Entries Tagged "risk assessment"

Page 17 of 21

Declan McCullagh on the Politicization of Security

Good essay:

Politicians of both major parties wield this as the ultimate political threat. Its invocation typically predicts that if a certain piece of legislation is passed (or not passed) Americans will die. Variations may warn that children will die or troops will die. Any version is difficult for the target to combat.

This leads me to propose McCullagh’s Law of Politics:

As the certainty that legislation violates the U.S. Constitution increases, so does the probability of predictions that severe harm or death will come to Americans if the proposal is not swiftly enacted.

McCullagh’s Law describes a promise of political violence. It goes like this: “If you, my esteemed political adversary, are insufficiently wise as to heed my advice, I will direct my staff and members of my political apparatus to unearth examples of dead {Americans|women|children|troops} so I can later accuse you of responsibility for their deaths.”

Posted on October 22, 2007 at 1:13 PMView Comments

Perceptions of Risk

Another article about risk perception, and why we worry about the wrong things:

Newsrooms are full of English majors who acknowledge that they are not good at math, but still rush to make confident pronouncements about a global-warming “crisis” and the coming of bird flu.

Bird flu was called the No. 1 threat to the world. But bird flu has killed no one in America, while regular flu—the boring kind—kills tens of thousands. New York City internist Marc Siegel says that after the media hype, his patients didn’t want to hear that.

“I say, ‘You need a flu shot.’ You know the regular flu is killing 36,000 per year. They say, ‘Don’t talk to me about regular flu. What about bird flu?'”

Here’s another example. What do you think is more dangerous, a house with a pool or a house with a gun? When, for “20/20,” I asked some kids, all said the house with the gun is more dangerous. I’m sure their parents would agree. Yet a child is 100 times more likely to die in a swimming pool than in a gun accident.

Parents don’t know that partly because the media hate guns and gun accidents make bigger headlines. Ask yourself which incident would be more likely to be covered on TV.

Media exposure clouds our judgment about real-life odds. Of course, it doesn’t help that viewers are as ignorant about probability as reporters are.

Much of what’s written here I’ve said previously, and it echoes this article from Time Magazine (and also this great op-ed from the Los Angeles Times).

EDITED TO ADD (7/13): A great graphic.

Posted on August 22, 2007 at 1:43 PMView Comments

Security Theater

Nice article on security theater from Government Executive:

John Mueller suspects he might have become cable news programs’ go-to foil on terrorism. The author of Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them (Free Press, 2006) thinks America has overreacted. The greatly exaggerated threat of terrorism, he says, has cost the country far more than terrorist attacks ever did.

Watching his Sept. 12, 2006, appearance on Fox & Friends is unintentionally hilarious. Mueller calmly and politely asks the hosts to at least consider his thesis. But filled with alarm and urgency, they appear bewildered and exasperated. They speak to Mueller as if he is from another planet and cannot be reasoned with.

That reaction is one measure of the contagion of alarmism. Mueller’s book is filled with statistics meant to put terrorism in context. For example, international terrorism annually causes the same number of deaths as drowning in bathtubs or bee stings. It would take a repeat of Sept. 11 every month of the year to make flying as dangerous as driving. Over a lifetime, the chance of being killed by a terrorist is about the same as being struck by a meteor. Mueller’s conclusions: An American’s risk of dying at the hands of a terrorist is microscopic. The likelihood of another Sept. 11-style attack is nearly nil because it would lack the element of surprise. America can easily absorb the damage from most conceivable attacks. And the suggestion that al Qaeda poses an existential threat to the United States is ridiculous. Mueller’s statistics and conclusions are jarring only because they so starkly contradict the widely disseminated and broadly accepted image of terrorism as an urgent and all-encompassing threat.

American reaction to two failed attacks in Britain in June further illustrates our national hysteria. British police found and defused two car bombs before they could be detonated, and two would-be bombers rammed their car into a terminal at Glasgow Airport. Even though no bystanders were hurt and British authorities labeled both episodes failures, the response on American cable television and Capitol Hill was frenzied, frequently emphasizing how many people could have been killed. “The discovery of a deadly car bomb in London today is another harsh reminder that we are in a war against an enemy that will target us anywhere and everywhere,” read an e-mailed statement from Sen. Joe Lieberman, I-Conn. “Terrorism is not just a threat. It is a reality, and we must confront and defeat it.” The bombs that never detonated were “deadly.” Terrorists are “anywhere and everywhere.” Even those who believe it is a threat are understating; it’s “more than a threat.”

