Latest Essays
Security in the Cloud
One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there’s no single point of failure and no assumed single vector for attacks.
It is for this reason that a choice between implementing network security in the middle of the network—in the cloud—or at the endpoints is a false dichotomy. No single security system is a panacea, and it’s far better to do both…
Fighting Fat-Wallet Syndrome
I don’t know about your wallet, but mine contains a driver’s license, three credit cards, two bank ATM cards, frequent-flier cards for three airlines and frequent-guest cards for three hotel chains, membership cards to two airline clubs, a library card, a AAA card, a Costco membership, and a bunch of other ID-type cards.
Any technologist who looks at the pile would reasonably ask: why all those cards? Most of them are not intended to be hard-to-forge identification cards; they’re simply ways of carrying around unique numbers that are pointers into a database. Why does Visa bother issuing credit cards in the first place? Clearly you don’t need the physical card in order to complete the transaction, as anyone who has bought something over the phone or the internet knows. Your bank could just use your driver’s license number as an account number…
Big Risks Come in Small Packages
Some years ago, I left my laptop computer on a train from Washington to New York. Replacing the computer was expensive, but at the time I was more worried about the data.
Of course I had good backups, but now a copy of all my e-mail, client files, personal writings and book manuscripts was … well, somewhere. Probably the drive would be erased by the computer’s new owner, but maybe my personal and professional life would end up in places I didn’t want them to be.
If anything, this problem has gotten worse. Our digital devices have all gotten smaller, while at the same time they’re carrying more and more sensitive information…
Anonymity Won't Kill the Internet
In a recent essay, Kevin Kelly warns of the dangers of anonymity. It’s OK in small doses, he maintains, but too much of it is a problem: “(I)n every system that I have seen where anonymity becomes common, the system fails. The recent taint in the honor of Wikipedia stems from the extreme ease which anonymous declarations can be put into a very visible public record. Communities infected with anonymity will either collapse, or shift the anonymous to pseudo-anonymous, as in eBay, where you have a traceable identity behind an invented nickname.”…
Unchecked Presidential Power
In the weeks after 9/11, while America and the world were grieving, President Bush built a legal rationale for a dictatorship. Then he started using it to avoid the law.
This past Thursday, the New York Times exposed the most significant violation of federal surveillance law in the post-Watergate era. President Bush secretly authorized the National Security Agency to engage in domestic spying, wiretapping thousands of Americans and bypassing the legal procedures regulating this activity.
This isn’t about the spying, although that’s a major issue in itself. This is about the Fourth Amendment protections against illegal search. This is about circumventing a teeny tiny check by the judicial branch, placed there by the legislative branch, placed there 27 years ago—on the last occasion that the executive branch abused its power so broadly…
Uncle Sam is Listening
Bush may have bypassed federal wiretap law to deploy more high-tech methods of surveillance.
When President Bush directed the National Security Agency to secretly eavesdrop on American citizens, he transferred an authority previously under the purview of the Justice Department to the Defense Department and bypassed the very laws put in place to protect Americans against widespread government eavesdropping. The reason may have been to tap the NSA’s capability for data mining and widespread surveillance.
Illegal wiretapping of Americans is nothing new. In the 1950s and ’60s, in a program called “Project Shamrock,” the NSA intercepted every single telegram coming in or going out of the United States. It conducted eavesdropping without a warrant on behalf of the CIA and other agencies. Much of this became public during the 1975 Church Committee hearings and resulted in the now famous Foreign Intelligence Surveillance Act …
Hold the Photons!
How would you feel if you invested millions of dollars in quantum cryptography, and then learned that you could do the same thing with a few 25-cent Radio Shack components?
I’m exaggerating a little here, but if a new idea out of Texas A&M University turns out to be secure, we’ve come close.
Earlier this month, Laszlo Kish proposed securing a communications link, like a phone or computer line, with a pair of resistors. By adding electronic noise, or using the natural thermal noise of the resistors—called “Johnson noise”—Kish can prevent eavesdroppers from listening in…
The Hackers are Coming!
Over the past few years, we have seen hacking transform from a hobbyist activity to a criminal one. Hobbyist threats included defacing web pages, releasing worms that did damage, and running denial-of-service attacks against major networks. The goal was fun, notoriety, or just plain malice.
The new criminal attacks have a more focused goal: profit. This difference makes the new attackers more dangerous and potentially more damaging.
Criminals differ from hobbyists in several respects. One, they care less about finesse. Hobbyist hackers looked for new and clever attacks, while criminals will use whatever works. Hobbyists regularly advertised their presence, while criminals are more likely to be stealthy. Hobbyists generally didn’t care who they attacked, while criminals are more likely to target individual organizations. Criminal attackers are less risk-averse; they’re willing to risk jail, which hobbyists are largely not. As such, criminal attackers will engage in behavior that hobbyists avoid…
Airline Security a Waste of Cash
Since 9/11, our nation has been obsessed with air-travel security. Terrorist attacks from the air have been the threat that looms largest in Americans’ minds. As a result, we’ve wasted millions on misguided programs to separate the regular travelers from the suspected terrorists—money that could have been spent to actually make us safer.
Consider CAPPS and its replacement, Secure Flight. These are programs to check travelers against the 30,000 to 40,000 names on the government’s No-Fly list, and another 30,000 to 40,000 on its Selectee list…
Airplane Security and Metal Knives
This essay also appeared in The Age.
Two weeks ago, Immigration Minister Amanda Vanstone caused a stir by ridiculing airplane security in a public speech. She derided much of post-9/11 airline security, especially the use of plastic knives instead of metal ones, and said “a lot of what we do is to make people feel better as opposed to actually achieve an outcome.”
As a foreigner, I know very little about Australian politics. I don’t know anything about Senator Vanstone, her politics, her policies, or her party. I have no idea what she stands for. But as a security technologist, I agree 100% with her comments. Most airplane security is what I call “security theater”: ineffective measures designed to make people feel better about flying…