types could come up with more-nefarious uses for a national snarl-up of air traffic.
@X the Unknown: The point is not whether anyone might wish to attack the passenger display. The point is whether or not it will make such an attack easier or harder that the passenger display runs a software firewall. I assert that the added risk of running a software firewall (which could itself be attacked if there are bugs in it) in this case is larger than the security it would provide to a single-purpose box with no local user and only minimal software running.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.