Latest Essays
Terror Profiles by Computers Are Ineffective
In September 2002, JetBlue Airways secretly turned over data about 1.5 million of its passengers to a company called Torch Concepts, under contract with the Department of Defense.
Torch Concepts merged this data with Social Security numbers, home addresses, income levels and automobile records that it purchased from another company, Acxiom Corp. All this was to test an automatic profiling system to automatically give each person a terrorist threat ranking.
Many JetBlue customers feel angry and betrayed that their data was shared without their consent. JetBlue’s privacy policy clearly states that “the financial and personal information collected on this site is not shared with any third parties.” Several lawsuits against JetBlue are pending. CAPPS II is the new system designed to profile air passengers—a system that would eventually single out certain passengers for extra screening and bar others from flying altogether. After this incident, Congress delayed the entire CAPPS II air passenger profiling system pending further review…
Outside View: Fixing intelligence
A joint congressional intelligence inquiry has concluded that 9/11 could have been prevented if our nation’s intelligence agencies had shared information better and coordinated more effectively. This is both a trite platitude and a profound prescription.
Intelligence is easy to understand after the fact. With the benefit of hindsight, it’s easy to draw lines from people in flight school here, to secret meetings in foreign countries there, over to interesting tips from informants, and maybe to INS records. Connecting the dots is child’s play.
Doing it before the fact is another matter entirely and, before 9/11, it wasn’t so easy. There’s a world of difference between intelligence data and intelligence information. Some data did, before the fact, point to 9/11, but it was buried in an enormous amount of irrelevant data leading to blind alleys, false conclusions, and innocent people…
CyberInsecurity: The Cost of Monopoly
How the Dominance of Microsoft's Products Poses a Risk to Security
Table of Contents
- 1. Author Listing
- 2. Introduction by Computer & Communications Industry Association (CCIA)
- 3. CyberInsecurity Report
- 4. Biographies of Authors
Authors of the report
Daniel Geer, Sc.D—Chief Technical Officer, @Stake
Charles P. Pfleeger, Ph.D—Master Security Architect, Exodus Communications, Inc.
Bruce Schneier—Founder, Chief Technical Officer, Counterpane Internet Security
John S. Quarterman—Founder, InternetPerils, Matrix NetSystems, Inc.
Perry Metzger—Independent Consultant
Rebecca Bace—CEO, Infidel
Peter Gutmann—Researcher, Department of Computer Science, University of Auckland…
Voting and Technology: Who Gets to Count Your Vote?
Paperless voting machines threaten the integrity of democratic process by what they don't do.
Voting problems associated with the 2000 U.S. Presidential election have spurred calls for more accurate voting systems. Unfortunately, many of the new computerized voting systems purchased today have major security and reliability problems.
The ideal voting technology would have five attributes: anonymity, scalability, speed, audit, and accuracy (direct mapping from intent to counted vote). In the rush to improve the first four, accuracy is being sacrificed. Accuracy is not how well the ballots are counted; it’s how well the process maps voter intent into counted votes and the final tally. People misread ballots, punch cards don’t tabulate properly, machines break down, ballots get lost. Mistakes, even fraud, happen…
The Speed of Security
“The Slammer worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.” (See “Inside the Slammer Worm,” p. 33 of this issue.)

For the six months prior to the Sapphire (or SQL Slammer) worm’s release, the particular vulnerability that Slammer exploited was one of literally hundreds already known. Microsoft had provided a patch, but many ignored it (so many patches, so little time). However, on 25 January 2003 at 05:30 UTC, installing that one patch suddenly became the most important thing system administrators could do to improve their security. A day later, a system administrator could install hundreds of other patches, but no one knows which patch will become the next vitally important one, or when…
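To make the arithmetic behind “doubling every 8.5 seconds” concrete, here is an added example (not code from the essay or from the Slammer paper) that models a random-scanning worm as logistic growth, dI/dt = β·I·(N−I)/N, with β derived from the quoted doubling time. The vulnerable-host count of 75,000 is an assumption chosen for illustration, and `fraction_infected_when_patched` is a hypothetical helper that asks the defender’s question: how much of the population is already compromised by the time a patch rollout could begin?

```python
import math

# Added example (not from the essay): logistic model of a random-scanning worm,
# parameterised from the doubling time quoted above. Host count is an assumption.

DOUBLING_TIME_S = 8.5        # early-phase doubling time quoted for Slammer
VULNERABLE_HOSTS = 75_000    # assumed population size, for illustration only


def growth_rate(doubling_time_s):
    """Per-second exponential rate implied by an early-phase doubling time.

    While almost every scan still lands on an uninfected host, growth is
    exponential: I(t) ~ I0 * exp(beta * t), so beta = ln(2) / T_double.
    """
    return math.log(2) / doubling_time_s


def infected_at(t_s, n_hosts=VULNERABLE_HOSTS, doubling_time_s=DOUBLING_TIME_S, i0=1):
    """Infected hosts after t_s seconds (closed form of dI/dt = beta*I*(N-I)/N)."""
    beta = growth_rate(doubling_time_s)
    return n_hosts / (1 + (n_hosts - i0) / i0 * math.exp(-beta * t_s))


def seconds_to_fraction(frac, n_hosts=VULNERABLE_HOSTS, doubling_time_s=DOUBLING_TIME_S, i0=1):
    """Seconds until `frac` of the population is infected (inverse of infected_at)."""
    beta = growth_rate(doubling_time_s)
    return math.log(frac / (1 - frac) * (n_hosts - i0) / i0) / beta


def fraction_infected_when_patched(patch_delay_s, **kw):
    """Share of hosts already compromised when a rollout that starts
    patch_delay_s seconds after worm release would first take effect.
    (Hypothetical helper; the delay is the defender's reaction time.)"""
    n = kw.get("n_hosts", VULNERABLE_HOSTS)
    return infected_at(patch_delay_s, **kw) / n


if __name__ == "__main__":
    for pct in (0.5, 0.9, 0.99):
        print(f"{int(pct * 100):>2}% infected after {seconds_to_fraction(pct):6.0f} s")
    for delay in (60, 300, 3600):
        print(f"patch starting {delay:5d} s after release finds "
              f"{fraction_infected_when_patched(delay):.1%} already infected")
```

With these parameters the model reaches 90 percent of hosts in under three minutes, faster than the roughly ten minutes observed, because it ignores the fact that the worm’s own scan traffic saturated network links and slowed later infections. The defender-side numbers are the point: a response that starts an hour after release finds essentially every vulnerable host already compromised, which is why the only patch timeline that matters for a worm like this is the one before release.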
Testimony before the Subcommittee on Cybersecurity, Science, and Research and Development
Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.
Hearing on “Overview of the Cyber Problem-A Nation Dependent and Dealing with Risk”
Before the Subcommittee on Cybersecurity, Science, and Research and Development
Committee on Homeland Security
United States House of Representatives
June 25, 2003
2318 Rayburn House Office Building
Mr. Chairman, members of the Committee, thank you for the opportunity to testify today regarding cybersecurity, particularly in its relation to homeland defense and our nation’s critical infrastructure. My name is Bruce Schneier, and I have worked in the field of computer security for my entire career. I am the author of seven books on the topic, including the best-selling Secrets and Lies: Digital Security in a Networked World [1]. My newest book is entitled Beyond Fear: Thinking Sensibly About Security in an Uncertain World [2], and will be published in September. In 1999, I founded Counterpane Internet Security, Inc., where I hold the position of Chief Technical Officer. Counterpane Internet Security provides real-time security monitoring for hundreds of organizations, including several offices of the federal government…
Walls Don't Work in Cyberspace
Internet security is usually described as a fortress, with the good guys inside the wall and the bad guys outside. Network owners buy products to shore up the barrier, on the logic that a stronger wall will give them better security. Flaws in the network are holes in the barricade, patches the mortar that closes them.
This metaphor might have been appropriate 10 years ago, when the Internet was made up of disparate networks that occasionally communicated, but it’s outdated today. There are too many of us, doing too many things, interacting in too many ways. The Internet is more like a town…
Guilty Until Proven Innocent?
In April 2003, the US Justice Department administratively discharged the FBI of its statutory duty to ensure the accuracy and completeness of the National Crime Information Center (NCIC) database. This enormous database contains over 39 million criminal records and information on wanted persons, missing persons, and gang members, as well as information about stolen cars and boats. More than 80,000 law enforcement agencies have access to this database. On average, the database processes 2.8 million transactions each day…
American Cyberspace: Can We Fend off Attackers?
Forget It: Bland PR Document Has Only Recommendations
At 60 pages, the White House’s National Strategy to Secure Cyberspace is an interesting read, but it won’t help to secure cyberspace. It’s a product of consensus, so it doesn’t make any of the hard choices necessary to radically increase cyberspace security. Consensus doesn’t work in security design, and invariably results in bad decisions. It’s the compromises that are harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn’t work because the one crucial party in these negotiations—the attackers—aren’t sitting around the negotiating table with everyone else. They don’t negotiate, and they won’t abide by any security agreements…
Internet Shield: Secrecy and security
There’s considerable confusion between the concepts of secrecy and security, and it is causing a lot of bad security and some surprising political arguments. Secrecy is not the same as security, and most of the time secrecy contributes to a false feeling of security instead of to real security.
Last month, the SQL Slammer worm ravaged the Internet, within some 15 minutes disrupting about 13 root servers that direct information traffic, and thus disrupting services as diverse as the 911 network in Seattle and much of Bank of America’s 13,000 ATMs. The worm took advantage of a software vulnerability in a Microsoft database management program, one that allowed a malicious piece of software to take control of the computer…