Entries Tagged "cost-benefit analysis"


Outsourcing Passports

The U.S. is outsourcing the manufacture of its RFID passports to some questionable companies.

This is a great illustration of the maxim “security trade-offs are often made for non-security reasons.” I can imagine the manager in charge: “Yes, it’s insecure. But think of the savings!”

The Government Printing Office’s decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.

Another story.

Posted on April 2, 2008 at 6:08 AM

Detecting Gunshots

Minneapolis—the city I live in—has an acoustic system that automatically detects and locates gunshots. It’s been in place for a year and a half.

The main system being considered by Minneapolis is called ShotSpotter. It could cost up to $350,000, and some community groups are hoping to pitch in.

That seems like a bargain to me.

Recently, I was asked about this system on Winnipeg radio. Actually, I kind of like it. I like it because it’s finely tuned to one particular problem: detecting gunfire. It doesn’t record everything. It doesn’t invade privacy. If there’s no gunfire, it’s silent. But if there is a gunshot, it figures out the location of the noise and automatically tells police.

From a privacy and liberties perspective, it’s a good system. Now all that has to be demonstrated is that it’s cost effective.

Posted on March 20, 2008 at 7:27 AM

Hacking Medical Devices

Okay, so this could be big news:

But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.

They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal—if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory.

The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.

There’s only a little bit of hyperbole in the New York Times article. The research is being conducted by the Medical Device Security Center, with researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington. They have two published papers:

This is from the FAQ for the second paper (an ICD is an implantable cardiac defibrillator):

As part of our research we evaluated the security and privacy properties of a common ICD. We investigate whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary’s computer could intercept wireless signals from the ICD and learn information including: the patient’s name, the patient’s medical history, the patient’s date of birth, and so on.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.

Of course, we all know how this happened. It’s a story we’ve seen a zillion times before: the designers didn’t think about security, so the design wasn’t secure.

The researchers are making it very clear that this doesn’t mean people shouldn’t get pacemakers and ICDs. Again, from the FAQ:

We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.

For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.

I agree with this answer. The risks are there, but the benefits of these devices are much greater. The point of this research isn’t to help people hack into pacemakers and commit murder, but to enable medical device companies to design better implantable equipment in the future. I think it’s great work.

Of course, that will only happen if the medical device companies don’t react like idiots:

Medtronic, the industry leader in cardiac regulating implants, said Tuesday that it welcomed the chance to look at security issues with doctors, regulators and researchers, adding that it had never encountered illegal or unauthorized hacking of its devices that have telemetry, or wireless control, capabilities.

“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark, said. Mr. Clark added that newer implants with longer transmission ranges than Maximo also had enhanced security.

[…]

St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.

Just because you have no knowledge of something happening does not mean it’s not a risk.

Another article.

The general moral here: more and more, computer technology is becoming intimately embedded into our lives. And with each new application comes new security risks. And we have to take those risks seriously.

Posted on March 12, 2008 at 10:39 AM

Hijacking in New Zealand

There are a couple of interesting things about the hijacking in New Zealand two weeks ago. First, it was a traditional hijacking. Remember after 9/11 when people said that the era of airplane hijacking was over, that it would no longer be possible to hijack an airplane and demand a ransom or demand passage to some exotic location? Turns out that’s just not true; there still can be traditional non-terrorist hijackings.

And even more interesting, the media coverage reflected that. Read the links above. They’re calm and reasoned. There’s no mention of the T-word. We’re not all cautioned that we’re going to die. If anything, they’re recommending that everyone not overreact.

Refreshing, really.

EDITED TO ADD (2/25): And this:

Mr Williamson today said the idea behind anything involving transport was “safety at reasonable cost”.

He said the Government needed to weigh up the cost of x-ray screening every passenger on a small plane against the risk of such an attempted hijacking happening again.

“I just think it’s over the top, sledgehammer to crack a nut stuff and my advice to the Cabinet this morning is just make sure you’re very careful … to consider what the costs are.”

