Tuesday, July 7, 2009

Podcast: Crypto-Gram 15 May 2007: the threat is no longer Big Brother, but instead thousands of Little Brothers.

from the May 15, 2007 Crypto-Gram Newsletter
by Bruce Schneier

* A Security Market for Lemons

I use PGPdisk, but Secustick sounds even better: It automatically erases itself after a set number of bad password attempts. The company makes a bunch of other impressive claims: The product was commissioned, and eventually approved, by the French intelligence service; it is used by many militaries and banks; its technology is revolutionary.

Unfortunately, the only impressive aspect of Secustick is its hubris, which was revealed when Tweakers.net completely broke its security. There's no data self-destruct feature. The password protection can easily be bypassed. The data isn't even encrypted. As a secure storage device, Secustick is pretty useless.

In 1970, American economist George Akerlof wrote a paper called "The Market for 'Lemons,'" which established asymmetrical information theory. He eventually won a Nobel Prize for his work, which looks at markets where the seller knows a lot more about the product than the buyer.

A used car market includes both good cars and lousy ones (lemons). The seller knows which is which, but the buyer can't tell the difference -- at least until he's made his purchase. I'll spare you the math, but what ends up happening is that the buyer bases his purchase price on the value of a used car of average quality. This means that the best cars don't get sold; their prices are too high. Which means that the owners of these best cars don't put their cars on the market. And then this starts spiraling. The removal of the good cars from the market reduces the average price buyers are willing to pay, and then the very good cars no longer sell, and disappear from the market. And then the good cars go, and so on until only the lemons are left.

In a market where the seller has more information about the product than the buyer, bad products can drive the good ones out of the market.

Solution: a signal, a way for buyers to tell the difference.
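The spiral Schneier skips the math for can be run as a small simulation. This is an added example, not code from the essay or the podcast; the product names, quality scores and the "premium" knob (how much buyers value quality) are constructed assumptions, and the "signal" flag models the proposed solution by letting the buyer see each product's true quality.

```python
"""Akerlof's market for lemons applied to security products (constructed example)."""

from statistics import mean

# Constructed catalogue: (product name, true quality known only to the vendor).
PRODUCTS = [
    ("lemon-stick", 1.0),
    ("weak-vault", 2.0),
    ("ok-disk", 3.0),
    ("solid-disk", 4.0),
    ("audited-disk", 5.0),
]


def lemons_market(products, premium=1.0, signal=False):
    """Iterate the unraveling described in the text.

    Each round the buyer, unable to tell products apart, offers
    premium * (average quality of whatever is currently on offer).
    Vendors whose product is worth more than that offer withdraw it,
    which lowers the average, and so on until nobody withdraws.
    With a signal the buyer observes each product's quality, prices it
    individually, and nothing is withdrawn.
    Returns (products still on offer, number of rounds run).
    """
    on_offer = list(products)
    if signal:
        # Perfect signal: every vendor is paid at least its own valuation,
        # so every product sells and the market never unravels.
        return on_offer, 0
    rounds = 0
    while on_offer:
        offer = premium * mean([q for _, q in on_offer])
        remaining = [(n, q) for n, q in on_offer if q <= offer]
        rounds += 1
        if len(remaining) == len(on_offer):
            break  # fixed point: nobody else leaves
        on_offer = remaining
    return on_offer, rounds


if __name__ == "__main__":
    for premium in (1.0, 1.5):
        left, rounds = lemons_market(PRODUCTS, premium)
        print(f"premium={premium}: after {rounds} rounds only "
              f"{[n for n, _ in left]} remain")
    left, _ = lemons_market(PRODUCTS, signal=True)
    print(f"with a signal: {[n for n, _ in left]} all sell")
```

With premium 1.0 only the lemon survives; with Akerlof's 1.5 the market unravels part way and stops, while the signal keeps every product on sale.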

* Is Big Brother a Big Deal?

the threat is no longer Big Brother, but instead thousands of Little Brothers.

* More on REAL ID

As currently proposed, Real ID will fail for several reasons. From a technical and implementation perspective, there are serious questions about its operational abilities both to protect citizen information and resist attempts at circumvention by adversaries. Financially, the initial unfunded $11 billion cost, forced onto the states by the federal government, is excessive. And from a sociological perspective, Real ID will increase the potential for expanded personal surveillance and lay the foundation for a new form of class segregation in the name of protecting the homeland.

* Least Risk Bomb Location

Least Risk Bomb Location (LRBL): the place on an aircraft where a bomb would do the least damage if it exploded
All planes have a designated area where potentially dangerous packages should be placed. Usually it's in the back, adjacent to a door. There are a slew of procedures to be followed if an explosive device is found on board: depressurizing the plane, moving the item to the LRBL, and bracing/smothering it with luggage and other dense materials so that the force of the blast is directed outward, through the door.

• Social Engineering Notes

Here's someone's story of social engineering a bank branch: "I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk. 'Hello,' I say. 'John Doe with XYZ Pest Control, here to perform your pest inspection.' I flash her the smile followed by the credentials. She looks at me for a moment, goes 'Uhm… okay… let me check with the branch manager…' and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access. It does."

• Is Penetration Testing Worth It?

Given enough time and money, a pen test will find vulnerabilities; there's no point in proving it. And if you're not going to fix all the uncovered vulnerabilities, there's no point uncovering them. But there is a way to do penetration testing usefully. For years I've been saying security consists of protection, detection and response--and you need all three to have good security. Before you can do a good job with any of these, you have to assess your security. And done right, penetration testing is a key component of a security assessment.
I like to restrict penetration testing to the most commonly exploited critical vulnerabilities, like those found on the SANS Top 20 list. If you have any of those vulnerabilities, you really need to fix them.

• Do We Really Need a Security Industry?

IT security is getting harder -- increasing complexity is largely to blame -- and the need for aftermarket security products isn't disappearing anytime soon. But there's no earthly reason why users need to know what an intrusion-detection system with stateful protocol analysis is, or why it's helpful in spotting SQL injection attacks. The whole IT security industry is an accident -- an artifact of how the computer industry developed. As IT fades into the background and becomes just another utility, users will simply expect it to work -- and the details of how it works won't matter.


time 41:10
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0705.html
