Schneier on Security
A blog covering security and security technology.
« Mariposa Botnet Shut Down |
| Friday Squid Blogging: Squid Teapot »
March 5, 2010
Another Interview with Me
I gave this one two days ago, at the RSA Conference.
Posted on March 5, 2010 at 12:53 PM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
In what is either a funny coincidence or a brilliant stroke of contextual advertising, the ad that loaded alongside the interview when I looked at it depicted an online threat as a squid tentacle.
I do think people still fail to grasp that online security is a weakest link problem.
When I was a kid, my parents owned a furniture store, and my mom went in after hours and walked in on a robbery. She got a good look at the guy and he fled.
Scared since she was a witness and may be a target, my mom had the locks changed at home (she was afraid that the culprit may have somehow gotten my dad's back up keys and copied them or something since there was no evidence of forced entry at the store). In any case, it wouldn't have helped much considering our front and back doors had breakable glass. It would have been easy to break a glass in back with no witnesses and unlock the door, or just shoot someone through a window. Nonetheless, it made her feel a bit safer, which alone was probably worth it.
Point being, as Bruce has noted, attackers will take the easy path. Many tend to get tunnel vision and focus on strengthening one real or preceived weakness, and meanwhile attackers exploit anothyer while they are looking the other way.
That last question makes this qualify as "Friday Squid Blogging."
Encryption may not be "the answer" but there really isn't one answer. Encryption can prevent MITM attacks, and is thus part of the answer. Good server security (physical and logical) and good client security (don't click e-mail links saying they're from your bank, run anti-virus scans from a known-good medium like the UBCD4Win, have a good firewall, etc) combined with encryption are the answer. Sadly the server admins often don't care, and the clients pretty much never care/know better.
Seriously... what's with the squid... is it because they have 3 hearts, and that could lend itself to "failing gracefully" with two others to pick up the slack if one should fail or miss a beat? They have eight arms and two tentacles? (an octopus that goes to "11" if you will)
I'll give it to you that they are mysterious and enigmatic, they are probably tasty as well (never tried em)... perhaps your just sharing your curiosity with others on your blog. Do they embody other security traits perhaps?
@Carl "SAI" Mitchell at March 5, 2010 2:18 PM
Good post. There isn't one solution, there are many.
I talked to an acquaintance really that isn't tech savy, and explained why stronger encryption usually doesn't help because the implementation and usage is usually the problem. Imagine the following scenario:
* Front door locked, key under the mat, someone goes in and robs the home blind.
* They respond by changing the locks. Crook comes, gets key from under the mat, and robs them blind.
* They respond by adding a deadbolt, crook comes and gets key from under the mat and robs them blind.
* They respond by adding an alarm, the crook comes, gets key from under the mat, sees disarm code written down under the mat, disarms the alarm and robs them blind.
It could go on and on. Point being, one must fix what is actually exploited. Upping encryption strength does little if it was broken by keystroke logging, SSL won't help if it was stolen insecure at rest, protection of personal information won't help if the fraudster uses legitiate work access to get it, and so on.
Happy squid day.
I have conditioned my eyes to ignore any squid blogging so I don't even notice it anymore. As long as Bruce keeps sharing his wealth of security knowledge pool I am a happy reader:)
Huh? I thought this was a squid blog that happened to also have cryptography posts. ;P
Seriously though, I love coming in to work on monday and reading the squid posts. I think they act as 'bookends' for all of the posts that week, if that makes any sense.
I see you have adapted well to working in Britain.
Mustn't grumble, it all be all right, worse things happen at sea, .....
You're one serious looking dude in that photo. The SSL issue is a bit of "security through obscurity" ... i.e. there is so much online traffic the odds you get hit are minimal. So many stories have come out about hundreds of thousands of credit card numbers being lost when a company's server was hacked that you'd think everyone now knows where the weakest link is. From the "bad guys" point of view he/she has potentially a larger ROI by hacking the web site (100,000+ credit cards) versus hacking an SSL link (1 credit card).
@Petréa Mitchell: I got the same ad. I was amused.
We hear so much about the trade-off between security and privacy, when the real issue is apparently the trade-off between security and squid.
“SSL doesn't matter.”
There have not been eavesdropper or man-in-the middle attacks BECAUSE we use SSL (TLS). If there would be successful attacks against SSL there would surely be more breaches than there are today.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.