Slashdot Mirror


Distributed Security

A reader writes: "'Where Schneier had sought one overarching technical fix, hard experience had taught him the quest was illusory.' A long and detailed article at The Atlantic Online on why Bruce Schneier has come down from his strong cryptography tower to preach the gospel of small scale, ductile security against the popular approach of broad scale, often high tech security that often proves to be very brittle."


  1. Re:Haven't we been here before? by garcia · · Score: 3, Insightful

    from the no-you-are-just-seeing-things-dept:

    Oblivious writes, Even though you may think you have seen this on Slashdot before, you really haven't, the editors would catch it otherwise you see! People who submit worthy stories get rejected but those that submit old and worthless shit get through you see!

    from the I-am-getting-really-annoyed-with-the-repeats-dept:

    Aggrivated writes, Editors, I have supported you on this in the past, now it is just out of hand. What is this, the third, fourth+ time this week that this has happened? It's fucking Tuesday morning boys. I am no longer in support of your lack of effort. This is now a job. Editors get in trouble for small mis-spellings. You should be fired for failure to do your job.

  2. Lessons for Programmers by aebrain · · Score: 5, Insightful

    Ductility - the ability to fail gracefully - isn't just essential in the area of security, it's true for reliable systems generally. All programmers who've worked on stuff like Combat Systems for ships, aircraft avionics, railway control systems etc should know this, and most do.

    There are 2 ways of making things secure - either against outside attack, or internal failure. I call them the Battleship and the Blob. With the Battleship, you load up the Firewall, or put in 2048-bit encryption, or even have an air gap. You basically rely on a layer of "armour plate" that your predicted threat can't penetrate. But this often fails - the threat either goes around the armour, or the incoming shell is bigger than you'd bargained for, and penetrates. Far safer in practice, though not in theory, is the Blob. This has layer after layer of safety features, each of which is easily circumvented in isolation, but every one of which limits the damage. Bugs can exist, attacks get through, but it works anyway. You can shoot the Blob full of holes, but it keeps on oozing along... Terminator 2 not Terminator 1.

    What does this mean for programmers? Use strong typing (if your language doesn't support it, fake it with explicit sanity checks, boolean isSane()), always check inputs for sanity, check your outputs are plausible at least, get good peer review on everything, KISS, basically all the techniques professional Software Engineers rather than 31337 haXOrs have been spouting on about for some time. The software equivalent of "Wear belt, braces, keep a piece of string in your pocket, and then make sure your underwear's in good shape."

    --
    Zoe Brain - Rocket Scientist
    1. Re:Lessons for Programmers by sphealey · · Score: 3, Interesting
      But this often fails - the threat either goes around the armour, or the incoming shell is bigger than you'd bargained for, and penetrates. Far safer in practice, though not in theory, is the Blob. This has layer after layer of safety features, each of which is easily circumvented in isolation, but every one of which limits the damage.
      Two problems: (1) in an actual organization, people need to get work done, and don't have an infinite amount of time to deal with security systems. This is easily seen at a nuclear power plant where Joe Operator can spend up to 25% of his (paid, presumably productive) workday dealing with security and access control mechanisms; (2) organizations don't have an infinite amount of money to spend on IT, either. Consider $250,000 spent on a 5-axis milling machine vs. the same amount spent on IT systems and their associated security requirements. Yes, the 5-axis machine is expensive, fussy, difficult to set up, and requires a lot of training. But once it is in and running, it works, generating a stream of profit for the organization. And while it requires maintenance from time to time, it doesn't suddenly explode, taking the entire customer list with it (say). Which may explain the sudden drop in IT investment in the last 2 years!

      sPh

  3. the most important point of the article by Dr.+Awktagon · · Score: 5, Insightful

    Technological solutions for social problems (like legislative ones) are only as good as their worst failure mode.

    I'm tempted to write more in this /. comment but I think that idea is pretty deep. The article (for those who didn't want to read it all, I don't blame you) describes how Schneier came to realize this.

    I believe one of our ex-presidents (LBJ perhaps) has a quote where he expresses the same idea about laws.

    Unfortunately, the most effective solutions aren't always the ones chosen. Our current government seems to have no concept of the idea that you don't just have to "do something", you have to do the right "something".

    Since /. readers are such a cynical and paranoid bunch, we can come up with all sorts of failure modes for today's "security". Imagine the dumb blank look that would appear on Ashcroft's face if you asked him "what if someone gets a copy of the fingerprint used in those biometric systems? will the federal government be paying for finger transplants?". Then after a few seconds the blank look will disappear, and the lies and bullshit would stream out.

    Just like the TV talk shows. One intelligent guest will make a simple point ("what if they sharpen the edge of a credit card? isn't that more dangerous than a nail clipper?"), which to me would be an instant show-stopper, forcing me to stop and re-think the whole system, but then the other guests will pile the bullshit so high the point is quickly forgotten.

    It makes you wonder if the legislators actually consulted any security experts (that weren't trying to sell something). Probably not.

    1. Re:the most important point of the article by dillon_rinker · · Score: 3, Interesting

      what if they sharpen the edge of a credit card? isn't that more dangerous than a nail clipper?

      Yup. Flint knapping is a not-unheard of hobby. Wonder if I could get a piece of deer antler and some rocks past a security guard. Or a CD - ever break one of those? How about a laptop computer? They're full of sheet metal, and you can make an expedient knife out of sheet metal.

    2. Re:the most important point of the article by Eddie+the+Jedi · · Score: 3, Insightful

      I believe one of our ex-presidents (LBJ perhaps) has a quote where he expresses the same idea about laws.

      This be the quote you're looking for:

      You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered.
      --
      The dog ate my .sig quote.
  4. Secrecy failure in the entertainment industry by dsconrad · · Score: 5, Insightful

    The article brought up a good point about cryptosystems that depend on keeping the algorithm secret. Once that secret gets out, the security is hopelessly compromised. The Germans learned this the hard way in WWII.

    I think this has a nice parallel to the entertainment industry's approach to DRM. The fiasco with DVD encryption is a perfect example. Once the format was broken, the genie was out of the bottle. Making laws to try and stuff the genie back in just will not work.

    With the ever increasing number of people who try to break security protocols as a hobby, it seems that relying on secrecy to keep things safe is a recipe for disaster. The internet allows information to be distributed so quickly and widely that no secret will stay secret very long.

    If the entertainment/software/etc industries continue to rely on their nonexistent ability to keep secrets, we will either have an overabundance of silly overbroad laws, or else the companies will falter and die. No matter how large and dedicated their tech geeks are, there is no way to match the vast number of hobbyist nerds trying to break stuff for fun.

  5. Interesting article. by ^MB^ · · Score: 4, Interesting

    Very long, but worth the time to read. I've been a big fan of Schneier since I read his book a few years ago.

    Best Article quote: "Cryptophiles, Schneier among them, had been so enraptured by the possibilities of uncrackable ciphers that they forgot they were living in a world in which people can't program VCRs."

    Perfect timing as I'm gearing up for CRYPTO 2002 at UCSB, YAY!

    -Nick

  6. The beef by jukal · · Score: 5, Insightful
    Is actually in the first sentence.

    <clip> "The trick is to remember that technology can't save you," Schneier says. "We know this in our own lives. We realize that there's no magic anti-burglary dust we can sprinkle on our cars to prevent them from being stolen. We know that car alarms don't offer much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people."</clip>

    1. Re:The beef by Spunk · · Score: 3, Funny

      The Club at best makes burglars steal the car next to you.

      Well, that sounds to me like it works perfectly.

  7. RSA Wars by DarkHelmet · · Score: 5, Funny
    During the 1990s Schneier was a field marshal in the disheveled army of computer geeks, mathematicians, civil-liberties activists, and libertarian wackos that--in a series of bitter lawsuits that came to be known as the Crypto Wars

    Luke: You were in the Crypto Wars?

    Schneier: I was once an RSA Knight like your father. He was the best Composite Factorer in the whole galaxy... I see you have written programs that factor large numbers yourself. He was a good friend. Before the Dark Times, before The Empire.

    Luke: What happened to my father?

    Schneier: A young RSA Knight by the name of Len Adleman betrayed and murdered your father. Adleman was seduced by the Dark Side of the Force

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  8. A driver's license without picture or signature? by richard-parker · · Score: 3, Insightful
    The article briefly mentions the following:
    A few years ago Schneier devoted considerable effort to persuading the State of Illinois to issue him a driver's license that showed no picture, signature, or Social Security number.
    I haven't heard that story before. Can somebody point me to a source with more details?
  9. Read Ross Anderson's work by Camillo · · Score: 5, Informative
    Bruce's "enlightenment" is of course a good thing, and he is brilliant in his way of presenting security issues for the masses. However, security engineering is far from a new field, and many of the principles are well established.

    Take a look at Ross Anderson's home page, read a few of his classics like "Why Cryptosystems Fail", "Programming Satan's Computer" and "The Cocaine Auction Protocol".

    Ross' book "Security Engineering - A Guide to Building Dependable Distributed Systems" should be mandatory reading for anyone who writes code for networked computers - no matter what kind of computers.

    I feel that one of the biggest threats to Internet security today is the inability to learn from history. That is, after all, at the core of the engineering arts and sciences.

  10. The Trinity of Authentication by dido · · Score: 5, Informative

    What Schneier actually advocates in the article is the use of at least two of these three layers for doing user authentication: something you know (e.g. a password), something you have (e.g. a smart card or other secure token), and something you are (biometrics falls into this rubric). Depending on only one is necessarily weak, but even two of the three taken together would be strong indeed. For instance, a website that uses not only username/password pairs for authentication, but lives on SSL *and* requests client-side certificates from any browser that wishes to visit the protected page, uses both something you know (your username and password) and something you have (the computer where the browser with the client-side certificate is installed, or better yet if the cert lives on a smart card). THAT would make Schneier's Parable of the Dirty Website fail utterly without extra work: without the client-side cert, the web page wouldn't even serve the username/password page to you. Fine, the password is compromised because the employee used the same password to surf for porn, but since access to the certificate is limited to the computer where it's installed, or the smart card possessed by the employee, no dice unless you can also steal the smart card and/or computer. Even better would be to provide biometric authentication for the secured computer, so you'd then have to steal the fingerprint or retinal scan or whatnot as well to break the system.

    It can be done of course, but it would require contortions worthy of Sneakers.

    The whole article actually feels like a distillation of the last six months of the Crypto-Gram newsletter.

    --
    Give me six lines written by the hand of the most honest man, and I will find in them enough to have him hanged.
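
Added example, not part of the comment above: a sketch of the two-factor gate that comment describes, where the TLS layer demands a client certificate before any password check runs. The user table, the certificates, the function names and the rule that the certificate's commonName must equal the username are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import ssl

def make_server_context(require_client_cert=True):
    # CERT_REQUIRED aborts the TLS handshake when no valid client certificate
    # is presented, so the login form is never served to that browser.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    # A deployment would also call ctx.load_cert_chain() and
    # ctx.load_verify_locations() with its own CA; omitted to stay offline.
    return ctx

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def cert_common_name(peer_cert):
    # peer_cert has the shape returned by ssl.SSLSocket.getpeercert():
    # None or {} when no verified certificate is available.
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authenticate(peer_cert, username, password, users):
    cn = cert_common_name(peer_cert)
    if cn is None:
        return "denied: no client certificate"        # something you have
    record = users.get(username)
    if record is None or cn != username:              # assumed binding: CN == username
        return "denied: certificate not bound to account"
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied: bad password"                 # something you know
    return "ok"

# Constructed sample data (hypothetical user and certificates).
_salt = os.urandom(16)
USERS = {"alice": {"salt": _salt, "hash": hash_password("reused-pw", _salt)}}
ALICE_CERT = {"subject": ((("commonName", "alice"),),)}
MALLORY_CERT = {"subject": ((("commonName", "mallory"),),)}

if __name__ == "__main__":
    print(authenticate(None, "alice", "reused-pw", USERS))          # leaked password alone
    print(authenticate(MALLORY_CERT, "alice", "reused-pw", USERS))  # someone else's token
    print(authenticate(ALICE_CERT, "alice", "reused-pw", USERS))    # both factors
```

Binding the certificate identity to the account is what keeps a valid certificate issued to one employee from being paired with another employee's leaked password.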
  11. Funny, coming at the same time as the PGP vuln. by Styx · · Score: 3, Informative

    Schneier et al just released a paper about a PGP/GPG vulnerability. This vulnerability relies on the PGP user not being paranoid, and doing something that's not too smart.

    So, once again, you're only as secure as the weakest link, which is often the user...

    --
    /Styx
  12. Europe's greater population density is the key by meehawl · · Score: 4, Insightful

    In recent years I have noticed an increasing chorus in the media extolling the virtues of Europe, its peacefulness, its openness. I feel a small nagging doubt

    One of the key differentiators between the US and the EU is that the US has a far lower population density. And because of the conquest and genocide of the indigenous population, much of the land in the US was wide open and available for colonisation. As your referenced article points out, this led to the emergence of an "avoidance" strategy for handling social development in the US: just up stakes and move west, young man.

    For the most part, Europeans don't have this luxury. The social networks that bind European societies are more complex and tightly knitted than US ones. It's related to how the sociologist Norbert Elias describes social interdependencies and the mannered society. European manners have evolved to handle large groups of sometimes wildly divergent peoples and cultures that must live intermingled with each other.

    --

    Da Blog