Latest Essays
Page 42
Fixing a Security Problem Isn't Always the Right Answer
An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting an evacuation of a terminal and flight delays that continued into the next day. This problem isn’t common, but it happens regularly. The result is always the same, and it’s not obvious that fixing the problem is the right solution.
This kind of security breach is inevitable, simply because human guards are not perfect. Sometimes it’s someone going in through the out door, unnoticed by a bored guard. Sometimes it’s someone running through the checkpoint and getting lost in the crowd. Sometimes it’s an open door that should be locked. Amazing as it seems to frequent fliers, the perpetrator often doesn’t even know he did anything wrong…
Profiling Makes Us Less Safe
There are two kinds of profiling. There’s behavioral profiling based on how someone acts, and there’s automatic profiling based on name, nationality, method of ticket purchase, and so on. The first one can be effective, but is very hard to do right. The second one makes us all less safe. The problem with automatic profiling is that it doesn’t work.
Terrorists don’t fit a profile and cannot be plucked out of crowds by computers. They’re European, Asian, African, Hispanic, and Middle Eastern, male and female, young and old. Umar Farouk Abdul Mutallab was Nigerian. Richard Reid, the shoe bomber, was British with a Jamaican father. Germaine Lindsay, one of the 7/7 London bombers, was Afro-Caribbean. Dirty bomb suspect Jose Padilla was Hispanic-American. The 2002 Bali terrorists were Indonesian. Timothy McVeigh was a white American. So was the Unabomber. The Chechen terrorists who blew up two Russian planes in 2004 were female. Palestinian terrorists routinely recruit “clean” suicide bombers, and have used unsuspecting Westerners as bomb carriers…
Security and Function Creep
View or Download in PDF Format
Security is rarely static. Technology changes the capabilities of both security systems and attackers. But there’s something else that changes security’s cost/benefit trade-off: how the underlying systems being secured are used. Far too often we build security for one purpose, only to find it being used for another purpose—one it wasn’t suited for in the first place. And then the security system has to play catch-up.
Take driver’s licenses, for example. Originally designed to demonstrate a credential—the ability to drive a car—they looked like other credentials: medical licenses or elevator certificates of inspection. They were wallet-sized, of course, but they didn’t have much security associated with them. Then, slowly, driver’s licenses took on a second application: they became age-verification tokens in bars and liquor stores. Of course the security wasn’t up to the task—teenagers can be extraordinarily resourceful if they set their minds to it—and over the decades driver’s licenses got photographs, tamper-resistant features (once, it was easy to modify the birth year), and technologies that made counterfeiting harder. There was little value in counterfeiting a driver’s license, but a lot of value in counterfeiting an age-verification token…
Is Aviation Security Mostly for Show?
Last week’s attempted terror attack on an airplane heading from Amsterdam to Detroit has given rise to a bunch of familiar questions.
How did the explosives get past security screening? What steps could be taken to avert similar attacks? Why wasn’t there an air marshal on the flight? And, predictably, government officials have rushed to institute new safety measures to close holes in the system exposed by the incident.
Reviewing what happened is important, but a lot of the discussion is off-base, a reflection of the fundamentally wrong conception most people have of terrorism and how to combat it…
Cold War Encryption is Unrealistic in Today's Trenches
Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still.
The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren’t “hacked”—the insurgents can’t control them—but because the downlink is unencrypted, they can watch the same video stream as the coalition troops on the ground.
The naive reaction is to ridicule the military. Encryption is …
Virus and Protocol Scares Happen Every Day—But Don't Let Them Worry You
An SSL security flaw got bloggers hot and bothered, but it's the vendors who need to take action
Last month, researchers found a security flaw in the SSL protocol, which is used to protect sensitive web data. The protocol is used for online commerce, webmail, and social networking sites. Basically, hackers could hijack an SSL session and execute commands without the knowledge of either the client or the server. The list of affected products is enormous.
If this sounds serious to you, you’re right. It is serious. Given that, what should you do now? Should you not use SSL until it’s fixed, and only pay for internet purchases over the phone? Should you download some kind of protection? Should you take some other remedial action? What?…
News Media Strategies for Survival for Journalists
Those of us living through the Internet-caused revolution in journalism can’t see what’s going to come out the other side: how readers will interact with journalism, what the sources of journalism will be, how journalists will make money. All we do know is that mass-market journalism is hurting, badly, and may not survive. And that we have no idea how to thrive in this new world of digital media.
I have five pieces of advice to those trying to survive and wanting to thrive: based both on experiences as a successful Internet pundit and blogger, and my observations of others, successful and unsuccessful. I’ll talk about writing, but everything I say applies to audio and video as well…
Reputation is Everything in IT Security
In the past, our relationship with our computers was technical. We cared what CPU they had and what software they ran. We understood our networks and how they worked. We were experts, or we depended on someone else for expertise. And security was part of that expertise.
This is changing. We access our email via the web, from any computer or from our phones. We use Facebook, Google Docs, even our corporate networks, regardless of hardware or network. We, especially the younger of us, no longer care about the technical details. Computing is infrastructure; it’s a commodity. It’s less about products and more about services; we simply expect it to work, like telephone service or electricity or a transportation network…
"Zero Tolerance" Really Means Zero Discretion
Recent stories have documented the ridiculous effects of zero-tolerance weapons policies in a Delaware school district: a first-grader expelled for taking a camping utensil to school, a 13-year-old expelled after another student dropped a pocketknife in his lap, and a seventh-grader expelled for cutting paper with a utility knife for a class project. Where’s the common sense? the editorials cry.
These so-called zero-tolerance policies are actually zero-discretion policies. They’re policies that must be followed, no situational discretion allowed. We encounter them whenever we go through airport security: no liquids, gels or aerosols. Some workplaces have them for sexual harassment incidents; in some sports a banned substance found in a urine sample means suspension, even if it’s for a real medical condition. Judges have zero discretion when faced with mandatory sentencing laws: three strikes for drug offences and you go to jail, mandatory sentencing for statutory rape (underage sex), etc. A national restaurant chain won’t serve hamburgers rare, even if you offer to sign a waiver. Whenever you hear “that’s the rule, and I can’t do anything about it”—and they’re not lying to get rid of you—you’re butting against a zero discretion policy…
Nature’s Fears Extend to Online Behavior
This essay also appeared in Dark Reading.
It’s hard work being prey. Watch the birds at a feeder. They’re constantly on alert, and will fly away from food—from easy nutrition—at the slightest movement or sound. Given that I’ve never, ever seen a bird plucked from a feeder by a predator, it seems like a whole lot of wasted effort against a small threat.
Assessing and reacting to risk is one of the most important things a living creature has to deal with. The amygdala, an ancient part of the brain that first evolved in primitive fishes, has that job. It’s what’s responsible for the fight-or-flight reflex. Adrenaline in the bloodstream, increased heart rate, increased muscle tension, sweaty palms; that’s the amygdala in action. You notice it when you fear a dark alley, have vague fears of terrorism, or worry about predators stalking your children on the Internet. And it works fast, faster than consciousnesses: show someone a snake and their amygdala will react before their conscious brain registers that they’re looking at a snake…
Sidebar photo of Bruce Schneier by Joe MacInnis.