Mueller, an Ohio State University political science professor, is more analytical than shrill. Politicians are being politicians, and security businesses are being security businesses, he says. “It’s just like selling insurance – you say, ‘Your house could burn down.’ You don’t have an incentive to say, ‘Your house will never burn down.’ And you’re not lying,” he says. Social science research suggests that humans tend to glom onto the most alarmist perspective even if they are told how unlikely it is, he adds. We inflate the danger of things we don’t control and exaggerate the risk of spectacular events while downplaying the likelihood of common ones. We are more afraid of terrorism than car accidents or street crime, even though the latter are far more common. Statistical outliers like the Sept. 11 terrorist attacks are viewed not as anomalies, but as harbingers of what’s to come.

Lots more in the article.

Posted on August 15, 2007 at 6:18 AMView Comments

TSA Uses Monte Carlo Simulations to Weigh Airplane Risks

Does this make sense to anyone?

TSA said Boeing would use its Monte Carlo simulation model “to identify U.S. commercial aviation system vulnerabilities against a wide variety of attack scenarios.”

The Monte Carlo method refers to several ways of using randomly generated numbers fed into a computer simulation many times to estimate the likelihood of an event, specialists in the field say.

The Monte Carlo method plays an important role in many statistical techniques used to characterize risks, such as the probabilistic risk analysis approach used to evaluate possible problems at a nuclear power plant and their consequences.

Boeing engineers have pushed the mathematical usefulness of the Monte Carlo method forward largely by applying the technique to evaluating the risks and consequences of aircraft component failures.

A DHS source said the work of the U.S. Commercial Aviation Partnership, a group of government and industry organizations, had made TSA officials aware of the potential applicability of the Monte Carlo method to building an RMAT for the air travel system.

A paper by four Boeing technologists and a TSA official describing the RMAT model appeared recently in Interfaces, a scholarly journal covering operations research.

I can’t imagine how random simulations are going to be all that useful in evaluating airplane threats, as the adversary we’re worried about isn’t particularly random—and, in fact, is motivated to target his attacks directly at the weak points in any security measures.

Maybe “chatter” has tipped the TSA off to a Muta al-Stochastic.

Posted on June 22, 2007 at 12:58 PMView Comments

Portrait of the Modern Terrorist as an Idiot

The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press.

Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots—and worse, allowing our essential freedoms to be lost by using them as an excuse—is wrong.

The alleged plan, to blow up JFK’s fuel tanks and a small segment of the 40-mile petroleum pipeline that supplies the airport, was ridiculous. The fuel tanks are thick-walled, making them hard to damage. The airport tanks are separated from the pipelines by cutoff valves, so even if a fire broke out at the tanks, it would not back up into the pipelines. And the pipeline couldn’t blow up in any case, since there’s no oxygen to aid combustion. Not that the terrorists ever got to the stage—or demonstrated that they could get there—where they actually obtained explosives. Or even a current map of the airport’s infrastructure.

But read what Russell Defreitas, the lead terrorist, had to say: “Anytime you hit Kennedy, it is the most hurtful thing to the United States. To hit John F. Kennedy, wow…. They love JFK—he’s like the man. If you hit that, the whole country will be in mourning. It’s like you can kill the man twice.”

If these are the terrorists we’re fighting, we’ve got a pretty incompetent enemy.

You couldn’t tell that from the press reports, though. “The devastation that would be caused had this plot succeeded is just unthinkable,” U.S. Attorney Roslynn R. Mauskopf said at a news conference, calling it “one of the most chilling plots imaginable.” Sen. Arlen Specter (R-Pennsylvania) added, “It had the potential to be another 9/11.”

These people are just as deluded as Defreitas.

The only voice of reason out there seemed to be New York’s Mayor Michael Bloomberg, who said: “There are lots of threats to you in the world. There’s the threat of a heart attack for genetic reasons. You can’t sit there and worry about everything. Get a life…. You have a much greater danger of being hit by lightning than being struck by a terrorist.”

