Bruce Schneier on What He Knows Best
Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.
to his website.
I have over 70 freaks, do you?
I, for one, welcome our new secret cryptographic overlords. Oops, I wasn't supposed to tell you about this.
If it can possibly lessen the likelihood of a terrorist attack, I'm in full support.
That sounded too much like SCO Magazine :)
Paranoia paranoia
Everybody's coming to get me
Just say you never met me
I'm going underground with the moles
Hear the voices in my head
I swear to god it sounds like they're snoring
But if you're bored then you're boring
The agony and the irony, they're killing me
I'm not sick but I'm not well
And I'm so hot 'cause I'm in hell
I'm not sick but I'm not well
This is a stupid term. It is now 2003 in case anyone is checking their calendars. Can we come up with a better term than something invented on Fox?
Laws are for people with no friends.
it takes an "expert" to tell you this? ..
man, I must be better than I thought
I often wonder why it has to be this way. Wouldn't it be just as logical to make the two play nice? Perhaps if the two fields worked more closely they could actually learn something from each other.
I can see all of the glazed eyeballs out there as you tell folks that they need to learn about firewalls and computer security, etc. Some folks just don't want to be bothered.
Random thought - with the decline of things like boot disk viruses, etc., the best security most folks can understand is that they are safe so long as they are not on the internet.
"It is a greater offense to steal men's labor, than their clothes"
Whereas I will be flamed into Hades for suggesting, just suggesting, that "Actually, technology usually IS the solution": Social engineering is the least of your worries. Cryptography, authentication et cetera create the need for social engineering: if you leave the computers without passwords and the serviceman's door unlocked, you can't worry about whatever-you're-protecting being unprotected from social engineering, bribery, and whatnot. Y'know why? What industrial spy (as an example) is going to bribe the guards when he can telnet?
it should be Straits Times - need morning coffee. of course
Is it okay to put a "T" in one upsmanship?
It's a serious question. I saw somebody in the comments on Bruce's article was talking about "one upt" and I'm curious whether that's an acceptable variation on "one up."
we changed the admin password of a colleague's Win2k machine who'd forgotten his password. But we also reminded ourselves just how important is physical security.
Cringely put out an article (Changing the Game: How to Save the World by Taking Back Control of Our Data) a week or so back emphasizing security through recording all activity in any given IT infrastructure. Cryptographic techniques may be great, but social engineering, cracked buffer overflows, and short-sighted or stupid actions can always leave some crucial data exposed.
Rather than throwing your hands up when you've found you've left data exposed, or you've discovered some insider has been poking around documents they shouldn't be looking at, you should be able to track down all access to all information at all layers of your infrastructure. You hopefully can uncover traces of specific incidents, find any other similar unnoticed events that are now part of history, and find the culprits.
So logging and log analysis are key to securing any site. You need to log:
... and you need to do it in a way where you can correlate information from all these disparate sources to uncover patterns of abuse. Cringely mentions that Addamark (he calls them the next "Oracle") is the first company with a viable solution for storing and analyzing the massive logs involved. I've looked at their site, does anybody know anything about this product? Sounds very useful.
He also gave an interview on Minnesota Public Radio covering similar topics on September 29. Follow the link for a RealMedia archive.
Behind every great fortune there is a crime
logging is a good solution, however, it can lead to a slow-down of the services your server provides.
Just a couple of weeks ago I started logging our SQL server. Somebody was breaking in somehow and I wanted to see if they were able to get into our DB. The entire server froze due to the huge amount of traffic; Win2k couldn't handle it.
Of course that's probably the problem; we are running Win2k.
Yeah, logs are good. Prison sentences are good, too. But they are all after the fact.
For my own part, postmortems aren't nearly as important to me as preventative measures. But that's just me.
--Richard
I make a weekly trip to put our tape backups into a safety deposit box at a nearby bank. For $35/year, we get bank-level security and convenient off-site storage.
For the two years I've been doing this, I've had a small, running battle with the president of the branch, who wants to enforce a rule that all use of safety deposit boxes must be done in the booths provided for privacy; presumably, he wants to avoid any appearance of, or liability for, the bank employee knowing what's in my safety deposit box. However, switching the tapes in the box can be done in 5 seconds right there, whereas taking a booth makes it a 2 minute affair. The tellers all know me, so they let me do it right there, except for the couple of weeks after a stern policy memo has been issued.
The reason I don't sacrifice another 1 minute, 55 seconds, is because I don't care that the tellers know--they'd figure something out with my weekly trips anyway. But the real crux is that, putting the tape backups into a safety deposit box makes it one of the strongest links in the security chain. The server room door is always locked, the servers logged off, etc. The weakest link now is that a competitor would offer one of my employees $20,000 to sneak the tape backups out one night. In comparison, the cost of breaking into a safety deposit box, removing the tapes, and returning them after copying, all undetectably, would be in the hundreds of thousands of dollars, if it could be done at all. They can't bribe a teller because the bank has only one of two keys for my box--when I've forgotten my key, I'm SOL.
This is what Schneier means by system security. Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
( ... hey I never do anyway!) can I guess that Bruce says something like:
"Technological solutions don't work for human problems. 9/11, Bush, P2P vs. RIAA are human problems. Cryptography can't help you here either, so look elsewhere. "
Just a hunch.
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
After reading this article, it led me to believe this is how the Half-Life game was stolen, when a software developer forgot to lock his door. Somehow the cleaner (who loved the game), or anyone, got in and stole it.
:)
:)
Or Social engineering:
You take the Half-Life developer to a bar and hopefully he reveals his secret to those people.
No wonder: it's a physical security problem, not a computer security problem.
"You need to log:... disk I/O"
Isn't that recursive?
I just want to put on file that I put on file that I put on file that I put on file that I put on file that I put on file that I saw somebody read a file on disk. Damn, now I need to report myself.
I thought Jaws and Seaquest DSV were pretty cool. I had no idea he was a security expert too. Wow, these Hollywood people sure keep it quiet...
Mr. Schneier contrasts problems of physical security with IT security throughout his article and emphasizes that in both domains criminals and terrorists will, at times, hit their mark. (He also implies losses to crime are greater than losses to terror, and that society emphasizes the terror while neglecting sensible countermeasures to crime -- but that's beside the point I want to make here).
In the physical world criminals always leave tracks. Fingerprints, footprints, bodily fluids, DNA, personal effects, the air they breathe, traces from tools of their trade, etc. Sometimes the criminal is smart and leaves so few of these clues, or they're so undetectable or indistinguishable from the background (e.g., the air they breathe), that they get away. But at least in the physical world forensic experts can resort to physical evidence to track down the perps and extract justice or revenge.
Mr. Schneier complains that the physical security types take ineffective measures to prevent damage in the physical world and could learn a thing or two about mitigating risk from the IT community. (Confiscating those nail clippers from grandma isn't going to prevent a hijacking!) But I think Mr. Schneier is short-sighted too, and the IT security people haven't learned yet that gathering evidence in the electronic world is key! You need to lay down the dust to track electronic footprints through the network. Your electronic gated community isn't going to keep out everyone, and logs are the dust in which cybercriminals leave their footprints! If you don't collect and analyze your logs, you're just left with 500,000 stolen credit card/social security numbers and the air they breathed.
It has come to our attention that your moniker is valid only in the United States. The rest of the world properly refers to September 11th as 11/9. Not quite as catchy, huh? Be glad that you exist only in the United States.
American,
Gladiator
P.S. The 911 emergency response service will see you in court soon!
And the best quote on the article regarding those kinds of databases:
"Definitely. Terrorism is rare, while crime is common. Security systems that require massive databases in order to function--TIA, CAPPS 2--will make crime easier. They'll make identity theft easier. They'll make illegal government surveillance easier. They'll make it more likely that rogue employees of the governments and corporations that maintain the systems will use the data for their own purposes. In the United States, there isn't a government database that hasn't been misused by the very people entrusted with keeping its information safe. IRS employees have perused the tax records of celebrities and friends. State employees have sold driving records to private investigators. This kind of thing happens all the time."
// Agent Green (Ian / IU7 / KB1JQO)
// IEEE 802.3: All 10base Are Belong To Us
Parent is a known troll who uses his karma to post trolls and flamebait at +2.
Ok, so lots of valuable company data is moved from your facility to a bank by an employee on a weekly basis? I think the weakest link in the chain is you. I'm just saying, what's to stop someone from taking the tapes from you in transit? Sure the bank has good security (cameras, security guards, a vault), and your company most likely has good security too, but when you're in transit couldn't someone stop you and take the tapes from you (by force if needed)? Just out of curiosity, are there any backup software packages (like something made by Veritas or Computer Associates) that will not only compress data before backup but also encrypt it?
(No, I didn't RTFA. Why do you ask?)
My other car is a 1984 Nark Avenger.
Stupidsecurity.com, linked to from within the article, has been slashdotted. This proves that slashdotters *do* read articles after all!
SCO magazine - your impartial word of reason in the world of Linux/Unix controversy. Subscribe today!
This is the guy who, after the last Windows worm, said that maybe it's time that internet users should have to have a license. Was he joking? The journalist certainly wasn't.
You are only as secure as your weakest link.
and your weakest link is normally a human being.
Some cryptography can't be cracked in a reasonable time-frame.
Humans can be.
and some, quite easily.
These people make a living off bugs and flaws. If they say "security in Windows 2023 is tight" then that's Symantec and friends out of work. This guy won't be selling books to anyone. Yeah, there will always be bugs, but if they stop being headline news, budgets and thinking move to other things. It's in their interest to create perceived problems and/or hype things, make sure security stays a headline.
How many times was 9/11 mentioned in that article? What has crashing planes into a building got specifically to do with *computer security*? Nothing. It makes a great headline, and great headlines mean companies get scared, idiot CTOs follow the hype, and the same people making a living off complaining and saying they can fix security make big money. Catch 22.
The classic is Verisign and root servers. "Imagine cyberterrorists knocking them all over!!!" (cyberterrorists aka 13 yr old kid, but it doesn't sound "cool"). Are they a charity who are really concerned, or rather want control and the money and power that comes with it? Take a wild frickin guess. Of course the usual idiots jump on board predicting world ending disasters and link it to 9/11. Oh, and the "experts" who make the comments and predictions also work for a . Always.
Bruce Schneier will be speaking (along with many other security experts) at the Stanford Center for Internet and Society's CyberSecurity conference this Nov. 22nd.
More info here.
It just popped into my head. It has to be...
FLESHNET
Does this mean they aren't really the experts they pretend to be? I'm confused.
dog grooming? Is he for it or against it?
Or what about that 300,000,000 year old purple donut frog they just found recently?
CSO?
Aren't they the people who are trying to stamp out Lniux with a bunch of frivolous lwasuits?
Dyslexic lawyers of the world, untie!
"I've looked at their site, does anybody know anything about this product? Sounds very useful." Yes, they have an excellent product, and I haven't seen a single other company that can scale to the huge logging levels this one can, or for as cheaply. After learning about Addamark, it seems obvious that any log solution that uses a traditional RDBMS as a backend cannot possibly be as cheap or fast as their solution.
You started by saying that your security is pretty good, and giving us a breakdown. Now you claim you aren't the weak link, because who would want the tapes?
That doesn't change the fact that you are the weak link.
Also, the bank manager has a very good, and valid, point. Whereas you see convenience, he sees the possibility of a complaint down the road, and heck, bank protocol wasn't followed; the employees had information they should not have, which makes them more suspect.
You are mixing up two things here. Yes, a PIN is easy to brute-force, if the system will allow you to do it. Most will not; after a few wrong attempts, your account is locked. What are the odds of guessing the right 4-digit PIN if you only get five attempts?
You don't need a high entropy password if it's not possible to brute-force against the system.
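The lockout argument above, as an added example that is not part of the thread: a verifier that locks the account after five consecutive wrong PINs, plus the resulting guessing odds (5 of 10,000 PINs). The salted-hash storage, the `PinAccount` structure and the sample PIN are constructed assumptions, not any bank's actual scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 5      # lockout threshold the comment describes
PIN_SPACE = 10_000    # every 4-digit PIN, 0000 through 9999


def _digest(pin: str, salt: bytes) -> bytes:
    # Constructed storage scheme: salted PBKDF2, so the PIN is never kept in clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)


@dataclass
class PinAccount:
    """Online verifier that refuses all further attempts once locked."""
    pin_hash: bytes
    salt: bytes
    failures: int = 0
    locked: bool = False

    @classmethod
    def enrol(cls, pin: str, salt: bytes = b"demo-salt") -> "PinAccount":
        return cls(pin_hash=_digest(pin, salt), salt=salt)

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False                      # even the correct PIN is refused when locked
        ok = hmac.compare_digest(_digest(attempt, self.salt), self.pin_hash)
        if ok:
            self.failures = 0                 # a success resets the consecutive-failure count
        else:
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked = True
        return ok


def guess_probability(attempts: int, space: int = PIN_SPACE) -> float:
    """Chance that `attempts` distinct online guesses include the right PIN."""
    return min(attempts, space) / space


def lockout_demo(pin: str = "4821") -> dict:
    """Five wrong guesses lock the account; afterwards the real PIN no longer works."""
    acct = PinAccount.enrol(pin)
    wrong = [f"{i:04d}" for i in range(MAX_ATTEMPTS)]   # 0000..0004, none equal to the PIN
    rejected = [not acct.verify(w) for w in wrong]
    return {"wrong_rejected": all(rejected),
            "locked": acct.locked,
            "real_pin_after_lock": acct.verify(pin),
            "max_guess_probability": guess_probability(MAX_ATTEMPTS)}
```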
Many banks insist that they KNOW what is in a safe deposit box, so you don't put, say, things that could explode, or start a fire, in them. That's not to say they know the exact contents, but they often supervise. I think maybe you watch too much TV if you think banks have safe deposit boxes full of "dirty" money. (though no doubt there is some out there)