Latest Essays
Page 59
The Scariest Terror Threat of All
For a while now, I have been writing about our penchant for “movie-plot threats”—terrorist fears based on very specific attack scenarios.
Terrorists with crop-dusters, terrorists exploding baby carriages in subways, terrorists filling school buses with explosives—these are all movie-plot threats. They’re good for scaring people, but it’s just silly to build national security policy around them.
But if we’re going to worry about unlikely attacks, why can’t they be exciting and innovative ones? If Americans are going to be scared, shouldn’t they be scared of things that are really scary? “Blowing up the Super Bowl” is a movie plot, to be sure, but it’s …
Make Vendors Liable for Bugs
Have you ever been to a retail store and seen this sign on the register: “Your purchase free if you don’t get a receipt”? You almost certainly didn’t see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: It works best when you align interests with capability.
If you’re a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner—who was presumably elsewhere in the store—that an employee was handling money…
We're Giving Up Privacy and Getting Little in Return
Better to Put People, Not Computers, in Charge of Investigating Potential Plots
Collecting information about every American’s phone calls is an example of data mining. The basic idea is to collect as much information as possible on everyone, sift through it with massive computers, and uncover terrorist plots. It’s a compelling idea, and convinces many. But it’s wrong. We’re not going to find terrorist plots through systems like this, and we’re going to waste valuable resources chasing down false alarms. To understand why, we have to look at the economics of the system.
Data mining works best when you’re searching for a well-defined profile, a reasonable number of attacks per year, and a low cost of false alarms. Credit-card fraud is one of data mining’s success stories: All credit-card companies mine their transaction databases for data for spending patterns that indicate a stolen card…
The Eternal Value of Privacy
Finnish translation
French translation [#1]
French translation [#2]
German translation
Italian translation
Japanese translation
Polish translation
Portuguese translation
Spanish translation
The most common retort against privacy advocates—by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures—is this line: “If you aren’t doing anything wrong, what do you have to hide?”
Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these—as right as they are—is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect…
Everyone Wants to 'Own' Your PC
When technology serves its owners, it is liberating. When it is designed to serve others, over the owner’s objection, it is oppressive. There’s a battle raging on your computer right now—one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It’s the battle to determine who owns your computer.
You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it’s doing behind the scenes…
The Anti-ID-Theft Bill That Isn't
California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.
Except that it won’t do the same thing: The federal bill has become so watered down that it won’t be very effective. I would still be in favor of it—a poor federal law is better than none—if it didn’t also pre-empt more-effective state laws, which makes it a net loss.
Identity theft is the fastest-growing area of crime. It’s badly named—your identity is the one thing that cannot be stolen—and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit…
Why VOIP Needs Crypto
There are basically four ways to eavesdrop on a telephone call.
One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it’s the easiest. While it doesn’t work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.
Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line’s path—even outside the home. This used to be the way the police eavesdropped on your phone line. These days it’s probably most often used by criminals. This method doesn’t work for cell phones, either…
Is User Education Working?
This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus’s side can be found on his website.
Marcus, you ignorant slut.
Okay; that’s unfair. You’re not ignorant. You understand technology and security. You’ve spent years steeping in the stuff. You’re fluent in computers – and most importantly – in computer security.
The average users are not. They might be fluent in spreadsheets, or eBay, or sending stupid jokes over e-mail; but they’re not technologists, let alone security people. So of course they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile…
Let Computers Screen Air Baggage
It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. It makes you wonder why we’re all putting our laptops in a separate bin and taking off our shoes. (Although we should all be glad that Richard Reid wasn’t the “underwear bomber.”)
The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it’s going to slip past the screeners pretty easily. The explosive material won’t show up on the metal detector, and the associated electronics can look benign when disassembled. This isn’t even a new problem. It’s widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces…
Your Vanishing Privacy
Over the past 20 years, there’s been a sea change in the battle for personal privacy.
The pervasiveness of computers has resulted in the almost constant surveillance of everyone, with profound implications for our society and our freedoms. Corporations and the police are both using this new trove of surveillance data. We as a society need to understand the technological trends and discuss their implications. If we ignore the problem and leave it to the “market,” we’ll all find that we have almost no privacy left.
Most people think of surveillance in terms of police procedure: Follow that car, watch that person, listen in on his phone conversations. This kind of surveillance still occurs. But today’s surveillance is more like the NSA’s model, recently turned against Americans: Eavesdrop on every phone call, listening for certain keywords. It’s still surveillance, but it’s wholesale surveillance…
Sidebar photo of Bruce Schneier by Joe MacInnis.