Latest Essays

Page 54

Portrait of the Modern Terrorist as an Idiot

  • Bruce Schneier
  • Wired
  • June 14, 2007

The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press.

Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots—and worse, allowing our essential freedoms to be lost by using them as an excuse—is wrong.

The alleged plan, to blow up JFK’s fuel tanks and a small segment of the 40-mile petroleum pipeline that supplies the airport, …

Don't Look a Leopard in the Eye, and Other Security Advice

  • Bruce Schneier
  • Wired
  • May 31, 2007

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don’t run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can’t climb trees. But don’t do that if you’re being chased by an elephant; he’ll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What’s interesting about this advice is how well-defined it is. The defenses might not be terribly effective—you still might get eaten, gored or trampled—but they’re your best hope. Doing something else isn’t advised, because animals do the same things over and over again. These are security countermeasures against specific tactics…

Virginia Tech Lesson: Rare Risks Breed Irrational Responses

  • Bruce Schneier
  • Wired
  • May 17, 2007

Everyone had a reaction to the horrific events of the Virginia Tech shootings. Some of those reactions were rational. Others were not.

A high school student was suspended for customizing a first-person shooter game with a map of his school. A contractor was fired from his government job for talking about a gun, and then visited by the FBI when he created a comic about the incident. A dean at Yale banned realistic stage weapons from the university theaters—a policy that was reversed within a day. And some teachers terrorized…

Testimony before the Senate Judiciary Committee

  • Bruce Schneier
  • May 8, 2007

Testimony of Bruce Schneier
Security technologist, author, founder and CTO of BT Counterpane

“Will REAL ID Actually Make Us Safer?
An Examination of Privacy and Civil Liberties Concerns”

Senate Judiciary Committee
Room 226, Dirksen Senate Office Building
Tuesday, May 8, 2007

STATEMENT

I appreciate the opportunity to appear before the Committee today to discuss privacy issues. My name is Bruce Schneier. I am a security technologist, author, and CTO of BT Counterpane. The expertise I bring to this committee is less in the privacy and civil liberties realms, and more in the security realm. As such, I will focus my comments on the insecurities of the REAL ID system, the ineffectiveness of identity-based security systems, and the need to find smart and effective solutions to new security challenges. I’d like to emphasize at the start that this is an enormously interesting, important, and subtle topic, and I appreciate the decision of the Committee to hold these hearings…

Do We Really Need a Security Industry?

  • Bruce Schneier
  • Wired
  • May 3, 2007

Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?

I mentioned this in an interview with Silicon.com, and the published article …

Nonsecurity Considerations in Security Decisions

  • Bruce Schneier
  • IEEE Security & Privacy
  • May/June 2007

Security decisions are generally made for nonsecurity reasons. For security professionals and technologists, this can be a hard lesson. We like to think that security is vitally important. But anyone who has tried to convince the sales VP to give up her department’s Blackberries or the CFO to stop sharing his password with his secretary knows security is often viewed as a minor consideration in a larger decision. This issue’s articles on managing organizational security make this point clear.

Below is a diagram of a security decision. At its core are assets, which a security system protects. Security can fail in two ways: either attackers can successfully bypass it, or it can mistakenly block legitimate users. There are, of course, more users than attackers, so the second kind of failure is often more important. There’s also a feedback mechanism with respect to security countermeasures: both users and attackers learn about the security and its failings. Sometimes they learn how to bypass security, and sometimes they learn not to bother with the asset at all…

Psychology of Security

  • Bruce Schneier
  • Communications of the ACM
  • May 2007

The security literature is filled with risk pathologies, heuristics that we use to help us evaluate risks. I’ve collected them from many different sources.

Risks of Risks

Exaggerated Risks            Downplayed Risks
Spectacular                  Pedestrian
Rare                         Common
Personified                  Anonymous
Beyond one’s control         More under control
Externally imposed           Taken willingly
Talked about                 Not discussed
Intentional or man-made      Natural
Immediate                    Long-term or diffuse
Sudden                       Evolving slowly over time
Affecting them personally    Affecting others
New and unfamiliar…

Is Big Brother a Big Deal?

  • Bruce Schneier
  • Information Security
  • May 2007

This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus’s side, to which this is a response, can be found on his website.

Big Brother isn’t what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today’s information society looks nothing like Orwell’s world, and watching and intimidating a population today isn’t anything like what Winston Smith experienced.

Data collection in 1984 was deliberate; today’s is inadvertent. In the information society, we generate data naturally. In Orwell’s world, people were naturally anonymous; today, we leave digital footprints everywhere…

How Security Companies Sucker Us With Lemons

  • Bruce Schneier
  • Wired
  • April 19, 2007

More than a year ago, I wrote about the increasing risks of data loss because more and more data fits in smaller and smaller packages. Today I use a 4-GB USB memory stick for backup while I am traveling. I like the convenience, but if I lose the tiny thing I risk all my data.

Encryption is the obvious solution for this problem—I use PGPdisk—but Secustick sounds even better: It automatically erases itself after a set number of bad password attempts. The company makes a bunch of other impressive claims: The product was commissioned, and eventually approved, by the French intelligence service; it is used by many militaries and banks; its technology is revolutionary…

Vigilantism Is a Poor Response to Cyberattack

  • Bruce Schneier
  • Wired
  • April 5, 2007

Last month Marine Gen. James Cartwright told the House Armed Services Committee that the best cyberdefense is a good offense.

As reported in Federal Computer Week, Cartwright said: “History teaches us that a purely defensive posture poses significant risks,” and that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests.”

The general isn’t alone. In 2003, the entertainment industry tried to get a …