Latest Essays
Page 52
The Psychology of Security (Part 1)
Introduction
Security is both a feeling and a reality. And they’re not the same.
The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it’s not even hard; insurance companies do it all the time…
Steal This Wi-Fi
Whenever I talk or write about my own security setup, the one thing that surprises people—and attracts the most criticism—is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet.
To me, it’s basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it’s both wrong and dangerous.
I’m told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door…
Why "Anonymous" Data Sometimes Isn't
Last year, Netflix published 10 million movie rankings by 500,000 customers, as part of a challenge for people to come up with better recommendation systems than the one the company was using. The data was anonymized by removing personal details and replacing names with random numbers, to protect the privacy of the recommenders.
Arvind Narayanan and Vitaly Shmatikov, researchers at the University of Texas at Austin, de-anonymized some of the Netflix data by comparing rankings and timestamps with public information in the Internet Movie Database…
Caution: Turbulence Ahead
Bruce Schneier and Marcus Ranum look at the security landscape of the next 10 years.
Bruce Schneier
Predictions are easy and difficult. Roy Amara of the Institute for the Future once said: “We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.”
Moore’s Law is easy: In 10 years, computers will be 100 times more powerful. My desktop will fit into my cell phone, we’ll have gigabit wireless connectivity everywhere, and personal networks will connect our computing devices and the remote services we subscribe to. Other aspects of the future are much more difficult to predict. I don’t think anyone can predict what the emergent properties of 100x computing power will bring: new uses for computing, new paradigms of com- munication. A 100x world will be different, in ways that will be surprising…
How Does Bruce Schneier Protect His Laptop Data? With His Fists—and PGP
Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.
Cryptography is an exception. As long as you don’t write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do…
Did NSA Put a Secret Backdoor in New Encryption Standard?
Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.
Generating random numbers isn’t easy, and researchers have discovered lots of …
Cyberwar: Myth or Reality?
This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus’s half is here.
The biggest problems in discussing cyberwar are the definitions. The things most often described as cyberwar are really cyberterrorism, and the things most often described as cyberterrorism are more like cybercrime, cybervandalism or cyberhooliganism—or maybe cyberespionage.
At first glance there’s nothing new about these terms except the “cyber” prefix. War, terrorism, crime and vandalism are old concepts. What’s new is the domain; it’s the same old stuff occurring in a new arena. But because cyberspace is different, there are differences worth considering…
The Death of the Security Industry
The hardest thing about working in IT security is convincing users to buy our technologies. An enormous amount of energy has been focused on this problem—risk analyses, ROI models, audits—yet critical technologies still remain uninstalled and important networks remain insecure. I’m constantly asked how to solve this by frustrated security vendors and—sadly—I have no good answer. But I know the problem is temporary: in the long run, the information security industry as we know it will disappear.
The entire IT security industry is an accident: an artifact of how the computer industry developed. Computers are hard to use, and you need an IT department staffed with experts to make it work. Contrast this with other mature high-tech products such as those for power and lighting, heating and air conditioning, automobiles and airplanes. No company has an automotive-technology department, filled with car geeks to install the latest engine mods and help users recover from the inevitable crashes…
How We Won the War on Thai Chili Sauce
We’ve opened up a new front on the war on terror. It’s an attack on the unique, the unorthodox, the unexpected. It’s a war on different. If you act different, you might find yourself investigated, questioned and even arrested—even if you did nothing wrong, and had no intention of doing anything wrong.
The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.
This isn’t the way counterterrorism is supposed to work, but it’s happening everywhere. It’s a result of our relentless campaign to convince ordinary citizens that they’re the front line of terrorism defense. “If you see something, say something,” is how the …
Economics, Not Apathy, Exposes Chemical Plants To Danger
It’s not true that no one worries about terrorists attacking chemical plants, it’s just that our politics seem to leave us unable to deal with the threat.
Toxins such as ammonia, chlorine, propane and flammable mixtures are constantly being produced or stored in the United States as a result of legitimate industrial processes. Chlorine gas is particularly toxic; in addition to bombing a plant, someone could hijack a chlorine truck or blow up a railcar. Phosgene is even more dangerous. According to the Environmental Protection Agency, there are…
Sidebar photo of Bruce Schneier by Joe MacInnis.