Posted on February 20, 2008 at 7:26 AM

Locked Call Boxes and Banned Geiger Counters

Fire Engineering magazine points out that fire alarms used to be kept locked to prevent false alarms:

Q: Prior to 1870, street corner fire alarm pull boxes were kept locked. Why were they kept locked and how did a person gain access to ‘pull the box?’

A: They were kept locked due to false alarms. Nearby shopkeepers or beat cops carried the keys.

According to Robert Cromie in The Great Chicago Fire (Thomas Nelson: 1994, p. 33), this may have been one reason for the slow response to the fire:

William Lee, the O’Leary’s neighbor, rushed into Goll’s drugstore, and gasped out a request for the key to the alarm box. The new boxes were attached to the walls of stores or other convenient locations. To prevent false alarms and crank calls, the boxes were locked, and the keys given to trustworthy citizens nearby.

What happened when Lee made his request is not clear. Only one fact emerges from the confusion: No alarm was registered from any box in the vicinity of the fire until it was too late to do any good.

Apparently, Lee said that Goll refused to give him the key because he’d already seen a fire engine go past; Goll said he actually did pull the alarm, twice, but if so it must not have worked.

(There’s more about what sounds like a really bad communications failure, but it’s a little too hard for me to read on the Amazon website.)

Here’s more:

But did you know that the fire burned for over half an hour before an alarm was ever sounded? Alarm boxes were actually kept locked in those days, to prevent false alarms!

When the first alarm box was finally opened and the lever pulled, the alarm somehow did not get through. The fire dispatcher was playing a guitar for a couple of girls at the time and he kept on serenely strumming, completely unawares. After the fire had been growing and blazing for nearly an hour a watchman screamed at the dispatcher to sound an alarm, which he did, and the first three engines, two hose wagons, and two hook and ladders were sent out—but in the wrong direction!

At first the dispatcher refused to sound another alarm, hoping to avoid further confusion.

Compare this with a proposed law in New York City that will require people to get a license before they can buy chemical, biological, or radiological attack detectors:

The legislation—which was proposed by the Bloomberg administration and would be the first of its kind in the nation—would empower the police commissioner to decide whether to grant a free five-year permit to individuals and companies seeking to “possess or deploy such detectors.” Common smoke alarms and carbon monoxide detectors would not be covered by the law, the Police Department said. Violations of the law would be considered a misdemeanor.

Why does the administration think such a law is necessary? Richard A. Falkenrath, the Police Department’s deputy commissioner for counterterrorism, told the Council’s Public Safety Committee at a hearing today, “Our mutual goal is to prevent false alarms and unnecessary public concern by making sure that we know where these detectors are located and that they conform to standards of quality and reliability.”

The law would also require anyone using such a detector—regardless of whether they have obtained the required permit—to notify the Police Department if the detector alerted them to a biological, chemical or radiological agent. “In this way, emergency response personnel will be able to assess threats and take appropriate action based on the maximum information available,” Dr. Falkenrath said.

False positives are a problem with any detection system, and certainly putting Geiger counters in the hands of everyone will mean a lot of amateurs calling false alarms into the police. But the way to handle that isn’t to ban Geiger counters. (Just as the way to deal with false fire alarms 100 years ago wasn’t to lock the alarm boxes.) The way to deal with it is by 1) putting a system in place to quickly separate the real alarms from the false alarms, and 2) prosecuting those who maliciously sound false alarms.

We don’t want to encourage people to report everything; that’s too many false alarms. Nor do we want to discourage them from reporting things they feel are serious. In the end, it’s the job of the police to figure out what’s what. I said this in an essay last year:

…these incidents only reinforce the need to realistically assess, not automatically escalate, citizen tips. In criminal matters, law enforcement is experienced in separating legitimate tips from unsubstantiated fears, and allocating resources accordingly; we should expect no less from them when it comes to terrorism.

EDITED TO ADD (1/18): Two commenters pointed to a 1938 invention: an alarm box that locks up your arm until the fire department sets you free. Yikes.

