Latest Essays
Page 67
Slouching Towards Big Brother
Last week the Supreme Court let stand the Justice Department’s right to secretly arrest noncitizen residents.
Combined with the government’s power to designate foreign prisoners of war as “enemy combatants” in order to ignore international treaties regulating their incarceration, and their power to indefinitely detain U.S. citizens without charge or access to an attorney, the United States is looking more and more like a police state.
Since the Sept. 11 attacks, the Justice Department has asked for, and largely received, additional powers that allow it to perform an unprecedented amount of surveillance of American citizens and visitors. The USA Patriot Act, passed in haste after Sept. 11, started the ball rolling…
Fingerprinting Visitors Won't Offer Security
Imagine that you’re going on vacation to some exotic country.
You get your visa, plan your trip and take a long flight. How would you feel if, at the border, you were photographed and fingerprinted? How would you feel if your biometrics stayed in that country’s computers for years? If your fingerprints could be sent back to your home country? Would you feel welcomed by that country, or would you feel like a criminal?
This month the U.S. government began giving such treatment to an expected 23 million visitors to the United States. The US-VISIT program is designed to capture biometric information at our borders. Only citizens of 27 countries who don’t need a visa to enter the United States, mostly Europeans, are exempt. Currently all 115 international airports and 14 seaports are covered, and over the next three years this program will be expanded to cover at least 50 land crossings and also to screen foreigners exiting the country…
Homeland Insecurity
The fact that U.S. intelligence agencies can't tell terrorists from children on passenger jets does little to inspire confidence.
Security can fail in two different ways. It can fail to work in the presence of an attack: a burglar alarm that a burglar successfully defeats. But security can also fail to work correctly when there’s no attack: a burglar alarm that goes off even if no one is there.
Citing “very credible” intelligence regarding terrorism threats, U.S. intelligence canceled 15 international flights in the last couple of weeks, diverted at least one more flight to Canada, and had F-16s shadow others as they approached their final destinations.
These seem to have been a bunch of false alarms. Sometimes it was a case of mistaken identity. For example, one of the “terrorists” on an Air France flight was a child whose name matched that of a terrorist leader; another was a Welsh insurance agent. Sometimes it was a case of assuming too much; British Airways Flight 223 was detained once and canceled twice, on three consecutive days, presumably because that flight number turned up on some communications intercept somewhere. In response to the public embarrassment from these false alarms, the government is slowly leaking information about a particular person who didn’t show up for his flight, and two non-Arab-looking men who may or may not have had bombs. But these seem more like efforts to save face than the very credible evidence that the government promised…
Better get used to routine loss of personal privacy
At a gas station in British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair were able to steal millions before they were caught.
In at least 14 Kinko’s copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords and using them to access and open bank accounts online…
Blaster and the Great Blackout
Ten years ago our critical infrastructure was run by a series of specialized systems, both computerized and manual, on dedicated networks. Today, many of these computers have been replaced with standard mass-market computers connected via the Internet. This shift brings with it all sorts of cost savings, but it also brings additional risks. The same worms and viruses, the same vulnerabilities, the same Trojans and hacking tools that have so successfully ravaged the Internet can now affect our critical infrastructure.
For example, in late January 2003, the Slammer worm knocked out 911 emergency telephone service in Bellevue, Wash. The 911 data-entry terminals weren’t directly connected to the Internet, but they used the same servers that the rest of the city used, and when the servers started to fail (because the connected parts were hit by Slammer), the failure affected the 911 terminals…
Internet Worms and Critical Infrastructure
Did MSBlast cause the Aug. 14 blackout? The official analysis says “no,” but I’m not so sure. A November interim report a panel of government and industry officials issued concluded that the blackout was caused by a series of failures with the chain of events starting at FirstEnergy, a power company in Ohio. A series of human and computer failures then turned a small problem into a major one. And because critical alarm systems failed, workers at FirstEnergy did not stop the cascade, because they did not know what was happening.
This is where I think MSBlast, also known as Blaster, may have been involved…
Festung Amerika
Im Jahr 2004 werden die USA viele Milliarden Dollar für Sicherheit ausgeben. Leider ist das meiste davon zum Fenster herausgeworfen – wirklichen Schutz bringt diese Aufrüstung nicht
VON BRUCE SCHNEIER
Der 11. September 2001 hat ein Trauma hinterlassen. Seit den Terroranschlägen brauchen die Amerikaner das Gefühl von mehr Sicherheit. An Flughäfen wurden Soldaten der Nationalgarde stationiert, an vielen öffentlichen und gewerb-lichen Gebäuden wurden intensi-vere Passkontrollen eingeführt, die Polizei überwacht wichtige Brücken und Tunnels…
Liability changes everything
Computer security is not a problem that technology can solve. Security solutions have a technological component, but security is fundamentally a people problem. Businesses approach security as they do any other business uncertainty: in terms of risk management. Organizations optimize their activities to minimize their cost-risk product, and understanding those motivations is key to understanding computer security today.
It makes no sense to spend more on security than the original cost of the problem, just as it makes no sense to pay liability compensation for damage done when spending money on security is cheaper. Businesses look for financial sweet spots—-adequate security for a reasonable cost, for example—and if a security solution doesn’t make business sense, a company won’t do it…
Airplane Hackers
View or Download in PDF Format
Nathaniel Heatwole is a student at Guilford College. Several times between 7 February and 15 September 2003, he tested airline security. First, he smuggled in box cutters, clay resembling plastic explosives, and bleach simulating bomb-making chemicals through security. Then he hid these things in airplane lavatories, along with notes. Finally, he sent an email to the US Transportation Security Administration (TSA) titled “Information Regarding Six Recent Security Breaches.”
The problem is that the TSA never asked him to test its security. In this same vein, computer networks have been plagued for years by hackers breaking into them. But these people aren’t breaking into systems for profit; they don’t commit fraud or theft. They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and just to see if they can…
Sidebar photo of Bruce Schneier by Joe MacInnis.