And he was widely excoriated for it.

This isn’t the first time a bunch of incompetent terrorists with an infeasible plot have been painted by the media as poised to do all sorts of damage to America. In May we learned about a six-man plan to stage an attack on Fort Dix by getting in disguised as pizza deliverymen and shooting as many soldiers and Humvees as they could, then retreating without losses to fight again another day. Their plan, such as it was, went awry when they took a videotape of themselves at weapons practice to a store for duplication and transfer to DVD. The store clerk contacted the police, who in turn contacted the FBI. (Thank you to the video store clerk for not overreacting, and to the FBI agent for infiltrating the group.)

The “Miami 7,” caught last year for plotting—among other things—to blow up the Sears Tower, were another incompetent group: no weapons, no bombs, no expertise, no money and no operational skill. And don’t forget Iyman Faris, the Ohio trucker who was convicted in 2003 for the laughable plot to take out the Brooklyn Bridge with a blowtorch. At least he eventually decided that the plan was unlikely to succeed.

I don’t think these nut jobs, with their movie-plot threats, even deserve the moniker “terrorist.” But in this country, while you have to be competent to pull off a terrorist attack, you don’t have to be competent to cause terror. All you need to do is start plotting an attack and—regardless of whether or not you have a viable plan, weapons or even the faintest clue—the media will aid you in terrorizing the entire population.

The most ridiculous JFK Airport-related story goes to the New York Daily News, with its interview with a waitress who served Defreitas salmon; the front-page headline blared, “Evil Ate at Table Eight.”

Following one of these abortive terror misadventures, the administration invariably jumps on the news to trumpet whatever ineffective “security” measure they’re trying to push, whether it be national ID cards, wholesale National Security Agency eavesdropping or massive data mining. Never mind that in all these cases, what caught the bad guys was old-fashioned police work—the kind of thing you’d see in decades-old spy movies.

The administration repeatedly credited the apprehension of Faris to the NSA’s warrantless eavesdropping programs, even though it’s just not true. The 9/11 terrorists were no different; they succeeded partly because the FBI and CIA didn’t follow the leads before the attacks.

Even the London liquid bombers were caught through traditional investigation and intelligence, but this doesn’t stop Secretary of Homeland Security Michael Chertoff from using them to justify (.pdf) access to airline passenger data.

Of course, even incompetent terrorists can cause damage. This has been repeatedly proven in Israel, and if shoe-bomber Richard Reid had been just a little less stupid and ignited his shoes in the lavatory, he might have taken out an airplane.

So these people should be locked up … assuming they are actually guilty, that is. Despite the initial press frenzies, the actual details of the cases frequently turn out to be far less damning. Too often it’s unclear whether the defendants are actually guilty, or if the police created a crime where none existed before.

The JFK Airport plotters seem to have been egged on by an informant, a twice-convicted drug dealer. An FBI informant almost certainly pushed the Fort Dix plotters to do things they wouldn’t have ordinarily done. The Miami gang’s Sears Tower plot was suggested by an FBI undercover agent who infiltrated the group. And in 2003, it took an elaborate sting operation involving three countries to arrest an arms dealer for selling a surface-to-air missile to an ostensible Muslim extremist. Entrapment is a very real possibility in all of these cases.

The rest of them stink of exaggeration. Jose Padilla was not actually prepared to detonate a dirty bomb in the United States, despite histrionic administration claims to the contrary. Now that the trial is proceeding, the best the government can charge him with is conspiracy to murder, kidnap and maim, and it seems unlikely that the charges will stick. An alleged ringleader of the U.K. liquid bombers, Rashid Rauf, had charges of terrorism dropped for lack of evidence (of the 25 arrested, only 16 were charged). And now it seems like the JFK mastermind was more talk than action, too.

Remember the “Lackawanna Six,” those terrorists from upstate New York who pleaded guilty in 2003 to “providing support or resources to a foreign terrorist organization”? They entered their plea because they were threatened with being removed from the legal system altogether. We have no idea if they were actually guilty, or of what.

