Latest Essays

Do Terror Alerts Work?

  • Bruce Schneier
  • The Rake
  • October 2004

How would we know? An essay by one of the world’s busiest security experts.

As I read the litany of terror threat warnings that the government has issued in the past three years, the thing that jumps out at me is how vague they are. The careful wording implies everything without actually saying anything. We hear “terrorists might try to bomb buses and rail lines in major U.S. cities this summer,” and there’s “increasing concern about the possibility of a major terrorist attack.” “At least one of these attacks could be executed by the end of the summer 2003.” Warnings are based on “uncorroborated intelligence,” and issued even though “there is no credible, specific information about targets or method of attack.” And, of course, “weapons of mass destruction, including those containing chemical, biological, or radiological agents or materials, cannot be discounted.”…

The Non-Security of Secrecy

  • Bruce Schneier
  • Communications of the ACM
  • October 2004

Considerable confusion exists between the different concepts of secrecy and security, which often causes bad security and surprising political arguments. Secrecy usually contributes only to a false sense of security.

In June 2004, the U.S. Department of Homeland Security urged regulators to keep network outage information secret. The Federal Communications Commission requires telephone companies to report large disruptions of telephone service, and wants to extend that to high-speed data lines and wireless networks. DHS fears that such information would give cyberterrorists a “virtual road map” to target critical infrastructures…

Saluting the data encryption legacy

  • Bruce Schneier
  • CNET News.com
  • September 27, 2004

The Data Encryption Standard, or DES, was a mid-’70s brainchild of the National Bureau of Standards: the first modern, public, freely available encryption algorithm. For over two decades, DES was the workhorse of commercial cryptography.

Over the decades, DES has been used to protect everything from databases in mainframe computers, to the communications links between ATMs and banks, to data transmissions between police cars and police stations. Whoever you are, I can guarantee that many times in your life, the security of your data was protected by DES…

Academics locked out by tight visa controls

  • Bruce Schneier
  • San Jose Mercury News
  • September 20, 2004

U.S. Security Blocks Free Exchange of Ideas

Cryptography is the science of secret codes, and it is a primary Internet security tool to fight hackers, cyber crime, and cyber terrorism. CRYPTO is the world’s premier cryptography conference. It’s held every August in Santa Barbara.

This year, 400 people from 30 countries came to listen to dozens of talks. Lu Yi was not one of them. Her paper was accepted at the conference. But because she is a Chinese Ph.D. student in Switzerland, she was not able to get a visa in time to attend the conference…

City Cops' Plate Scanner is a License to Snoop

  • Bruce Schneier
  • New Haven Register
  • September 19, 2004

New Haven police have a new law enforcement tool: a license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars and links with remote police databases, immediately providing information about the car and owner. Right now the police check if there are any taxes owed on the car, if the car or license plate is stolen, and if the car is unregistered or uninsured. A car that comes up positive is towed.

On the face of it, this is nothing new. The police have always been able to run a license plate. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What’s different isn’t the police tactic, but the efficiency of the process…

Security Information Management Systems: Solution, or Part of the Problem?

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2004

We in the computer security industry are guilty of over-hyping and under-delivering. Again and again, we tell customers that they need to buy this or that product in order to be secure. Again and again, customers buy the products and are still not secure.

Firewalls didn’t keep out network attackers, and ignored the fact that the notion of “perimeter” is severely flawed. Intrusion detection systems didn’t keep networks safe, and worms and viruses do considerable damage despite the prevalence of anti-virus products. Intrusion prevention systems are being hyped as the new solution, but we all know that they won’t prevent intrusions…

We Owe Much to DES

  • Bruce Schneier
  • eWeek
  • August 30, 2004

It was a historic moment when, last month, the National Institute of Standards and Technology proposed withdrawing the Data Encryption Standard as an encryption standard.

DES has been the most popular encryption algorithm for 25 years. Developed at IBM, it was chosen by the National Bureau of Standards (now NIST) as the government-standard encryption algorithm in 1976. Since then, it has become an international encryption standard and has been used in thousands of applications, despite concerns about its short key length.

In 1972, the NBS initiated a program to protect computer and communications data that included a standard encryption algorithm. IBM submitted an algorithm that used simple logical operations on small groups of bits and could be implemented efficiently in mid-1970s hardware. The algorithm’s key strength comes from an S-box, a nonlinear table-lookup specified by strings of constants…

How Long Can the Country Stay Scared?

  • Bruce Schneier
  • Minneapolis Star Tribune
  • August 27, 2004

Want to learn how to create and sustain psychosis on a national scale? Look carefully at the public statements made by the Department of Homeland Security.

Here are a few random examples: “Weapons of mass destruction, including those containing chemical, biological or radiological agents or materials, cannot be discounted.” “At least one of these attacks could be executed by the end of the summer 2003.” “These credible sources suggest the possibility of attacks against the homeland around the holiday season and beyond.”

The DHS’s threat warnings have been vague, indeterminate, and unspecific. The threat index goes from yellow to orange and back again, although no one is entirely sure what either level means. We’ve been warned that the terrorists might use helicopters, scuba gear, even cheap prescription drugs from Canada. New York and Washington, D.C., were put on high alert one day, and the next day told that the alert was based on information years old. The careful wording of these alerts allows them not to require any sound, confirmed, accurate intelligence information, while at the same time guaranteeing hysterical media coverage. This headline-grabbing stuff might make for good movie plots, but it doesn’t make us safer…

Olympic Security

  • Bruce Schneier
  • The Sydney Morning Herald
  • August 26, 2004

If you’re watching the Olympic games on television, you’ve already seen the unprecedented security surrounding the 2004 Games. You’ve seen shots of guards and soldiers, and gunboats and frogmen patrolling the harbors.

But there’s a lot more security behind the scenes. Olympic press materials state that there is a system of 1250 infrared and high-resolution surveillance cameras mounted on concrete poles. Additional surveillance data is collected from sensors on 12 patrol boats, 4000 vehicles, 9 helicopters, four mobile command centres, and a blimp…

U.S. 'No-Fly' List Curtails Liberties

Intended as a counterterrorism tool, it doesn't work and tramples on travelers' rights

  • Bruce Schneier
  • Newsday
  • August 25, 2004

Imagine a list of suspected terrorists so dangerous that we can’t ever let them fly, yet so innocent that we can’t arrest them – even under the draconian provisions of the Patriot Act.

This is the federal government’s “no-fly” list. First circulated in the weeks after 9/11 as a counterterrorism tool, its details are shrouded in secrecy.

But, because the list is filled with inaccuracies and ambiguities, thousands of innocent, law-abiding Americans have been subjected to lengthy interrogations and invasive searches every time they fly, and sometimes forbidden to board airplanes…
