Essays Tagged "Guardian"
Page 4 of 5
We Shouldn't Poison Our Minds with Fear of Bioterrorism
Terrorists attacking our food supply is a nightmare scenario that has been given new life during the recent swine flu outbreak. Although it seems easy to do, understanding why it hasn’t happened is important. GR Dalziel, at the Nanyang Technological University in Singapore, has written a report chronicling every confirmed case of malicious food contamination in the world since 1950: 365 cases in all, plus 126 additional unconfirmed cases. What he found demonstrates the reality of terrorist food attacks.
It turns out 72% of the food poisonings occurred at the end of the food supply chain – at home – typically by a friend, relative, neighbour, or co-worker trying to kill or injure a specific person. A characteristic example is Heather Mook of York, who in 2007 tried to kill her husband by putting rat poison in his spaghetti…
How the Great Conficker Panic Hacked into Human Credulity
This essay also appeared in the Gulf Times.
Conficker’s April Fool’s joke—the huge, menacing build-up and then nothing—is a good case study on how we think about risks, one whose lessons are applicable far outside computer security. Generally, our brains aren’t very good at probability and risk analysis. We tend to use cognitive shortcuts instead of thoughtful analysis. This worked fine for the simple risks we encountered for most of our species’s existence, but it’s less effective against the complex risks society forces us to face today.
We tend to judge the probability of something happening on how easily we can bring examples to mind. It’s why people tend to buy earthquake insurance after an earthquake, when the risk is lowest. It’s why those of us who have been the victims of a crime tend to fear crime more than those who haven’t. And it’s why we fear a repeat of 9/11 more than other types of terrorism…
An Enterprising Criminal Has Spotted a Gap in the Market
Before his arrest, Tom Berge stole lead roof tiles from several buildings in south-east England, including the Honeywood Museum in Carshalton, the Croydon parish church, and the Sutton high school for girls. He then sold those tiles to scrap metal dealers.
As a security expert, I find this story interesting for two reasons. First, among attempts to ban, or at least censor, Google Earth, lest it help the terrorists, here is an actual crime that relied on the service: Berge needed Google Earth for reconnaissance.
But more interesting is the discrepancy between the value of the lead tiles to the original owner and to the thief. The Sutton school had to spend £10,000 to buy new lead tiles; the Croydon Church had to repair extensive water damage after the theft. But Berge only received £700 a tonne from London scrap metal dealers…
Blaming The User Is Easy—But It's Better to Bypass Them Altogether
Blaming the victim is common in IT: users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think.
People regularly don’t do things they are supposed to: changing the oil in their cars, going to the dentist, replacing the batteries in their smoke detectors. Why? Because people learn from experience. If something is immediately harmful, ie, touching a hot stove or petting a live tiger, they quickly learn not to do it. But if someone skips an oil change, ignores a computer patch, or …
The Secret Question Is: Why Do IT Systems Use Insecure Passwords?
Since January, the Conficker.B worm has been spreading like wildfire across the internet, infecting the French navy, hospitals in Sheffield, the court system in Houston, Texas, and millions of computers worldwide. One of the ways it spreads is by cracking administrator passwords on networks. Which leads to the important question: why are IT administrators still using easy-to-guess passwords?
Computer authentication systems have two basic requirements. They need to keep the bad guys from accessing your account, and they need to allow you to access your account. Both are important, and every system is a balancing act between the two. Too little security, and the bad guys will get in too easily. But if the authentication system is too complicated, restrictive, or hard to use, you won’t be able, or won’t bother, to use it…
Terrorists May Use Google Earth, But Fear Is No Reason to Ban It
This essay also appeared in The Hindu, Brisbane Times, and The Sydney Morning Herald.
It regularly comes as a surprise to people that our own infrastructure can be used against us. And in the wake of terrorist attacks or plots, there are fear-induced calls to ban, disrupt or control that infrastructure. According to officials investigating the Mumbai attacks, the terrorists used images from Google Earth to help learn their way around. This isn’t the first time Google Earth has been charged with helping terrorists: in 2007, Google Earth images of British military bases were found in the homes of …
Tigers Use Scent, Birds Use Calls—Biometrics Are Just Animal Instinct
Biometrics may seem new, but they’re the oldest form of identification. Tigers recognise each other’s scent; penguins recognise calls. Humans recognise each other by sight from across the room, voices on the phone, signatures on contracts and photographs on drivers’ licences. Fingerprints have been used to identify people at crime scenes for more than 100 years.
What is new about biometrics is that computers are now doing the recognising: thumbprints, retinal scans, voiceprints, and typing patterns. There’s a lot of technology involved here, in trying to both limit the number of false positives (someone else being mistakenly recognised as you) and false negatives (you being mistakenly not recognised). Generally, a system can choose to have less of one or the other; less of both is very hard…
When You Lose a Piece of Kit, the Real Loss Is The Data It Contains
These days, losing electronic devices is less about the hardware and more about the data. Hardly a week goes by without another newsworthy data loss. People leave thumb drives, memory sticks, mobile phones and even computers everywhere. And some of that data isn’t easily replaceable. Sure, you can blame it on personal or organisational sloppiness, but part of the problem is that more and more information fits on smaller and smaller devices.
My primary computer is an ultraportable laptop. It contains every email I’ve sent and received over the past 12 years – I think of it as my backup brain – as well as an enormous amount of personal and work-related documents…
Passwords Are Not Broken, but How We Choose them Sure Is
This essay also appeared in The Hindu.
I’ve been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one. And that’s hard. The best way to explain how to choose a good password is to describe how they’re broken. The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing.
As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously…
Time to Show Bottle and Tackle the Real Issues
This essay also appeared in the Taipei Times.
Airport security found a bottle of saline in my luggage at Heathrow Airport last month. It was a 4oz bottle, slightly above the 100 ml limit. Airport security in the United States lets me through with it all the time, but UK security was stricter. The official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that bottle was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way…
Sidebar photo of Bruce Schneier by Joe MacInnis.