Page 499

Peter Neumann Profile

Really nice profile in the New York Times. It includes a discussion of the Clean Slate program:

Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently?

The program includes two separate but related efforts: Crash, for Clean-Slate Design of Resilient Adaptive Secure Hosts; and MRC, for Mission-Oriented Resilient Clouds. The idea is to reconsider computing entirely, from the silicon wafers on which circuits are etched to the application programs run by users, as well as services that are placing more private and personal data in remote data centers.

Clean Slate is financing research to explore how to design computer systems that are less vulnerable to computer intruders and recover more readily once securityis breached.

Tags: , ,

Posted on November 1, 2012 at 6:34 AMView Comments

Protecting (and Collecting) the DNA of World Leaders

There’s a lot of hype and hyperbole in this story, but here’s the interesting bit:

According to Ronald Kessler, the author of the 2009 book In the President’s Secret Service, Navy stewards gather bedsheets, drinking glasses, and other objects the president has touched­they are later sanitized or destroyed­in an effort to keep would be malefactors from obtaining his genetic material. (The Secret Service would neither confirm nor deny this practice, nor would it comment on any other aspect of this article.) And according to a 2010 release of secret cables by WikiLeaks, Secretary of State Hillary Clinton directed our embassies to surreptitiously collect DNA samples from foreign heads of state and senior United Nations officials. Clearly, the U.S. sees strategic advantage in knowing the specific biology of world leaders; it would be surprising if other nations didn’t feel the same.

The rest of the article is about individually targeted bioweapons.

Tags: , , ,

Posted on October 29, 2012 at 1:53 PMView Comments

Hacking TSA PreCheck

I have a hard time getting worked up about this story:

I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.

What a dumb way to design the system. It would be easier—and far more secure—if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And—of course—this means that you can still print your own boarding pass.

On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don’t feel any less safe because of this vulnerability.

Still, I am surprised. Is this the same in other countries? Lots of countries scan my boarding pass before allowing me through security: France, the Netherlands, the UK, Japan, even Uruguay at Montevideo Airport when I flew out of there yesterday. I always assumed that those systems were connected to the airlines’ reservation databases. Does anyone know?

Tags: , , , , , , ,

Posted on October 26, 2012 at 6:46 AMView Comments

The Risks of Trusting Experts

I’m not sure what to think about this story:

Six Italian scientists and an ex-government official have been sentenced to six years in prison over the 2009 deadly earthquake in L’Aquila.

A regional court found them guilty of multiple manslaughter.

Prosecutors said the defendants gave a falsely reassuring statement before the quake, while the defence maintained there was no way to predict major quakes.

The 6.3 magnitude quake devastated the city and killed 309 people.

These were all members of the National Commission for the Forecast and Prevention of Major Risks, and some of Italy’s most prominent and internationally respected seismologists and geological experts. Basically, the problem was that they failed to hedge their bets against the earthquake. In a press conference just before the earthquake, they incorrectly assured locals that there was no danger. This, according to the court, was equivalent to manslaughter.

No, it doesn’t make any sense.

David Rothery, of the UK’s Open University, said earthquakes were “inherently unpredictable”.

“The best estimate at the time was that the low-level seismicity was not likely to herald a bigger quake, but there are no certainties in this game,” he said.

Even the defendants were confused:

Another, Enzo Boschi, described himself as “dejected” and “desperate” after the verdict was read.

“I thought I would have been acquitted. I still don’t understand what I was convicted of.”

I do. He was convicted because the public wanted revenge—and the scientists were their most obvious targets.

Needless to say, this is having a chilling effect on scientists talking to the public. Enzo Boschi, president of Italy’s National Institute of Geophysics and Volcanology (INGV) in Rome, said: “When people, when journalists, asked my opinion about things, I used to tell them, but no more. Scientists have to shut up.” Also, as part of their conviction, those scientists are prohibited from ever holding public office again.

From a security perspective, this seems like the worst possible outcome. The last thing we want of our experts is for them to refuse to give us the benefits of their expertise.

To be fair, the verdict isn’t final. There are always appeals in Italy, and at least one level of appeal is certain in this case. Everything might be overturned, but I’m sure the chilling effect will remain, regardless.

As someone who constantly makes predictions about security that could potentially affect the livelihood and lives of those who listen to them, this really made me stop and think. Could I be arrested, or sued, for telling people that this particular security product is effective when in fact it is not? I am forever minimizing the risks of terrorism in general and airplane terrorism in particular. Sooner or later, there will be another terrorist event. Will that make me guilty of manslaughter as well? Italy is a long way away, but everything I write on the Internet reaches there.

Oddly enough, there is a large of amount of case law in this area, with weathermen as the target. This twopart article, “Bad Weather? Then Sue the Weatherman,” is fascinating.

EDITED TO ADD (11/13): Here is an article in “New Scientist” that gives the prosecutor’s side of things. According to the prosecutor, this case was not about prediction. It was about communication. It wasn’t about the odds of the quake, it was about how those odds were communicated to the public.

Tags:

Posted on October 25, 2012 at 6:27 AMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.