Posted on January 18, 2008 at 7:44 AM

My Open Wireless Network

Whenever I talk or write about my own security setup, the one thing that surprises people—and attracts the most criticism—is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

To me, it’s basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it’s both wrong and dangerous.

I’m told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.

While this is technically true, I don’t think it’s much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

This is not to say that the new wireless security protocol, WPA, isn’t very good. It is. But there are going to be security flaws in it; there always are.

I spoke to several lawyers about this, and in their lawyerly way they outlined several other risks with leaving your network open.

While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren’t always the most technically savvy bunch, and you might end up being charged despite your innocence. The lawyers I spoke with say most defense attorneys will advise you to reach a plea agreement rather than risk going to trial on child-pornography charges.

In a less far-fetched scenario, the Recording Industry Association of America is known to sue copyright infringers based on nothing more than an IP address. The accuser’s chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower. And again, lawyers argue that even if you win it’s not worth the risk or expense, and that you should settle and pay a few thousand dollars.

I remain unconvinced of this threat, though. The RIAA has conducted about 26,000 lawsuits, and there are more than 15 million music downloaders. Mark Mulligan of Jupiter Research said it best: “If you’re a file sharer, you know that the likelihood of you being caught is very similar to that of being hit by an asteroid.”

I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.

Yes, computer security is hard. But if your computers leave your house, you have to solve it anyway. And any solution will apply to your desktop machines as well.

Finally, critics say someone might steal bandwidth from me. Despite isolated court rulings that this is illegal, my feeling is that they’re welcome to it. I really don’t mind if neighbors use my wireless network when they need it, and I’ve heard several stories of people who have been rescued from connectivity emergencies by open wireless networks in the neighborhood.

Similarly, I appreciate an open network when I am otherwise without bandwidth. If someone were using my network to the point that it affected my own traffic or if some neighbor kid was dinking around, I might want to do something about it; but as long as we’re all polite, why should this concern me? Pay it forward, I say.

Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP.

A company called Fon has an interesting approach to this problem. Fon wireless access points have two wireless networks: a secure one for you, and an open one for everyone else. You can configure your open network in either “Bill” or “Linus” mode: In the former, people pay you to use your network, and you have to pay to use any other Fon wireless network. In Linus mode, anyone can use your network, and you can use any other Fon wireless network for free. It’s a really clever idea.

Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and while using a cell phone) and who talk to strangers. In my opinion, securing my wireless network isn’t worth it. And I appreciate everyone else who keeps an open wireless network, including all the coffee shops, bars and libraries I have visited in the past, the Dayton International Airport where I started writing this and the Four Points Sheraton where I finished. You all make the world a better place.

This essay originally appeared on Wired.com, and has since generated a lot of controversy. There’s a Slashdot thread. And here are three opposing essays and three supporting essays. Presumably there will be a lot of back and forth in the comments section here as well.

EDITED TO ADD (1/15): There has been lots more commentary.

EDITED TO ADD (1/16): Even more commentary. And still more.

EDITED TO ADD (1/17): Two more.

EDITED TO ADD (1/18): Another. In the beginning, comments agreeing with me and disagreeing with me were about tied. By now, those that disagree with me are firmly in the lead.

Posted on January 15, 2008 at 3:33 AM

How Well "See Something, Say Something" Actually Works

I’ve written about the “War on the Unexpected,” and how normal people can’t figure out what’s an actual threat and what isn’t:

All they know is that something makes them uneasy, usually based on fear, media hype, or just something being different.

[…]

If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.

Yesterday The New York Times wrote about New York City’s campaign:

Now, an overview of police data relating to calls to the hot line over the past two years reveals the answer and provides a unique snapshot of post-9/11 New York, part paranoia and part well-founded caution. Indeed, no terrorists were arrested, but a wide spectrum of other activity was reported.

[…]

In all, the hot line received 8,999 calls in 2006, including calls that were transferred from 911 and the 311 help line, Mr. Browne said. They included a significant number of calls about suspicious packages, many in the transit system. Most involved backpacks, briefcases or other items accidentally left behind by their owners. None of them, Mr. Browne said, were bombs.

