Schneier's Keynote At Linux.conf.au

← Back to Stories (view on slashdot.org)

Schneier's Keynote At Linux.conf.au

Posted by kdawson on Tuesday January 29, 2008 @02:49PM from the necessary-security-theater dept.

Stony Stevenson writes "Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards, and public CCTV security cameras in his keynote address to Linux.conf.au (currently being held in Melbourne, Australia). These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, Schneier said. The discussion of public security — which has always been clouded by emotional decision making — has been railroaded by groups with vested interests such as security vendors and political groups, he claimed. 'For most of my career I would insult "security theater" and "snake oil" for being dumb. In fact, they're not dumb. As security designers we need to address both the feeling and the reality of security. We can't ignore one. It's not enough to make someone secure, that person needs to also realize they've been made secure. If no-one realizes it, no-one's going to buy it,' Schneier said."

138 comments

In other words . . . by base3 · 2008-01-29 15:00 · Score: 3, Insightful

. . . Bruce has figured out the real money's in security theater, not in security, and he wants a piece of that action.

--
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
1. Re:In other words . . . by Anonymous Coward · 2008-01-29 15:24 · Score: 0, Flamebait
  
  Actually, Bruce wrote a crappy book copied from other sources, and couldn't hack doing real cryptography, so he's looking for other ways to look smart.
2. Re:In other words . . . by ppanon · 2008-01-29 15:53 · Score: 5, Insightful
  
  No. What Bruce has realized is that, in the boardroom and the lunchroom (where almost nobody knows any better), security theatre often will kick the ass of real security practices because it's marketed by professional sales teams. It also often can be delivered for less (because it can be priced for what the market will bear).
  
  If you want real security to be provided, you have to learn to sell it at least as well as the snake-oil. You have to make it sufficiently visible, but non-impeding, that people feel safe.
  
  It's about understanding the human/political side of the equation that can make the difference between a successful deployment and a perceived failure.
  
  --
  Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
3. Re:In other words . . . by QuantumG · 2008-01-29 16:05 · Score: 4, Insightful
  
  It's an interesting theory but are you aware of anyone who thinks the bullshit we go through at the airport is for anything other than appearances? It's not just geeks and smart asses who know this, it is everyone.
  
  --
  How we know is more important than what we know.
4. Re:In other words . . . by oldhack · 2008-01-29 16:06 · Score: 0
  
  Dude, say what you will about the dude, but his book (the red one) was and still is an awesome book that taught whole lot of us programmers the nuts and bolts of cryptography, both the algorithms and implementation, in a nice compact package.
  
  --
  Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
5. Re:In other words . . . by PurpleZebra · 2008-01-29 16:12 · Score: 1
  
  Obviously someone doesn't know who Bruce Schneier is.
6. Re:In other words . . . by bigstrat2003 · 2008-01-29 16:25 · Score: 1
  
  I know one person who really does think that. He's a fairly smart person, for the most part, but this one has always baffled me. Oh, true, he thinks that some of the measures are bullshit, but he fails to see that they're pretty much all bullshit... so he's in the same camp as the true morons, just a matter of degrees.
  
  --
  "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
7. Re:In other words . . . by NoPantsJim · 2008-01-29 16:32 · Score: 1
  
  I'm no expert on the subject, but my experience so far has been this, and I am a big fan of Schneier.
  
  If you explain to a group of people why something is 'security theater' and then present an alternative, they flock to it. It does not matter that the alternative may also be 'security theater', as long as its shortcomings are of a different variety.
  
  --
  Name...That...Autocomplete!
8. Re:In other words . . . by QuantumG · 2008-01-29 16:36 · Score: 3, Informative
  
  Uh huh.. I, unfortunately, spend a lot of time in airports.. I've never once seen someone taking off their shoes with a smile on their face.. there's only one thing you think when they tell you to take your shoes off: "oh my god this is bullshit." If your friend actually thinks there is a sensible reason to scan the shoes of flyers then I suggest you get him some psychological help.
  
  --
  How we know is more important than what we know.
9. Re:In other words . . . by ZombieRoboNinja · 2008-01-29 16:57 · Score: 0
  
  Remember when that idiot put a bomb in his shoe and tried to blow up a plane? Ever wonder how many other idiots would have copied this brilliant idea if security DIDN'T make a show of inspecting shoes? Ever wonder if maybe a few of them would have succeeded?
  
  I dunno, I guess I need some of that psychological help you were recommending.
10. Re:In other words . . . by QuantumG · 2008-01-29 17:06 · Score: 2, Interesting
  
  Remember how that guy was foiled without the help of scanning and so the scanning of the shoes is completely superfluous?
  
