Podcast: Crypto-Gram 15 Aug 2005: People are the stronger point of security process.
Crypto-Gram 15 Aug 2005
from the August 15, 2005 Crypto-Gram Newsletter
by Bruce Schneier
* Profiling
Good security has people in charge, people are resilient, people can improvise, people are creative, people can develop on the spot solutions, ppl can detect attacker who cheat & can attempt to maintain security despite the fact tha attacker is cheating, ppl can detect passive failure, ppl are the stronger point of security process.
When a security system succeeds in the face of a new or coordinated or devastating attack, it's usually due to the efforts of people.
To profile is to generalize. It's taking characteristics of a population and applying them to an individual. People naturally have an intuition about other people based on different characteristics. Sometimes that intuition is right and sometimes it's wrong
1. Whenever you design a security system with two ways through - an easy way and a hard way - you invite the attacker to take the easy way.
2. If we are going to increase security against terrorism, the young Arab males living in our country are precisely the people we want on our side.
3. Despite what many people think, terrorism is not confined to young Arab males.
* Cisco and ISS Harass Security Researcher
Full disclosure is good for society. But because it helps the bad guys as well as the good guys, many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced.
Can see class-action suit against Cisco.
* E-Mail Interception Decision Reversed
Entertainment industry used to greatly expand copyright law in cyberspace. They argued that every time a copyrighted work is moved from computer to computer, or CD-ROM to RAM, or server to client, or disk drive to video card, a "copy" is being made...
* Stealing Imaginary Things
Every form of theft and fraud in the real world will eventually be duplicated in cyberspace.
* Turning Cell Phones off in Tunnels
this is to avoid cell phone to trigger bomb, but bomb can be triggered even with kitchen alarm. Communication availability is far more important.
* Searching Bags in Subways
Counterterrorism is most effective when it doesn't make arbitrary assumptions about the terrorists
* Plagiarism and Academia: Personal Experience
Schneier is surprised...if they were going to do this, wouldn't it have been smarter to pick a more obscure author?
* RFID Passport Security Revisited
The new design:
1. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip = passport-holder can control who has access to the information on the chip
2. A thin radio shield in the cover, protecting the chip when the passport is closed
* Risks of Losing Portable Devices
password protection and encryption
* How to Not Fix the ID Problem
more paperwork in order to get an ID
* Secure Flight
SA did not fully disclose to the public its use of personal information as required by the Privacy Act. TSA use of personal information drawn from commercial sources to test aspects of the Secure Flight program.
it's better to change the Privacy Act statement before violating the old one. Changing it after the fact just looks bad.
* Shoot-to-Kill
The most common type of bomb carried by a person has been the hand grenade.
When a shoot-to-kill policy is known to be in effect, that suicide bombers will use the same kind of dead-man's trigger on their bombs: a detonator that is activated when a button is released, rather than when it is pushed. This is a difficult one. Whatever policy you choose, the terrorists will adapt to make that policy the wrong one.
* Visa and Amex Drop CardSystems
The biggest problem with CardSystems' actions wasn't that it had bad computer security practices, but that it had bad business practices. It
time: 49:45
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0508.html
from the August 15, 2005 Crypto-Gram Newsletter
by Bruce Schneier
* Profiling
Good security has people in charge, people are resilient, people can improvise, people are creative, people can develop on the spot solutions, ppl can detect attacker who cheat & can attempt to maintain security despite the fact tha attacker is cheating, ppl can detect passive failure, ppl are the stronger point of security process.
When a security system succeeds in the face of a new or coordinated or devastating attack, it's usually due to the efforts of people.
To profile is to generalize. It's taking characteristics of a population and applying them to an individual. People naturally have an intuition about other people based on different characteristics. Sometimes that intuition is right and sometimes it's wrong
1. Whenever you design a security system with two ways through - an easy way and a hard way - you invite the attacker to take the easy way.
2. If we are going to increase security against terrorism, the young Arab males living in our country are precisely the people we want on our side.
3. Despite what many people think, terrorism is not confined to young Arab males.
* Cisco and ISS Harass Security Researcher
Full disclosure is good for society. But because it helps the bad guys as well as the good guys, many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced.
Can see class-action suit against Cisco.
* E-Mail Interception Decision Reversed
Entertainment industry used to greatly expand copyright law in cyberspace. They argued that every time a copyrighted work is moved from computer to computer, or CD-ROM to RAM, or server to client, or disk drive to video card, a "copy" is being made...
* Stealing Imaginary Things
Every form of theft and fraud in the real world will eventually be duplicated in cyberspace.
* Turning Cell Phones off in Tunnels
this is to avoid cell phone to trigger bomb, but bomb can be triggered even with kitchen alarm. Communication availability is far more important.
* Searching Bags in Subways
Counterterrorism is most effective when it doesn't make arbitrary assumptions about the terrorists
* Plagiarism and Academia: Personal Experience
Schneier is surprised...if they were going to do this, wouldn't it have been smarter to pick a more obscure author?
* RFID Passport Security Revisited
The new design:
1. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip = passport-holder can control who has access to the information on the chip
2. A thin radio shield in the cover, protecting the chip when the passport is closed
* Risks of Losing Portable Devices
password protection and encryption
* How to Not Fix the ID Problem
more paperwork in order to get an ID
* Secure Flight
SA did not fully disclose to the public its use of personal information as required by the Privacy Act. TSA use of personal information drawn from commercial sources to test aspects of the Secure Flight program.
it's better to change the Privacy Act statement before violating the old one. Changing it after the fact just looks bad.
* Shoot-to-Kill
The most common type of bomb carried by a person has been the hand grenade.
When a shoot-to-kill policy is known to be in effect, that suicide bombers will use the same kind of dead-man's trigger on their bombs: a detonator that is activated when a button is released, rather than when it is pushed. This is a difficult one. Whatever policy you choose, the terrorists will adapt to make that policy the wrong one.
* Visa and Amex Drop CardSystems
The biggest problem with CardSystems' actions wasn't that it had bad computer security practices, but that it had bad business practices. It
time: 49:45
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0508.html
posted by omarg at
8:00 AM
0 Comments:
Post a Comment
<< Home