Latest Essays
Page 61
The Hackers are Coming!
Over the past few years, we have seen hacking transform from a hobbyist activity to a criminal one. Hobbyist threats included defacing web pages, releasing worms that did damage, and running denial-of-service attacks against major networks. The goal was fun, notoriety, or just plain malice.
The new criminal attacks have a more focused goal: profit. This difference makes the new attackers more dangerous and potentially more damaging.
Criminals differ from hobbyists in several respects. One, they care less about finesse. Hobbyist hackers looked for new and clever attacks, while criminals will use whatever works. Hobbyists regularly advertised their presence, while criminals are more likely to be stealthy. Hobbyists generally didn’t care who they attacked, while criminals are more likely to target individual organizations. Criminal attackers are less risk-averse; they’re willing to risk jail, which hobbyists are largely not. As such, criminal attackers will engage in behavior that hobbyists avoid…
Airline Security a Waste of Cash
Since 9/11, our nation has been obsessed with air-travel security. Terrorist attacks from the air have been the threat that looms largest in Americans’ minds. As a result, we’ve wasted millions on misguided programs to separate the regular travelers from the suspected terrorists—money that could have been spent to actually make us safer.
Consider CAPPS and its replacement, Secure Flight. These are programs to check travelers against the 30,000 to 40,000 names on the government’s No-Fly list, and another 30,000 to 40,000 on its Selectee list…
Airplane Security and Metal Knives
This essay also appeared in The Age.
Two weeks ago, Immigration Minister Amanda Vanstone caused a stir by ridiculing airplane security in a public speech. She derided much of post-9/11 airline security, especially the use of plastic knives instead of metal ones, and said “a lot of what we do is to make people feel better as opposed to actually achieve an outcome.”
As a foreigner, I know very little about Australian politics. I don’t know anything about Senator Vanstone, her politics, her policies, or her party. I have no idea what she stands for. But as a security technologist, I agree 100% with her comments. Most airplane security is what I call “security theater”: ineffective measures designed to make people feel better about flying…
The Erosion of Freedom
Spying tools are now routinely used against ordinary, law-abiding Americans who have no connection to terrorism.
Christmas 2003, Las Vegas. Intelligence hinted at a terrorist attack on New Year’s Eve. In the absence of any real evidence, the FBI tried to compile a real-time database of everyone who was visiting the city. It collected customer data from airlines, hotels, casinos, rental car companies, even storage locker rental companies. All this information went into a massive database—probably close to a million people overall—that the FBI’s computers analyzed, looking for links to known terrorists. Of course, no terrorist attack occurred and no plot was discovered: The intelligence was wrong…
Real Story of the Rogue Rootkit
It’s a David and Goliath story of the tech blogs defeating a mega-corporation.
On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent—if it’s loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn’t know it.
The Sony code modifies Windows so you can’t tell it’s there, a process called “cloaking” in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can’t be removed; trying to get rid of it …
Fatal Flaw Weakens RFID Passports
In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5 percent negative. In response, the final State Department regulations, issued last week, contain two features that attempt to address security and privacy concerns. But one serious problem remains.
Before I describe the problem, some context on the surrounding controversy may be helpful. RFID chips are passive, and broadcast information to any reader that queries the chip. So critics, myself …
The Zotob Storm
View or Download in PDF Format
If you’ll forgive the possible comparison to hurricanes, Internet epidemics are much like severe weather: they happen randomly, they affect some segments of the population more than others, and your previous preparation determines how effective your defense is.
Zotob was the first major worm outbreak since MyDoom in January 2004. It happened quickly—less than five days after Microsoft published a critical security bulletin (its 39th of the year). Zotob’s effects varied greatly from organization to organization: some networks were brought to their knees, while others didn’t even notice…
Sue Companies, Not Coders
At a security conference last week, Howard Schmidt, the former White House cybersecurity adviser, took the bold step of arguing that software developers should be held personally accountable for the security of the code they write.
He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits.
To understand the difference, it’s necessary to understand the basic economic incentives of companies, and how businesses are affected by liabilities. In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software—extra developers, fewer features, longer time to market—against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales…
A Sci-Fi Future Awaits the Court
At John Roberts’ confirmation hearings last week, there weren’t enough discussions about science fiction. Technologies that are science fiction today will become constitutional questions before Roberts retires from the bench. The same goes for technologies that cannot even be conceived of now. And many of these questions involve privacy.
According to Roberts, there is a “right to privacy” in the Constitution. At least, that’s what he said during his Senate hearings last week. It’s a politically charged question, because the two decisions that established the right to contraceptives and abortion—Griswold v. Connecticut (1965) and Roe v. Wade (1973)—are based in part on a right to privacy. “Where do you stand on privacy?” can be code for “Where do you stand on abortion?”…
Sidebar photo of Bruce Schneier by Joe MacInnis.