There were, however, 816 calls to the hot line in 2006 that were deemed serious enough to require investigation by the department’s intelligence division or its joint terrorism task force with the F.B.I. Mr. Browne said that 109 of those calls had a connection to the transit system and included reports of suspicious people in tunnels and yards, and of people taking pictures of the tracks.

The hot line received many more calls in 2007, possibly because of the authority’s advertising campaign, Mr. Browne said. Through early December, the counterterrorism hot line received 13,473 calls, with 644 of those meriting investigation. Of that group, 45 calls were transit related.

Then there were the 11 calls about people counting.

Mr. Browne said several callers reported seeing men clicking hand-held counting devices while riding on subway trains or waiting on platforms.

The callers said that the men appeared to be Muslims and that they seemed to be counting the number of people boarding subway trains or the number of trains passing through a station. They feared the men might be collecting data to maximize the casualties in a terror attack.

But when the police looked into the claims, they determined that the men were counting prayers with the devices, essentially a modern version of rosary beads.

None of those calls led to arrests, but several others did. At least three calls resulted in arrests for trying to sell false identification, including driver’s licenses and Social Security cards. One informer told the police about a Staten Island man who was later found to have a cache of firearms. A Queens man was charged with having an illegal gun and with unlawful dealing in fireworks.

A Brooklyn man was charged with making anti-Semitic threats against his landlord and threatening to use sarin gas on him. At least two men arrested on tips from the hot line were turned over to immigration officials for deportation, Mr. Browne said.

And as long as we’re on the topic, read about the couple branded as terrorists in the UK for taking photographs in a mall. And this about a rail fan being branded a terrorist for trying to film a train. (Note that the member of the train’s crew was trying to incite the other passengers to do something about the filmer.) And about this Icelandic woman’s experience with U.S. customs because she overstayed a visa in 1995.

And lastly, this funny piece of (I trust) fiction.

Remember that every one of these incidents requires police resources to investigate, resources that almost certainly could be better spent keeping us actually safe.

Refuse to be terrorized!

Posted on January 8, 2008 at 7:53 AM

Airport Behavioral Profiling Leads to an Arrest

I’m generally a fan of behavioral profiling. While it sounds weird and creepy and has been likened to Orwell’s “facecrime”, there’s no doubt that—when done properly—it works at catching common criminals:

On Dec. 4, Juan Carlos Berriel-Castillo, 22, and Bernardo Carmona-Olivares, 20, were planning to fly to Maui but were instead arrested on suspicion of forgery.

They tried to pass through a Terminal 4 security checkpoint with suspicious documents, Phoenix police spokeswoman Stacie Derge said.

The pair had false permanent-resident identification, and authorities also found false Social Security cards, officials say.

While the pair were questioned about the papers, a TSA official who had received behavior-recognition training observed a third man in the area who appeared to be connected to Berriel-Castillo and Carmona-Olivares, Melendez said.

As a result, police later arrested Samuel Gonzalez, 32. A background check revealed that Gonzalez was wanted on two misdemeanor warrants.

TSA press release here.

Security is a trade-off. The question is whether the expense of the Screening Passengers by Observation Techniques (SPOT) program, given the minor criminals it catches, is worth it. (Remember, it’s supposed to catch terrorists, not people with outstanding misdemeanor warrants.) Especially with the 99% false alarm rate:

Since January 2006, behavior-detection officers have referred about 70,000 people for secondary screening, Maccario said. Of those, about 600 to 700 were arrested on a variety of charges, including possession of drugs, weapons violations and outstanding warrants.

And the other social costs, including loss of liberty, restriction of fundamental freedoms, and the creation of a thoughtcrime. Is this the sort of power we want to give a police force in a constitutional democracy, or does it feel more like a police-state sort of thing?

This “Bizarro” cartoon sums it up nicely.

Posted on January 3, 2008 at 12:49 PM
