Latest Essays

Who says safe computing must remain a pipe dream?

  • Bruce Schneier
  • CNET News.com
  • December 9, 2004

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, “Nothing—you’re screwed.”

But that’s not true, and the reality is more complicated. You’re screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security…

Desktop Google Finds Holes

  • Bruce Schneier
  • eWeek
  • November 29, 2004

Last month, Google released a beta version of its desktop search software: Google Desktop Search. Install it on your Windows machine, and it creates a searchable index of your data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. It’s a great idea. Windows’ searching capability has always been mediocre, and Google fixes the problem nicely.

There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser’s cache. This allows it to find old Web pages you’ve visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages…

Profile: "hinky"

  • Bruce Schneier
  • Boston Globe
  • November 24, 2004

ON DEC. 14, 1999, Ahmed Ressam tried to enter the United States from Canada at Port Angeles, Wash. He had a suitcase bomb in the trunk of his car. A US customs agent, Diana Dean, questioned him at the border. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” Ressam’s car was eventually searched, and he was arrested.

It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But it worked. The reason there wasn’t a bombing at Los Angeles International Airport around Christmas 1999 was because a trained, knowledgeable security person was paying attention…

What's Wrong With Electronic Voting Machines?

  • Bruce Schneier
  • OpenDemocracy
  • November 9, 2004

In the aftermath of the American presidential election on 2 November 2004, electronic voting machines are again in the news. Computerised machines lost votes, subtracted votes, and doubled some votes too. And because many of these machines have no paper audit trails, a large number of votes will never be counted.

While it is unlikely that deliberate voting-machine fraud changed the result of this presidential election, the internet is buzzing with rumours and allegations in a number of different jurisdictions and races. It is still too early to tell if any of these problems affected any individual state’s election, but the next few weeks will reveal whether any of the information crystallises into something significant…

Getting Out the Vote

Why is it so hard to run an honest election?

  • Bruce Schneier
  • San Francisco Chronicle
  • October 31, 2004

Four years after the Florida debacle of 2000 and two years after Congress passed the Help America Vote Act, voting problems are again in the news: confusing ballots, malfunctioning voting machines, problems over who’s registered and who isn’t. All this brings up a basic question: Why is it so hard to run an election?

A fundamental requirement for a democratic election is a secret ballot, and that’s the first reason. Computers regularly handle multimillion-dollar financial transactions, but much of their security comes from the ability to audit the transactions after the fact and correct problems that arise. Much of what they do can be done the next day if the system is down. Neither of these solutions works for elections…

Information Security: How Liable Should Vendors Be?

  • Bruce Schneier
  • Computerworld
  • October 28, 2004

An update to this essay was published in ENISA Quarterly in January 2007.

Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to endure. We pay for it when we have to buy security products and services to reduce those other two losses. We pay for security, year after year.

The problem is that all the money we spend isn’t fixing the problem. We’re paying, but we still end up with insecurities…

The Security of Checks and Balances

  • Bruce Schneier
  • The Sydney Morning Herald
  • October 26, 2004

Much of the political rhetoric surrounding the US presidential election centers around the relative security posturings of President George W. Bush and Senator John Kerry, with each side loudly proclaiming that his opponent will do irrevocable harm to national security.

Terrorism is a serious issue facing our nation in the early 21st century, and the contrasting views of these candidates are important. But this debate obscures another security risk, one much more central to the US: the increasing centralisation of American political power in the hands of the executive branch of the government…

Outside View: Security at the World Series

  • Bruce Schneier
  • UPI
  • October 22, 2004

The World Series is no stranger to security. Fans try to sneak into the ballpark without tickets or with counterfeit tickets. Often foods and alcohol are prohibited from being brought into the ballpark, to enforce the monopoly of the high-priced concessions.

Violence is always a risk: both small fights and larger-scale riots that result from fans from both teams being in such close proximity—like the one that almost happened during the sixth game of the American League Championship Series.

Today, the new risk is terrorism. Security at the Olympics cost $1.5 billion. Some $50 million each was spent at the Democratic and Republican conventions on security. There has been no public statement about the security bill for the World Series, but it’s reasonable to assume it will be impressive…

Bigger Brother

  • Bruce Schneier
  • The Baltimore Sun
  • October 4, 2004

The Baltimore housing department has a new tool to find homeowners who have been building rooftop decks without a permit: aerial mapping. Baltimore bought aerial photographs of the entire city and used software to correlate the images with databases of address information and permit records. Inspectors have just begun knocking on doors of residents who built decks without permission.

On the face of it, this is nothing new. Police always have been able to inspect buildings for permit violations. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to automatically document every building code violation in any city. What’s different isn’t the police tactic but the efficiency of the process…

Does Big Brother want to watch?

  • Bruce Schneier
  • International Herald Tribune
  • October 4, 2004

Since the terrorist attacks of 2001, the Bush administration—specifically, the Department of Homeland Security—has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century…
