
How To Tell if Your Hotel Guest Is a Terrorist

From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist.

I myself have done several of these.

More generally, this is another example of why all the “see something say something” campaigns fail: “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.”

Posted on November 9, 2012 at 1:32 PM

How Terrorist Groups Disband

Interesting research from RAND:

Abstract: How do terrorist groups end? The evidence since 1968 indicates that terrorist groups rarely cease to exist as a result of winning or losing a military campaign. Rather, most groups end because of operations carried out by local police or intelligence agencies or because they join the political process. This suggests that the United States should pursue a counterterrorism strategy against al Qa’ida that emphasizes policing and intelligence gathering rather than a “war on terrorism” approach that relies heavily on military force.

This, of course, should surprise no one. Remember the work of Max Abrahms.

Posted on November 9, 2012 at 6:41 AM

Gary McGraw on National Cybersecurity

Good essay, making the point that cyberattack and counterattack aren’t very useful—actual cyberdefense is what’s wanted.

Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an insider, cyber-rocks may in fact be free of charge, but that is a topic for another time.

Given these price tags, it is safe to assume that some nations have already developed a collection of cyber-rocks, and that many other nations will develop a handful of specialized cyber-rocks (e.g., as an extension of many-year-old regional conflicts). If we follow the advice of Hayden and Chabinsky, we may even distribute cyber-rocks to private corporations.

Obviously, active defense is folly if all it means is unleashing the cyber-rocks from inside of our glass houses since everyone can or will have cyber-rocks. Even worse, unlike very high explosives, or nuclear materials, or other easily trackable munitions (part of whose deterrence value lies in others knowing about them), no one will ever know just how many or what kind of cyber-rocks a particular group actually has.

Now that we have established that cyber-offense is relatively easy and can be accomplished on the cheap, we can see why reliance on offense alone is inadvisable. What are we going to do to stop cyberwar from starting in the first place? The good news is that war has both defensive and offensive aspects, and understanding this fundamental dynamic is central to understanding cyberwar and deterrence.

The kind of defense I advocate (called “passive defense” or “protection” above) involves security engineering—building security in as we create our systems, knowing full well that they will be attacked in the future. One of the problems to overcome is that exploits are sexy and engineering is, well, not so sexy.

Posted on November 8, 2012 at 1:24 PM

Micromorts

Here’s a great concept: a micromort:

Shopping for coffee you would not ask for 0.00025 tons (unless you were naturally irritating), you would ask for 250 grams. In the same way, talking about a 1/125,000 or 0.000008 risk of death associated with a hang-gliding flight is rather awkward. With that in mind, Howard coined the term “microprobability” (μp) to refer to an event with a chance of 1 in 1 million, and a 1 in 1 million chance of death he calls a “micromort” (μmt). We can now describe the risk of hang-gliding as 8 micromorts, and you would have to drive around 3,000km in a car before accumulating a risk of 8 μmt, which helps compare these two remote risks.

There’s a related term, microlife, for things that reduce your lifespan. A microlife is 30 minutes off your life expectancy. So smoking two cigarettes has a cost of one microlife.

Posted on November 8, 2012 at 6:57 AM

New SSL Vulnerability

It’s hard for me to get too worked up about this vulnerability:

Many popular applications, HTTP(S) and WebSocket transport libraries, and SOAP and REST Web-services middleware use SSL/TLS libraries incorrectly, breaking or disabling certificate validation. Their SSL and TLS connections are not authenticated, thus they—and any software using them—are completely insecure against a man-in-the-middle attacker.

Great research, and—yes—the vulnerability should be fixed, but it doesn’t feel like a crisis issue.

Another article.
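The quoted finding is that applications break one or both of the two separate steps of certificate validation: checking the chain, and checking that the certificate actually names the host being contacted. As an added example (not from the paper or the post), this Python script, using only the standard ssl module, builds client contexts with each step on or off and audits a context for what it fails to verify; the helper names are my own.

```python
import ssl


def build_client_context(verify_chain=True, verify_hostname=True):
    """Build a TLS client context.

    The two flags stand in for the 'disable validation' knobs the paper
    found misused. A fresh PROTOCOL_TLS_CLIENT context already has
    verify_mode=CERT_REQUIRED and check_hostname=True; the unsafe
    settings are only reached by switching them off explicitly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    if not verify_hostname:
        # Hostname checking must be disabled before verify_mode can be
        # lowered; Python raises ValueError for the inconsistent combination.
        ctx.check_hostname = False
    if not verify_chain:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the ways this context fails to authenticate the peer.

    An empty list means both validation steps are in place. A context with
    CERT_REQUIRED but check_hostname=False is the subtle case from the paper:
    the chain is checked, but any valid certificate for any name is accepted.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


def is_authenticated(ctx):
    """True only when a man-in-the-middle would be rejected on both steps."""
    return not audit_context(ctx)


if __name__ == "__main__":
    for chain, host in [(True, True), (True, False), (False, False)]:
        ctx = build_client_context(chain, host)
        print(f"verify_chain={chain} verify_hostname={host}: "
              f"{audit_context(ctx) or 'OK'}")
```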

Posted on November 7, 2012 at 1:39 PM

Regulation as a Prisoner's Dilemma

This is the sort of thing I wrote about in my latest book.

The Prisoner's Dilemma as outlined above can be seen in action in two variants within regulatory activities, and offers a clear insight into why those involved in regulation act as they do. The first relationship is that between the various people and organisations being regulated – banks, nuclear power stations, council departments, police agencies, journalists, etc. – and the clear lessons from history are that even for those organisations that are theoretically in competition with each other, it is beneficial to both/all sides in the long run to use mutual cooperation in order to maximise their personal benefit. Whether it was Virgin and British Airways forming an illegal cartel to fix the price of fuel surcharges (a benefit to themselves which was paid for in increased prices for passengers); football shirt retailers (and Manchester United) being fined £16m for fixing the price of replica football shirts, or Barclays (and undoubtedly other banks) working together to fix the LIBOR rate, the reason why they do it is simple and unanswerable—it is in their benefit to do so.

[…]

However, when it comes down to the relationship between the regulators and those being regulated, then a completely different strategic dynamic comes into play. The ability of the regulated organisation to maximise personal benefit is then based on the ability to predict what the other side will do in response to the two options – cooperate (play nicely) or betray (screw the customer). Given that in almost all cases the regulatory body has less funds, personnel, resources and expertise than the organisation it is regulating, then it becomes clear that there is little to be gained in the long run by cooperating / playing nicely, and much to be gained by ignoring the regulator and developing a strategy that focuses purely on maximising its own personal benefit. This is not an issue of ‘right’ or ‘wrong,’ but purely, in its own terms at least (maximisation of profit, increased market share, annual bonuses, career prospects), of whether it is ‘effective’ or ‘ineffective.’

Posted on November 7, 2012 at 6:16 AM

Wanted: RSA Exhibitor for Book Signing

Is anyone out there interested in buying a pile of copies of my Liars and Outliers for a giveaway and book signing at the RSA Conference? I can guarantee enormous crowds at your booth for as long as there are books to give away. This could also work for an after-hours event.

Please let me know. I can get you a great bulk order price with my publisher.

Posted on November 6, 2012 at 10:13 AM
