Bruce Schneier on What He Knows Best
Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.
to his website.
I have over 70 freaks, do you?
That sounded too much like SCO Magazine :)
Paranoia paranoia
Everybody's coming to get me
Just say you never met me
I'm going underground with the moles
Hear the voices in my head
I swear to god it sounds like they're snoring
But if you're bored then you're boring
The agony and the irony , they're killing me
I'm not sick but I'm not well
And I'm so hot cause i'm in hell
I'm not sick but I'm not well
I often wonder why it has to be this way. Wouldn't it be just as logical to make the two play nice? Perhaps if the two fields worked more closely they could actually learn something off each other.
I can see all of the glazed eyeballs out there as you tell folks that they need to learn about firewalls and computer security, etc. Some folks just don't want to be bothered.
Random thought - with the decline of things like boot disk viruses, etc, the best security most folks can understand is that they are safe so long as they are not on the internet.
"It is a greater offense to steal men's labor, than their clothes"
Whereas I will be flamed into Hades for suggesting, just suggesting, that "Actually, technology usually IS the solution": Social engineering is the least of your worries. Cryptography, authentication et cetera create the need for social engineering: if you leave the computers without passwords and the serviceman's door unlocked, you can't worry about whatever-you're-protecting being unprotected from social engineering, bribery, and whatnot. Y'know why? What industrial spy (as an example) is going to bribe the guards when he can telnet?
it should be Straits Times - need morning coffee. of course
"It is a greater offense to steal men's labor, than their clothes"
we changed the admin password of a colleague's Win2k machine who'd forgotten his password. But we also reminded ourselves just how important is physical security.
Cringely put out an article (Changing the Game: How to Save the World by Taking Back Control of Our Data) a week or so back emphasizing security through recording all activity in any given IT infrastructure. Cryptographic techniques may be great, but social engineering, cracked buffer overflows, and short-sighted or stupid actions can always leave some crucial data exposed.
Rather than throwing your hands up when you've found you've left data exposed, or you've discovered some insider has been poking around documents they shouldn't be looking at, you should be able to track down all access to all information at all layers of your infrastructure. You hopefully can uncover traces of specific incidents, find any other similar unnoticed events that are now part of history, and find the culprits.
So logging and log analysis are key to securing any site. You need to log:
... and you need to do it in a way where you can correlate information from all these disparate sources to uncover patterns of abuse. Cringely mentions that Addamark (he calls them the next "Oracle") is the first company with a viable solution for storing and analyzing the massive logs involved. I've looked at their site, does anybody know anything about this product? Sounds very useful.
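One way to do the cross-source correlation this comment calls for, as an added example that is not the article's, Addamark's or the poster's code: a constructed login/logout log is joined against a constructed file-access log, and any document read that falls outside the reader's own session is flagged. Log formats, user names and paths are invented for illustration.

```python
# Added example (not the article's or Addamark's code): correlate a constructed
# auth log with a constructed file-access log to find reads that no login
# session explains. Formats, users and paths are invented for illustration.
from datetime import datetime

AUTH_LOG = """\
2003-10-02 08:55:10 login user=alice src=10.0.1.20
2003-10-02 09:01:33 login user=bob src=10.0.1.41
2003-10-02 12:10:05 logout user=alice
2003-10-02 17:30:00 logout user=bob
"""

FILE_LOG = """\
2003-10-02 09:15:00 read user=alice file=/finance/q3-forecast.xls
2003-10-02 13:02:44 read user=alice file=/hr/salaries.xls
2003-10-02 16:40:12 read user=bob file=/eng/roadmap.doc
2003-10-02 23:58:01 read user=bob file=/finance/q3-forecast.xls
"""

def parse(log):
    """Parse 'date time event k=v ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in log.splitlines():
        date, time, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(f"{date} {time}"), "event": event}
        rec.update(f.split("=", 1) for f in fields)
        records.append(rec)
    return records

def sessions(auth_records):
    """Pair each login with that user's next logout -> (user, start, end)."""
    open_logins, result = {}, []
    for r in sorted(auth_records, key=lambda r: r["ts"]):
        if r["event"] == "login":
            open_logins[r["user"]] = r["ts"]
        elif r["event"] == "logout" and r["user"] in open_logins:
            result.append((r["user"], open_logins.pop(r["user"]), r["ts"]))
    return result

def orphan_reads(auth_log, file_log):
    """Return (user, file) for reads outside every session of that user:
    the file layer saw activity the auth layer cannot account for."""
    sess = sessions(parse(auth_log))
    return [(r["user"], r["file"]) for r in parse(file_log)
            if not any(u == r["user"] and s <= r["ts"] <= e for u, s, e in sess)]
```

Neither log on its own looks suspicious; only the join shows alice reading the HR spreadsheet after she logged out and bob reading finance data near midnight with no session open.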
He also gave an interview on Minnesota Public Radio covering similar topics on September 29. Follow the link for a RealMedia archive.
Yeah, logs are good. Prison sentences are good, too. But they are all after the fact.
For my own part, postmortems aren't nearly as important to me as preventative measures. But that's just me.
--Richard
I make a weekly trip to put our tape backups into a safety deposit box at a nearby bank. For $35/year, we get bank-level security and convenient off-site storage.
For the two years I've been doing this, I've had a small, running battle with the president of the branch, who wants to enforce a rule that all use of safety deposit boxes must be done in the booths provided for privacy; presumably, he wants to avoid any appearance of, or liability for, the bank employee knowing what's in my safety deposit box. However, switching the tapes in the box can be done in 5 seconds right there, whereas taking a booth makes it a 2 minute affair. The tellers all know me, so they let me do it right there, except for the couple weeks after a stern policy memo has been issued.
The reason I don't sacrifice another 1 minute, 55 seconds, is because I don't care that the tellers know--they'd figure something out with my weekly trips anyway. But the real crux is that, putting the tape backups into a safety deposit box makes it one of the strongest links in the security chain. The server room door is always locked, the servers logged off, etc. The weakest link now is that a competitor would offer one of my employees $20,000 to sneak the tape backups out one night. In comparison, the cost of breaking into a safety deposit box, removing the tapes, and returning them after copying, all undetectably, would be in the hundreds of thousands of dollars, if it could be done at all. They can't bribe a teller because the bank has only one of two keys for my box--when I've forgotten my key, I'm SOL.
This is what Schneier means by system security. Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
( ... hey I never do anyway!) can I guess that Bruce says something like:
"Technological solutions don't work for human problems. 9/11, Bush, P2P vs. RIAA are human problems. Cryptography can't help you here either, so look elsewhere. "
Just a hunch.
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
[*] Come on, the day that really changed the world and you call it A NUMBER? All those other days have good names like Bloody Sunday, but a number... It sounds so empty, so devoid of emotions. Or maybe that's why it's used -- to show the world that America wasn't shaken, that the Star Spangled Banner is still waving (is that why the flag found in the ruins of WTC was shown in Salt Lake City?) and so on.
Hell is not other people; it is yourself. - Ludwig Wittgenstein
"You need to log:... disk I/O"
Isn't that recursive?
I just want to put on file that I put on file that I put on file that I put on file that I put on file that I put on file that I saw somebody read a file on disk. Damn, now I need to report myself.
Mr. Schneier contrasts problems of physical security with IT security throughout his article and emphasizes that in both domains criminals and terrorists will, at times, hit their mark. (He also implies losses to crime are greater than losses to terror, and that society emphasizes the terror while neglecting sensible countermeasures to crime -- but that's beside the point I want to make here).
In the physical world criminals always leave tracks. Fingerprints, footprints, bodily fluids, DNA, personal effects, the air they breathe, traces from tools of their trade, etc. Sometimes the criminal is smart and leaves so few of these clues, or they're so undetectable or indistinguishable from the background (e.g., the air they breathe) that they get away. But at least in the physical world forensic experts can resort to physical evidence to track down the perps and extract justice or revenge.
Mr. Schneier complains that the physical security types take ineffective measures to prevent damage in the physical world and could learn a thing or two about mitigating risk from the IT community. (Confiscating those nail clippers from grandma isn't going to prevent a hijacking!) But I think Mr. Schneier is short-sighted too, and the IT security people haven't learned yet that gathering evidence in the electronic world is key! You need to lay down the dust to track electronic footprints through the network. Your electronic gated community isn't going to keep out everyone, and logs are the dust in which cybercriminals leave their footprints! If you don't collect and analyze your logs, you're just left with 500,000 stolen credit card/social security numbers and the air they breathed.
And the best quote on the article regarding those kinds of databases:
"Definitely. Terrorism is rare, while crime is common. Security systems that require massive databases in order to function--TIA, CAPPS 2--will make crime easier. They'll make identity theft easier. They'll make illegal government surveillance easier. They'll make it more likely that rogue employees of the governments and corporations that maintain the systems will use the data for their own purposes. In the United States, there isn't a government database that hasn't been misused by the very people entrusted with keeping its information safe. IRS employees have perused the tax records of celebrities and friends. State employees have sold driving records to private investigators. This kind of thing happens all the time."
// Agent Green (Ian / IU7 / KB1JQO)
// IEEE 802.3: All 10base Are Belong To Us
Ok so lots of valuable company data is moved from your facility to a bank by an employee on a weekly basis? I think the weakest link in the chain is you. I'm just saying what's to stop someone from taking the tapes from you in transit? Sure the bank has good security (cameras, security guards, a vault), and your company most likely has good security too, but when you're in transit couldn't someone stop you and take the tapes from you (by force if needed)? Just out of curiosity are there any backup software packages (like something made by Veritas or Computer Associates) that will not only compress data before backup but also encrypt it?
(No, I didn't RTFA. Why do you ask?)
My other car is a 1984 Nark Avenger.
The point is that he's referring to something that's changed since that date which I won't mention since it offends you. It doesn't matter how much time has passed since then, it changed a lot of security procedures. Since he's referring to those specific changes, post-9/11 is the best term.
These buildings had a great value, if not economical (was there really that big a need for office space when they were built? Right now, there certainly isn't much need for offices, so why build new towers?) then symbolical -- why else bother attacking them? Many have called the WTC towers the symbols of capitalism, or of America(n). The history of the world may not be split into before and after it, but the history of USA is, at least for some time.
Hell is not other people; it is yourself. - Ludwig Wittgenstein
I wouldn't assume that a misbehaving system is due to slashdotting. My buddy's hard drive HAPPENED to crash on 1/1/2000 (hey, someone's had to). He blamed it on Y2K. Maybe it was slashdotted too. Sorry, non-Americans, when I referred to 1/1, to y'all, that would be reversed... 1/1, that is.
It just popped into my head. It has to be...
FLESHNET
Does this mean they aren't really the experts they pretend to be? I'm confused.
Manipulate the moderator system! Mod someone as "overrated" today.
I think people started referring to the attacks using "9/11" because they were not limited to one place, unlike, say, Pearl Harbor [Day]. It was too hard to refer to the events themselves, so they refer to the day.
CSO?
Aren't they the people who are trying to stamp out Lniux with a bunch of frivolous lwasuits?
Dyslexic lawyers of the world, untie!
Tired of FB/Google censorship? Visit UNCENSORED!
You're actually saying there's no great economic value to office space in lower Manhattan? No one could be that misinformed; I conclude you are entirely uninformed. That is probably the most valuable real estate on the planet.
While we're at it, "economical" isn't the word you want, and "symbolical" is not a word at all. Try "economic" and "symbolic".
"... the Pentagon (have they rebuilt the part that was damaged?),"
Yes.
"Should new buildings be built in their place..."
"Should" is subjective. "Will" is a certainty. I say again: most valuable real estate on the planet.
You started by saying that your security is pretty good, and giving us a breakdown.. now you claim you aren't the weak link, because who would want the tapes?
That doesn't change the fact that you are the weak link.
Also, the bank manager has a very good, and valid, point. Whereas you see convenience, he sees the possibility of a complaint down the road, and heck, bank protocol wasn't followed; the employees had information they should not have, which makes them more suspect.
You are mixing up two things here. Yes, a PIN is easy to brute-force, if the system will allow you to do it. Most will not; after a few wrong attempts, your account is locked. What are the odds of guessing the right 4 digit pin if you only get five attempts?
You don't need a high entropy password if it's not possible to brute-force against the system.
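The lockout argument in this comment, as an added example (not the poster's code): a 4-digit PIN verifier that refuses every further guess after a fixed number of failures, and the odds the comment asks about. The PIN value, the attempt limit and the class name are chosen here for illustration.

```python
# Added example (not from the thread): a 4-digit PIN verifier that locks the
# account after a fixed number of wrong guesses, plus the odds the comment
# asks about. The PIN value and attempt limit are chosen for illustration.
import hmac

class PinAccount:
    """Rejects every guess once max_attempts consecutive failures are seen."""
    def __init__(self, pin, max_attempts=5):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            return False                     # locked: even the right PIN fails
        if hmac.compare_digest(guess, self._pin):
            self.failures = 0                # correct guess resets the counter
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True               # operator must unlock out of band
        return False

def guess_probability(digits=4, attempts=5):
    """Chance that a uniformly random PIN is among the first `attempts` guesses."""
    space = 10 ** digits
    return min(attempts, space) / space      # 5/10000 = 0.0005 for the defaults

def demo(pin="4271", max_attempts=5):
    """Five wrong guesses lock the account; the correct PIN is then refused."""
    acct = PinAccount(pin, max_attempts)
    wrong = [f"{i:04d}" for i in range(max_attempts)]  # 0000..0004, none equal pin
    results = [acct.verify(g) for g in wrong]
    return {"wrong_results": results, "locked": acct.locked,
            "correct_after_lock": acct.verify(pin)}
```

With no limit the whole 10,000-value space is reachable, so the secret's entropy would carry all the weight; with the limit the online attacker's odds are capped at 0.05% per account and the real cost falls on the unlock procedure.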
Many banks insist that they KNOW what is in a safe deposit box, so you don't put, say, things that could explode, or start a fire, in them. That's not to say they know the exact contents, but they often supervise. I think maybe you watch too much TV if you think banks have safe deposit boxes full of "dirty" money. (though no doubt there is some out there)