Wednesday, July 1, 2009

Podcast: Crypto-Gram 15 August 2006: Doping testing can go back in time.

from the August 2006 Crypto-Gram Newsletter
by Bruce Schneier

* Last Week's Terrorism Arrests

None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests.

It was a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot.

* Remote-Control Airplane Software

"'A hijacker would have no chance of reaching his goal,' it said."

Unless his goal were, um, hijacking the aircraft.

It seems to me that by designing remote-control software for airplanes, you open the possibility for someone to hijack the plane without even being on board. Sure, there are going to be computer-security controls protecting this thing, but we all know how well that sort of thing has worked in the past.

"The system would be designed in such a way that even a computer hacker on board could not get round it."

But what about computer hackers on the ground?

* Doping in Professional Sports

Drug testing is a security issue. Various sports federations around the world do their best to detect illegal doping, and players do their best to evade the tests. It's a classic security arms race: improvements in detection technologies lead to improvements in drug detection evasion, which in turn spur the development of better detection capabilities. Right now, it seems that the drugs are winning; in places, these drug tests are described as "intelligence tests": if you can't get around them, you don't deserve to play.

But unlike many security arms races, the detectors have the ability to look into the past. Last year, a laboratory tested Lance Armstrong's urine and found traces of the banned substance EPO. The urine sample tested wasn't from 2005; it was from 1999. Back then, there weren't any good tests for EPO in urine. Today there are, and the lab took a frozen urine sample -- who knew that labs save urine samples from athletes? -- and tested it.

Doping testing can go back in time.

This has two major effects:

1) Doctors who develop new performance-enhancing drugs may know exactly what sorts of tests the anti-doping laboratories are going to run, and they can test their ability to evade drug detection beforehand. But they cannot know what sorts of tests will be developed in the future.

2) Athletes accused of doping based on years-old urine samples have no way of defending themselves. They can't resubmit to testing; it's too late. If I were an athlete worried about these accusations, I would deposit my urine "in escrow" on a regular basis to give me some ability to contest an accusation.

* iPod Thefts

Rise in crime blamed on iPods.
This shouldn't come as a surprise, just as it wasn't a surprise in the 1990s when there was a wave of high-priced sneaker thefts. Or that there is also a wave of laptop thefts.

What to do about it? Basically, there's not much you can do except be careful. Muggings have long been a low-risk crime, so it makes sense that we're seeing an increase in them as the value of what people are carrying on their person goes up. And people carrying portable music players have an unmistakable indicator: those ubiquitous ear buds.

* Security Certifications

I've long been hostile to certifications -- I've met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I've come to believe that, while certifications aren't perfect, they're a decent way for a security professional to learn some of the things he's going to know, and a potential employer to assess whether a job candidate has the security expertise he's going to need to know.

* A Month of Browser Bugs

31 days, and 31 hacks later, the blog lists exploits against all the major browsers:

Internet Explorer: 25
Mozilla: 2
Safari: 2
Opera: 1
Konqueror: 1

My guess is that he could have gone on for another month without any problem, and possibly could produce a new browser bug a day indefinitely.

* Updating the Traditional Security Model

Dave Piscitello made a fascinating observation. Commenting on the traditional four-step security model:

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)

"This model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user. So let's prepend 'admissibility' to your list."

length: 20:57m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0608.html
