Bruce Schneier on Security Tradeoffs
Anonymous Smile writes "Business Week has an interview with Bruce Schneier on his new book 'Beyond Fear.' He talks about the tradeoffs we've made in the name of increased security. (hint: we've done a poor job so far) Bruce furthers his tradition of being accessible by the non-technical crowd."
Q: You have been critical of efforts to better secure the U.S. and the world in the wake of September 11. What do you think are the biggest mistakes we've made in those efforts?
A: I think the biggest mistake is that we've made policy decisions while scared. We've passed laws that are expensive, both in terms of money and fundamental liberties, without giving us a corresponding increase in actual security. In other words, we've made bad security tradeoffs.
Hopefully some bright men in the EU parliament will consider the laws passed in the USA before they blindly try to copy them into laws applying in European countries.
Turkeyphant
Security will never be a solved problem, because people are involved. No matter how secure a system is from a technical standpoint, people can ALWAYS circumvent it. It is a mathematical fact. But we can improve immensely, and that is the point of Bruce's book.
Bruce states that the only two measures to do any help are the reinforcement of the cockpit doors and the teaching of passengers to fight back. Citizens of the US for the most part do not want to be bothered with their own security. It is the same with handguns. I own one and believe I have every right to do so. Citizens need to stand up for themselves and be prepared to defend themselves and those close to them. The government and police cannot be everywhere all the time, not that that would be good either. When you are in your home or a plane it will take some time for the protection services to show up. There is a window of 2 minutes to 2 hours where each person may be called upon to defend themselves.
But we're still better off talking and thinking about it, and consciously making those tradeoffs than just sticking our heads in the sand. These domestic security issues are also so fundamentally visible that they _are_ subject to feedback and criticism by the public - unlike obtuse IRS regulations, the absurdity of, for example, flagging every flyer with a one-way ticket for special security treatment, is eminently visible to every frequent business traveler. And thus there are a lot of us to whine, bitch and complain until something gets done about it.
I'm much more worried about the invisible stuff than the visible stuff (like nail clippers being banned from planes). The invisible stuff is the pressure exerted on ISPs, credit card companies, technology organizations, encryption researchers, etc. to "help combat terrorism" by reducing security, or opening and releasing personal information to the government. Because, doncha know, "hackers" are terrorists. What's a hacker? Well, you know, those "cybercriminals". And "identity thieves". And you never know who might be doing those things. And maybe tax evaders are also helping the terrorists - aren't they avoiding funding our fabulous military? And what about drug users - well, clearly, they are supporting terrorists, I mean, we saw the government make those claims in ads on TV.
That "with us or against us" attitude combined with the power of overreaching legislation like the Patriot Act makes me queasy about who or what comes next behind the scenes - the security we don't see at the airport, or in city hall, or on the streets during a festival or parade, and that does give me cause to worry. I don't have a perfect solution, other than that we, the technologically aware and literate, need to push our causes more, be more politically organized, and make sure that some portion of the citizenry is watching what the government is doing, and that we do a better job of getting that word out to the mass media, and to politicians.
Well, I actually find it describes my attitude about things. Yes, I lock my doors and have very tight firewall rules, but this part is important:
"I'd rather accept the slight risk of attack than constantly live in fear."
--Drunk as in Beer
I remember the days when I travelled via plane to Canada and the US, with my Swiss Army knife in my pocket. Fat chance of that ever happening again, and I can live with that, I suppose. But nail clippers, matches, and lighters? Does any of this strike anyone as paranoid to the point of absurdity?
The ironic thing is that any determined terrorist will find a way to do what they need, without having to resort to any of the banned items. Do you want to threaten someone with a dangerous object? There are many devices other than metal knives that will do the job. Want to set fire to something on a plane? The whole chemical world abounds with ways to ignite things. Want to clip your nails on a plane? Hey, any smart terrorist can find a way to make sure their nails are decently manicured before they hijack the transport they're on.
Let's face it. Security is not provided, in any way, by banning a whole bunch of little items. It is just a panacea for a nervous public, looking for action after some very troubling events. It is there to bolster confidence by providing a false sense of security. Succinctly, it's a PR exercise.
A colleague of mine who works for Kryptonite says in response to every smart ass (who has the great lock-breaking solution) that, with security, money is only buying you "time and noise". In other words, any determined thief will get in. The price we pay is to delay him and make it noisy to get in.
How confident do you feel about visiting all the mosques in your city to speak with lots of Muslim people about their faith? (an activity that's harmless, but may cause you to be added to various agencies' watchlist)
How about participating in non-violent activist groups? (anti-war protestors have been placed on a "no fly list")
How about being critical of your government in a highish-profile way?
All sorts of groups are being classed as "potential threats" these days. You'd be surprised at some of them.
Also, many of the post-911 laws have been passed with no sunset clause. Legislation generally requires significant effort to be removed from the books when it is no longer needed. Whilst we have (arguably, relatively) benign governments, people are unconcerned ("their power will only be used for good!"), but if an extremist government came to power, all the legislative infrastructure is there to establish a repressive state in no time at all.
You know, it's interesting to take those comments in a computer-security context. Compromised machines are often used to send spam, conduct DDoS attacks, and otherwise wreak havoc on the Internet -- many of them compromised by script kiddies, the "crystal-meth users" of the Internet. It seems odd then that while the average gun owner knows to take at least basic security precautions with his/her weapon, the average computer owner isn't even aware that a broadband internet connection can be used as a weapon.
How can user awareness be raised? Hell if I know. But it needs to be done: right now the Internet is like a row of houses where 90% have a loaded AK-47 lying on the front doorstep.
They've completely lost sight of the fact that the FBI, CIA, etc. have been well known (internationally as well as locally) for their less-than-ethical ways of doing "business".
You know, the "power corrupts" comment is fairly common, but I think the issue is more complicated. Power certainly does corrupt a lot of people, but I don't think organizations like the FBI or CIA seek legislation like the Patriot Act because they are power hungry. They do it to make their job easier. Youth curfews, for example, are usually supported/sought by local police departments because it is easier for them if they can just tell a group of kids to go home. Some groups of kids will get into trouble if left unsupervised, but catching them in the act is tricky. So rather than try to catch individual acts of vandalism (or whatever), they would prefer to just keep all juveniles off the street.
Now, the argument should be whether we should allow them to make their jobs easier, and you have to address this issue on a case-by-case basis. I think most people would agree that not allowing weapons on board aircraft is a reasonable measure. However, I think most would agree that overarching legislation like the Patriot Act is certainly not reasonable. Both make the jobs of the enforcing agencies easier. But one is simply a deterrent, and the other allows for circumvention of judicial controls, like due process.
The problem is, a lot of enforcement agencies see due process as a hurdle they have to cross to catch criminals. Criminals can get away because you don't have a search warrant, or you don't have a wiretap warrant, or the evidence isn't sufficient.... In other words, you can't just look at somebody and say "I think he might be up to something" and throw him in jail. I think it is important for law enforcement agencies (and legislators) to realize that due process is important because, yes, people do make mistakes, and suspicious-looking activity can be legitimate. So as for my original point, no, I don't think this is just about a power struggle.