Distributed Security
A reader writes: "'Where Schneier had sought one overarching technical fix, hard experience had taught him the quest was illusory.' A long and detailed article at The Atlantic Online on why Bruce Schneier has come down from his strong cryptography tower to preach the gospel of small scale, ductile security against the popular approach of broad scale, often high tech security that often proves to be very brittle."
from the no-you-are-just-seeing-things-dept:
Oblivious writes, Even though you may think you have seen this on Slashdot before, you really haven't, the editors would catch it otherwise you see! People who submit worthy stories get rejected but those that submit old and worthless shit get through you see!
from the I-am-getting-really-annoyed-with-the-repeats-dept
Aggrivated writes, Editors, I have supported you on this in the past, now it is just out of hand. What is this, the third, fourth+ time this week that this has happened? It's fucking Tuesday morning boys. I am no longer in support of your lack of effort. This is now a job. Editors get in trouble for small mis-spellings. You should be fired for failure to do your job.
Ductility - the ability to fail gracefully - isn't just essential in the area of security, it's true for reliable systems generally. All programmers who've worked on stuff like Combat Systems for ships, aircraft avionics, railway control systems etc should know this, and most do.
There are 2 ways of making things secure - either against outside attack, or internal failure. I call them the Battleship and the Blob. With the Battleship, you load up the Firewall, or put in 2048-bit encryption, or even have an air gap. You basically rely on a layer of "armour plate" that your predicted threat can't penetrate. But this often fails - the threat either goes around the armour, or the incoming shell is bigger than you'd bargained for, and penetrates. Far safer in practice, though not in theory, is the Blob. This has layer after layer of safety features, each of which is easily circumvented in isolation, but every one of which limits the damage. Bugs can exist, attacks get through, but it works anyway. You can shoot the Blob full of holes, but it keeps on oozing along... Terminator 2 not Terminator 1.
What does this mean for programmers? Use strong typing (if your language doesn't support it, fake it with explicit sanity checks, boolean isSane()), always check inputs for sanity, check your outputs are plausible at least, get good peer review on everything, KISS, basically all the techniques professional Software Engineers rather than 31337 haXOrs have been spouting on about for some time. The software equivalent of "Wear belt, braces, keep a piece of string in your pocket, and then make sure your underwear's in good shape."
Zoe Brain - Rocket Scientist
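An added example (not from the comment above or from any project) of the "fake strong typing with isSane(), check inputs, check outputs are plausible" advice, using a hypothetical ship-heading command: a value type that refuses to exist in an insane state, plus an output cap so a bad command limits damage rather than sinking the ship. The 30-degree per-step bound is an assumed figure.

```python
from dataclasses import dataclass

MAX_TURN_PER_STEP_DEG = 30.0  # assumed plausibility bound for one control step


@dataclass(frozen=True)
class Bearing:
    """A compass bearing; is_sane() stands in for a strong type the language lacks."""
    degrees: float

    def is_sane(self) -> bool:
        # Explicit sanity predicate: a finite real number in [0, 360).
        # NaN fails the self-equality test, inf fails the upper bound.
        return (isinstance(self.degrees, float)
                and self.degrees == self.degrees
                and 0.0 <= self.degrees < 360.0)

    @classmethod
    def parse(cls, text: str) -> "Bearing | None":
        """Layer 1: parse untrusted text; refuse anything that is not a sane bearing."""
        try:
            value = float(text.strip())
        except (ValueError, AttributeError):
            return None
        candidate = cls(value)
        return candidate if candidate.is_sane() else None


def apply_heading_command(current: Bearing, raw_command: str) -> Bearing:
    """Layers 2 and 3: accept a new heading, but cap the change per step and
    re-check the output, so a bad input that slips past parsing still does
    bounded damage (the 'Blob' rather than the 'Battleship')."""
    requested = Bearing.parse(raw_command)
    if requested is None:
        return current  # insane input: hold course rather than guess
    # Shortest signed turn in (-180, 180]
    delta = ((requested.degrees - current.degrees + 180.0) % 360.0) - 180.0
    if abs(delta) > MAX_TURN_PER_STEP_DEG:
        delta = MAX_TURN_PER_STEP_DEG if delta > 0 else -MAX_TURN_PER_STEP_DEG
    new = Bearing((current.degrees + delta) % 360.0)
    assert new.is_sane()  # output plausibility check: never emit an insane value
    return new
```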
Technological solutions for social problems (like legislative ones) are only as good as their worst failure mode.
I'm tempted to write more in this /. comment but I think that idea is pretty deep. The article (for those who didn't want to read it all, I don't blame you) describes how Schneier came to realize this.
I believe one of our ex-presidents (LBJ perhaps) has a quote where he expresses the same idea about laws.
Unfortunately, the most effective solutions aren't always the ones chosen. Our current government seems to have no concept of the idea that you don't just have to "do something", you have to do the right "something".
Since /. readers are such a cynical and paranoid bunch, we can come up with all sorts of failure modes for today's "security". Imagine the dumb blank look that would appear on Ashcroft's face if you asked him "what if someone gets a copy of the fingerprint used in those biometric systems? will the federal government be paying for finger transplants?". Then after a few seconds the blank look will disappear, and the lies and bullshit would stream out.
Just like the TV talk shows. One intelligent guest will make a simple point ("what if they sharpen the edge of a credit card? isn't that more dangerous than a nail clipper?"), which to me would be an instant show-stopper, forcing me to stop and re-think the whole system, but then the other guests will pile the bullshit so high the point is quickly forgotten.
It makes you wonder if the legislators actually consulted any security experts (that weren't trying to sell something). Probably not.
The article brought up a good point about cryptosystems that depend on keeping the algorithm secret. Once that secret gets out, the security is hopelessly compromised. The Germans learned this the hard way in WWII.
I think this has a nice parallel to the entertainment industry's approach to DRM. The fiasco with DVD encryption is a perfect example. Once the format was broken, the genie was out of the bottle. Making laws to try and stuff the genie back in just will not work.
With the ever increasing number of people who try to break security protocols as a hobby, it seems that relying on secrecy to keep things safe is a recipe for disaster. The internet allows information to be distributed so quickly and widely that no secret will stay secret very long.
If the entertainment/software/etc industries continue to rely on their nonexistent ability to keep secrets, we will either have an overabundance of silly overbroad laws, or else the companies will falter and die. No matter how large and dedicated their tech geeks are, there is no way to match the vast number of hobbyist nerds trying to break stuff for fun.
<clip> "The trick is to remember that technology can't save you," Schneier says. "We know this in our own lives. We realize that there's no magic anti-burglary dust we can sprinkle on our cars to prevent them from being stolen. We know that car alarms don't offer much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people."</clip>
I haven't heard that story before. Can somebody point me to a source with more details?
Like Schneier says, a good sentry is one of the best additions to the security blanket. Trouble is, where do you find good sentries? Night watchmen are some of the worst paid employees on the payroll, and time and time again have been shown to miss the obvious attacks. It's repetitive, boring work that most people would hate.
The problem lies with the way the human brain operates. We evolved to match patterns as a survival skill. To pick out images from masses of almost random data. Is that a piece of ripe fruit on that tree over there? We are so good at it that we can see patterns in anything: faces in inkblots, or subtle "head and shoulders" movements in stock markets. Generating false positives is also a survival trait when it comes to looking for threats. Is that moving mass of lines the face of a tiger, or a snake? Better to be cautious and check it out.
But monitoring for exceptions is not a thing that humans are good at. Staring at production lines filled with identical chocolates looking for the one that isn't right, human eyes and brains fail at this task. What happens is that your pattern matching circuitry spots the wrong pattern: "these are all the same so there is no problem". Each new piece of incoming data confirms this and the brain goes to sleep (try it some time!).
At airport scanners the operators have to take very frequent breaks from studying the X-ray images of suitcases. On top of this, every 10 minutes or so, a bag is fed through that they should react to. Like they say, this keeps them on their toes, or put differently stops pattern matching saying "I already found the pattern, stop bothering me with new data". This approach is better but it is still too labour intensive.
IMHO the way forward lies in a combination of human and automatic scrutiny. The automatic part consists of filtering out the routine, leaving human eyes to sort out the final details. If a security system generates 1,000 alerts an hour it will be ignored. Making a more sophisticated system that cuts down the number of false alerts is usually expensive and as Schneier suggests more likely to weaken things by giving a false sense of security. If however, the system generates 1,000 alerts and flags up the 10 most suspicious for human eyes to look at in detail then you capture the best of both worlds. The smart piece is the algorithm that ranks the alerts as more or less interesting and this is where security experts make the difference.
What Schneier is suggesting is that human+machine monitoring of a smaller range of very specific inputs is better than automatic trawling of masses of nonspecific input.
Good article, well worth the read.
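An added example (not from the comment above or from any product) of the "1,000 alerts in, 10 flagged for human eyes" idea: the automatic layer scores a batch so that rules firing constantly in the batch count as routine, and the rare, high-impact alerts float to the top. The alert fields, weights and the sample batch are all constructed assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str          # detection rule that fired
    host: str
    severity: int      # 1 (info) .. 5 (critical), as assigned by the rule author
    crown_jewel: bool  # asset marked business-critical in an assumed inventory


def triage(alerts, top_n=10):
    """Rank a batch so humans look at the few alerts that are least routine.

    score = severity * asset weight * rarity, where rarity shrinks as the same
    rule fires more often in this batch. The 'smart piece' the comment
    mentions is exactly this ranking; swap in your own scoring as needed.
    Returns (score, alert) pairs, highest score first.
    """
    rule_counts = Counter(a.rule for a in alerts)
    scored = []
    for a in alerts:
        rarity = 1.0 / math.sqrt(rule_counts[a.rule])  # 200 identical alerts -> ~0.07 each
        asset = 3.0 if a.crown_jewel else 1.0
        scored.append((a.severity * asset * rarity, a))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored[:top_n]


# Constructed sample batch: 200 routine port-scan alerts plus a few rare ones,
# including the same routine rule firing on a critical host.
SAMPLE = [Alert("portscan", f"ws{i:03d}", 3, False) for i in range(200)]
SAMPLE += [
    Alert("new_admin_account", "dc01", 4, True),
    Alert("outbound_dns_tunnel", "ws042", 3, False),
    Alert("portscan", "dc01", 3, True),
]

if __name__ == "__main__":
    for score, alert in triage(SAMPLE, top_n=3):
        print(f"{score:6.2f}  {alert.rule:<20} {alert.host}")
```

The 200 routine scans all score the same and sink to the bottom; the two rare rules and the scan of the critical host are what the human sees.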
Bad technology that takes away human initiative is used in the US because the good people are too expensive and the cheap people are not reliable. Besides there is a perpetual labor surplus especially of the people who will work for cheap due to basically unrestricted immigration. And since so many of the immigrants come from non-Western European countries there will never be mass public support for paying them higher wages. Those are the facts that limit the effectiveness of security in the US, or the effectiveness of many other things.
There is an incredible article in this month's The Weekly Standard Patio Man and the Sprawl People. David Brooks' insight into the American psyche is that the American approach to problems is to move away, especially to move away from people who are different, to move to a community of similar people. Where people stay rooted such as the South there is open conflict. Where people move to new communities such as the suburbs there can be a facade of acceptance--until too many of the different people start to move in.
In recent years I have noticed an increasing chorus in the media extolling the virtues of Europe, its peacefulness, its openness. I feel a small nagging doubt similar to when I heard praise for Japan's system in the early 80s. In the case of Japan the Sony headed by Akira Morita is not the Sony of today, and in the case of Europe, it does not seem to be headed in the direction of the one long-lasting democracy on that continent--Switzerland. The vaunted EU hardly submits every question of importance such as the Euro to referendum, unlike Switzerland. And even more worrisome, the direction of Europe the past century has been continuous fissioning of countries, instead of Switzerland's keeping itself together despite populations natively speaking at least four different languages. Europe essentially murdered or expelled much of its Jewish population, it has not solved the Roma problem, and now Europe is struggling with Muslim immigration.
Even when European countries stay intact all is not well. Is not Italy's problem between north and south the same as the United States'?
Almost all conflict in the past couple of centuries can be summarized as the painful transition from agricultural serfdom to industrial society. A successful modern nation needs to actually pull off two incredible reformations, while most can't manage one. First agricultural serfdom has to be reformed so that small farmers own their land. Switzerland accomplished land reform in the 1800s, Japan had land reform imposed on it by General Douglas MacArthur during the Occupation because it was the only way to prevent a Communist insurrection. Once the land is put in the hands of a land-owning small farmer class there will be no danger of revolution. Sadly nations such as Russia have not accomplished just this one step over the past two centuries. Second, and perhaps paradoxically, the populace must in large part move to the cities and the power of the rural areas over the government must be diminished, for the rural areas tend to be more conservative and less willing to support reform.
Needless to say the vast majority of the nations on this planet have not successfully reformed themselves, twice. Thus there is an endless supply of refugees and endless labor surplus. Security remains far off and elusive.
So, security benefits from a strategy in which it fails gracefully, and is best implemented in small, easily manageable pieces?
And security also benefits from a reliance upon complex (human) intelligence instead of simplistic boolean concepts of success/fail?
Hmmm, doesn't that sound like just about every other kind of system in the world? Whether we're talking about how to build elegant systems that fail gracefully, or how to build systems that deliver what you want rather than what is easy, there are examples all around us.
However, if we look farther ahead we will see another set of problems. For example, a reliance upon humans to evaluate system performance (whether the system is a security system or a telephone network) is expensive and is also unreliable. One of the next steps is SPC - where we can provide tools to help the humans automate much of the drudgery of looking through gazillions of bytes of low-level information.
In recent years I have noticed an increasing chorus in the media extolling the virtues of Europe, its peacefulness, its openness. I feel a small nagging doubt
One of the key differentiators between the US and the EU is that the US has a far lower population density. And because of the conquest and genocide of the indigenous population, much of the land in the US was wide open and available for colonisation. As your referenced article points out, this led to the emergence of an "avoidance" strategy for handling social development in the US: just up stakes and move west, young man.
For the most part, Europeans don't have this luxury. The social networks that bind European societies are more complex and tightly knitted than US ones. It's related to how the sociologist Norbert Elias describes social interdependencies and the mannered society. European manners have evolved to handle large groups of sometimes wildly divergent peoples and cultures that must live intermingled with each other.
Da Blog