Even under the best of circumstances, these are difficult prosecutions. Arresting people before they’ve carried out their plans means trying to prove intent, which rapidly slips into the province of thought crime. Regularly the prosecution uses obtuse religious literature in the defendants’ homes to prove what they believe, and this can result in courtroom debates on Islamic theology. And then there’s the issue of demonstrating a connection between a book on a shelf and an idea in the defendant’s head, as if your reading of this article—or purchasing of my book—proves that you agree with everything I say. (The Atlantic recently published a fascinating article on this.)

I’ll be the first to admit that I don’t have all the facts in any of these cases. None of us do. So let’s have some healthy skepticism. Skepticism when we read about these terrorist masterminds who were poised to kill thousands of people and do incalculable damage. Skepticism when we’re told that their arrest proves that we need to give away our own freedoms and liberties. And skepticism that those arrested are even guilty in the first place.

There is a real threat of terrorism. And while I’m all in favor of the terrorists’ continuing incompetence, I know that some will prove more capable. We need real security that doesn’t require us to guess the tactic or the target: intelligence and investigation—the very things that caught all these terrorist wannabes—and emergency response. But the “war on terror” rhetoric is more politics than rationality. We shouldn’t let the politics of fear make us less safe.

This essay originally appeared on Wired.com.

EDITED TO ADD (6/14): Another essay on the topic.

Posted on June 14, 2007 at 8:28 AMView Comments

Childhood Risks: Perception vs. Reality

Great article on perceived vs actual risks to children:

The risk of abduction remains tiny. In Britain, there are now half as many children killed every year in road accidents as there were in 1922—despite a more than 25-fold increase in traffic.

Today the figure is under 9%. Escorting children is now the norm—often in the back of a 4×4.

We are rearing our children in captivity—their habitat shrinking almost daily.

In 1970 the average nine-year-old girl would have been free to wander 840 metres from her front door. By 1997 it was 280 metres.

Now the limit appears to have come down to the front doorstep.

[…]

The picket fence marks the limit of their play area. They wouldn’t dare venture beyond it.

“You might get kidnapped or taken by a stranger,” says Jojo.

“In the park you might get raped,” agrees Holly.

Don’t they yearn to go off to the woods, to climb trees and get muddy?

No, they tell me. The woods are scary. Climbing trees is dangerous. Muddy clothes get you in trouble.

One wonders what they think of Just William, Swallows And Amazons or The Famous Five—fictional tales of strange children from another time, an age of adventures where parents apparently allowed their offspring to be out all day and didn’t worry about a bit of mud.

There is increasing concern that today’s “cotton-wool kids” are having their development hampered.

They are likely to be risk-averse, stifled by fears which are more phobic than real.

EDITED TO ADD (6/9): More commentary.

Posted on June 7, 2007 at 5:54 AMView Comments

Terrorism Statistics

Interesting:

The majority of terrorist attacks result in no fatalities, with just 1 percent of such attacks causing the deaths of 25 or more people.

And terror incidents began rising some in 1998, and that level remained relatively constant through 2004.

These and other myth-busting facts about global terrorism are now available on a new online database open to the public.

The database identifies more than 30,000 bombings, 13,400 assassinations and 3,200 kidnappings. Also, it details more than 1,200 terrorist attacks within the United States.

A lot of this depends on your definition of “terrorism,” but it’s interesting stuff.

The database was developed by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) based at the University of Maryland, with funding from the U.S. Department of Homeland Security. It includes unclassified information about 80,000 terror incidents that occurred from 1970 through 2004.

The database is here:

The Global Terrorism Database (GTD) is an open-source database including information on terrorist events around the world since 1970 (currently updated through 2004). Unlike many other event databases, the GTD includes systematic data on international as well as domestic terrorist incidents that have occurred during this time period and now includes almost 80,000 cases. For each GTD incident, information is available on the date and location of the incident, the weapons used and nature of the target, the number of casualties, and—when identifiable—the identity of the perpetrator.

Posted on June 5, 2007 at 2:38 PM

Rare Risk and Overreactions

Everyone had a reaction to the horrific events of the Virginia Tech shootings. Some of those reactions were rational. Others were not.

