Latest Essays
Page 47
When You Lose a Piece of Kit, the Real Loss Is The Data It Contains
These days, losing electronic devices is less about the hardware and more about the data. Hardly a week goes by without another newsworthy data loss. People leave thumb drives, memory sticks, mobile phones and even computers everywhere. And some of that data isn’t easily replaceable. Sure, you can blame it on personal or organisational sloppiness, but part of the problem is that more and more information fits on smaller and smaller devices.
My primary computer is an ultraportable laptop. It contains every email I’ve sent and received over the past 12 years – I think of it as my backup brain – as well as an enormous amount of personal and work-related documents…
Why Obama Should Keep His BlackBerry—But Won't
When he becomes president, Barack Obama will have to give up his BlackBerry. Aides are concerned that his unofficial conversations would become part of the presidential record, subject to subpoena and eventually made public as part of the country’s historical record.
This reality of the information age might be particularly stark for the president, but it’s no less true for all of us. Conversation used to be ephemeral. Whether face-to-face or by phone, we could be reasonably sure that what we said disappeared as soon as we said it. Organized crime bosses worried about phone taps and room bugs, but that was the exception. Privacy was just assumed…
America's Next Top Hash Function Begins
You might not have realized it, but the next great battle of cryptography began this month. It’s not a political battle over export laws or key escrow or NSA eavesdropping, but an academic battle over who gets to be the creator of the next hash standard.
Hash functions are the most commonly used cryptographic primitive, and the most poorly understood. You can think of them as fingerprint functions: They take an arbitrary long data stream and return a fixed length, and effectively unique, string. The security comes from the fact that while it’s easy to generate the fingerprint from a file, it’s infeasible to go the other way and generate a file given a fingerprint…
Passwords Are Not Broken, but How We Choose them Sure Is
This essay also appeared in The Hindu.
I’ve been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one. And that’s hard. The best way to explain how to choose a good password is to describe how they’re broken. The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing.
As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously…
CRB Checking
Since the UK’s Criminal Records Bureau (CRB) was established in 2002, an ever-increasing number of people are required to undergo a “CRB check” before they can interact with children. It’s not only teachers and daycare providers, but football coaches, scoutmasters and Guiders, church volunteers, bus drivers, and school janitors—3.4 million checks in 2007, 15 million since 2002. In 2009, it will include anyone who works or volunteers in a position where he or she comes into contact with children: 11.3 million people, or a quarter of the adult population…
Time to Show Bottle and Tackle the Real Issues
This essay also appeared in the Taipei Times.
Airport security found a bottle of saline in my luggage at Heathrow Airport last month. It was a 4oz bottle, slightly above the 100 ml limit. Airport security in the United States lets me through with it all the time, but UK security was stricter. The official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that bottle was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way…
Quantum Cryptography: As Awesome As It Is Pointless
Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life.
The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg’s uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance alerts legitimate users as to the eavesdropper’s presence. No disturbance, no eavesdropper—period.
This month we’ve seen reports on a new working quantum-key distribution …
Why Society Should Pay the True Costs of Security
It’s not true that no one worries about terrorists attacking chemical plants. It’s just that our politics seem to leave us unable to deal with the threat. Toxins such as ammonia, chlorine, propane and flammable mixtures are being produced or stored as a result of legitimate industrial processes. Chlorine gas is particularly toxic; in addition to bombing a plant, someone could hijack a chlorine truck or blow up a railcar. Phosgene is even more dangerous. And many chemical plants are located in places where an act of sabotage – or an accident – could threaten thousands of people…
The Seven Habits of Highly Ineffective Terrorists
Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we’re ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place.
Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the “strategic” model of terrorism, and it’s basically an economic model. It posits that people resort to terrorism when they believe—rightly or wrongly—that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It’s assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf…
Does Risk Management Make Sense?
This essay appeared as the first half of a point-counterpoint with Marcus Ranum. Marcus’s half is here.
We engage in risk management all the time, but it only makes sense if we do it right.
“Risk management” is just a fancy term for the cost-benefit tradeoff associated with any security decision. It’s what we do when we react to fear, or try to make ourselves feel secure. It’s the fight-or-flight reflex that evolved in primitive fish and remains in all vertebrates. It’s instinctual, intuitive and fundamental to life, and one of the brain’s primary functions…
Sidebar photo of Bruce Schneier by Joe MacInnis.