A high school student was suspended for customizing a first-person shooter game with a map of his school. A contractor was fired from his government job for talking about a gun, and then visited by the police when he created a comic about the incident. A dean at Yale banned realistic stage weapons from the university theaters—a policy that was reversed within a day. And some teachers terrorized a sixth-grade class by staging a fake gunman attack, without telling them that it was a drill.

These things all happened, even though shootings like this are incredibly rare; even though—for all the press—less than one percent (.pdf) of homicides and suicides of children ages 5 to 19 occur in schools. In fact, these overreactions occurred, not despite these facts, but because of them.

The Virginia Tech massacre is precisely the sort of event we humans tend to overreact to. Our brains aren’t very good at probability and risk analysis, especially when it comes to rare occurrences. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. There’s a lot of research in the psychological community about how the brain responds to risk—some of it I have already written about—but the gist is this: Our brains are much better at processing the simple risks we’ve had to deal with throughout most of our species’ existence, and much poorer at evaluating the complex risks society forces us to face today.

Novelty plus dread equals overreaction.

We can see the effects of this all the time. We fear being murdered, kidnapped, raped and assaulted by strangers, when it’s far more likely that the perpetrator of such offenses is a relative or a friend. We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic violence—both far more common.

In the United States, dogs, snakes, bees and pigs each kill more people per year (.pdf) than sharks. In fact, dogs kill more humans than any animal except for other humans. Sharks are more dangerous than dogs, yes, but we’re far more likely to encounter dogs than sharks.

Our greatest recent overreaction to a rare event was our response to the terrorist attacks of 9/11. I remember then-Attorney General John Ashcroft giving a speech in Minnesota—where I live—in 2003, and claiming that the fact there were no new terrorist attacks since 9/11 was proof that his policies were working. I thought: “There were no terrorist attacks in the two years preceding 9/11, and you didn’t have any policies. What does that prove?”

What it proves is that terrorist attacks are very rare, and maybe our reaction wasn’t worth the enormous expense, loss of liberty, attacks on our Constitution and damage to our credibility on the world stage. Still, overreacting was the natural thing for us to do. Yes, it’s security theater, but it makes us feel safer.

People tend to base risk analysis more on personal story than on data, despite the old joke that “the plural of anecdote is not data.” If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.

We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone’s major storyteller these days? Television. (Nassim Nicholas Taleb’s great book, The Black Swan: The Impact of the Highly Improbable, discusses this.)

Consider the reaction to another event from last month: professional baseball player Josh Hancock got drunk and died in a car crash. As a result, several baseball teams are banning alcohol in their clubhouses after games. Aside from this being a ridiculous reaction to an incredibly rare event (2,430 baseball games per season, 35 people per clubhouse, two clubhouses per game. And how often has this happened?), it makes no sense as a solution. Hancock didn’t get drunk in the clubhouse; he got drunk at a bar. But Major League Baseball needs to be seen as doing something, even if that something doesn’t make sense—even if that something actually increases risk by forcing players to drink at bars instead of at the clubhouse, where there’s more control over the practice.

I tell people that if it’s in the news, don’t worry about it. The very definition of “news” is “something that hardly ever happens.” It’s when something isn’t in the news, when it’s so common that it’s no longer news—car crashes, domestic violence—that you should start worrying.

But that’s not the way we think. Psychologist Scott Plous said it well in The Psychology of Judgment and Decision Making: “In very general terms: (1) The more available an event is, the more frequent or probable it will seem; (2) the more vivid a piece of information is, the more easily recalled and convincing it will be; and (3) the more salient something is, the more likely it will be to appear causal.”

So, when faced with a very available and highly vivid event like 9/11 or the Virginia Tech shootings, we overreact. And when faced with all the salient related events, we assume causality. We pass the Patriot Act. We think if we give guns out to students, or maybe make it harder for students to get guns, we’ll have solved the problem. We don’t let our children go to playgrounds unsupervised. We stay out of the ocean because we read about a shark attack somewhere.

It’s our brains again. We need to “do something,” even if that something doesn’t make sense; even if it is ineffective. And we need to do something directly related to the details of the actual event. So instead of implementing effective, but more general, security measures to reduce the risk of terrorism, we ban box cutters on airplanes. And we look back on the Virginia Tech massacre with 20-20 hindsight and recriminate ourselves about the things we should have done.

Lastly, our brains need to find someone or something to blame. (Jon Stewart has an excellent bit on the Virginia Tech scapegoat search, and media coverage in general.) But sometimes there is no scapegoat to be found; sometimes we did everything right, but just got unlucky. We simply can’t prevent a lone nutcase from shooting people at random; there’s no security measure that would work.

As circular as it sounds, rare events are rare primarily because they don’t occur very often, and not because of any preventive security measures. And implementing security measures to make these rare events even rarer is like the joke about the guy who stomps around his house to keep the elephants away.

“Elephants? There are no elephants in this neighborhood,” says a neighbor.

“See how well it works!”

If you want to do something that makes security sense, figure out what’s common among a bunch of rare events, and concentrate your countermeasures there. Focus on the general risk of terrorism, and not the specific threat of airplane bombings using liquid explosives. Focus on the general risk of troubled young adults, and not the specific threat of a lone gunman wandering around a college campus. Ignore the movie-plot threats, and concentrate on the real risks.

This essay originally appeared on Wired.com, my 42nd essay on that site.

EDITED TO ADD (6/5): Archiloque has translated this essay into French.

EDITED TO ADD (6/14): The British academic risk researcher Prof. John Adams wrote an insightful essay on this topic called “What Kills You Matters—Not Numbers.”

Posted on May 17, 2007 at 2:16 PMView Comments

Is Penetration Testing Worth it?

There are security experts who insist penetration testing is essential for network security, and you have no hope of being secure unless you do it regularly. And there are contrarian security experts who tell you penetration testing is a waste of time; you might as well throw your money away. Both of these views are wrong. The reality of penetration testing is more complicated and nuanced.

Penetration testing is a broad term. It might mean breaking into a network to demonstrate you can. It might mean trying to break into a network to document vulnerabilities. It might involve a remote attack, physical penetration of a data center or social engineering attacks. It might use commercial or proprietary vulnerability scanning tools, or rely on skilled white-hat hackers. It might just evaluate software version numbers and patch levels, and make inferences about vulnerabilities.

It’s going to be expensive, and you’ll get a thick report when the testing is done.

And that’s the real problem. You really don’t want a thick report documenting all the ways your network is insecure. You don’t have the budget to fix them all, so the document will sit around waiting to make someone look bad. Or, even worse, it’ll be discovered in a breach lawsuit. Do you really want an opposing attorney to ask you to explain why you paid to document the security holes in your network, and then didn’t fix them? Probably the safest thing you can do with the report, after you read it, is shred it.

Given enough time and money, a pen test will find vulnerabilities; there’s no point in proving it. And if you’re not going to fix all the uncovered vulnerabilities, there’s no point uncovering them. But there is a way to do penetration testing usefully. For years I’ve been saying security consists of protection, detection and response—and you need all three to have good security. Before you can do a good job with any of these, you have to assess your security. And done right, penetration testing is a key component of a security assessment.

I like to restrict penetration testing to the most commonly exploited critical vulnerabilities, like those found on the SANS Top 20 list. If you have any of those vulnerabilities, you really need to fix them.

If you think about it, penetration testing is an odd business. Is there an analogue to it anywhere else in security? Sure, militaries run these exercises all the time, but how about in business? Do we hire burglars to try to break into our warehouses? Do we attempt to commit fraud against ourselves? No, we don’t.

Penetration testing has become big business because systems are so complicated and poorly understood. We know about burglars and kidnapping and fraud, but we don’t know about computer criminals. We don’t know what’s dangerous today, and what will be dangerous tomorrow. So we hire penetration testers in the belief they can explain it.

There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you’re going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I’m going to save you a lot of money by giving you this free penetration test: You’re vulnerable.

Now, go do something useful about it.

This essay appeared in the March issue of Information Security, as the first half of a point/counterpoint with Marcus Ranum. Here’s his half.

Posted on May 15, 2007 at 7:05 AMView Comments

1 15 16 17 18 19 21

Sidebar photo of Bruce Schneier by Joe MacInnis.