  --
  How we know is more important than what we know.
11. Re:In other words . . . by ZombieRoboNinja · 2008-01-29 17:10 · Score: 1
  
  THAT guy was "foiled" because he was extra-special dumb. He was trying to light his shoe IN THE SEAT OF THE PLANE. All he had to do was go in the bathroom - worst case scenario, the smoke alarm goes off and they think he's smoking in there.
12. Re:In other words . . . by QuantumG · 2008-01-29 17:28 · Score: 3, Insightful
  
  I think you're laboring under the belief that:
  
  1. the sole of a shoe can contain any significant amount of explosive
  2. that walking on such a shoe would not cause the explosive to go off
  3. that airport scanner technology can tell the difference between explosives and leather
  
  None of which are the case. The only thing you could maybe fit in the sole of a very hard soled shoe would be a knife.. which hopefully people realize doesn't give a would-be hijacker any more of an advantage than being unarmed - if 50 scared passengers rush you, it doesn't matter that you have a knife. And that's what should have been the lesson of 9/11: if you allow yourself to be victimized you will die.. but if you step up and stop hijackers there is no way to hijack a plane.
  
  All in all, I wish the government would just let the market decide. There should be a "no security" terminal where people can catch a plane much as you catch a bus.. buy your ticket, get on the next available flight. If you want to be harrassed, go to the security theater terminal.
  
  --
  How we know is more important than what we know.
13. Re:In other words . . . by Free_Meson · 2008-01-29 17:56 · Score: 1
  
  Obviously someone doesn't know who Bruce Schneier is.
  His brother was in the Jaws movies, no?
14. Re:In other words . . . by SJ2000 · 2008-01-29 18:19 · Score: 1
  
  If they really gave a flying fucking about security they wouldn't allow "Screwdrivers (seven inches or less in length)" in carry-on luggage. Seriously, are these people fucking stupid or what? You think I can't stab someone with a 6 inch screwdriver but I can with an 8 inch?
  http://www.tsa.gov/travelers/airtravel/prohibited/permitted-prohibited-items.shtm#7
  
  Also (Video unavailable, it's on a tape and I currently don't have the equipment to digitise it) they wouldn't take scanned and verified checked-in luggage from the X-Ray machine back into the untrusted areas of the airport (shops, the line you wait in to put your baggage through the x-ray machine, ticket desks etc.) on an open trolley, unescorted, before going back into the trusted area and being loaded on to the aircraft.(LAX, Tom Bradly International Terminal within the last week)
  
  Plenty of time and opportunity to steal baggage, or slip something into a bag of your choosing.
  
  Let me guess, they use the camera's to watch the trolley's to ensure this doesn't happen?
  Why the FUCK are they using trolley's in the first fucking place and not conveyors belts like EVERY other fucking international airport I've been to (South Korea, Paris, Heathrow, Melbourne, Sydney, Frankfurt, Amsterdam) so I'm fairly sure they don't have the initiative to follow them with cameras.
  
  By the way, if you read the marketing posters next to the areas under construction within the Tom Bradly International Terminal, it has nothing to do with security. Just more waiting areas and seats.
  
  But as long as I don't bring my Pudding of Death (over 3 oz, http://www.tsa.gov/travelers/airtravel/prohibited/permitted-prohibited-items.shtm#10) then all is well....once you actually get to the damn checkpoint, after all, the line has 300 people in it. Great traffic flow planning fuck-wits.
15. Re:In other words . . . by bigstrat2003 · 2008-01-29 19:49 · Score: 1
  
  I agree, it's stupid, but unfortunately, I can't force other people to see reason. If I could, we wouldn't have such bullshit things going on in this country in the first place. ;)
  
  --
  "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
16. Re:In other words . . . by nospam007 · 2008-01-29 23:49 · Score: 1
  
  All in all, I wish the government would just let the market decide. There should be a "no security" terminal where people can catch a plane much as you catch a bus.. buy your ticket, get on the next available flight.
  
  In Europe they have such planes, they are called trains.
17. Re:In other words . . . by base3 · 2008-01-30 00:14 · Score: 1
  
  That's exactly what I said, although in more flowery language--security theater is easier to sell than security, and thus, there's more money in it. So add some theater to to the non-snake-oil security, and . . . PROFIT!!!
  
  --
  One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
18. Re:In other words . . . by that+this+is+not+und · 2008-01-30 01:11 · Score: 1
  
  You say that like a namedropper.
  
  Schneier is someone who has accomplished a lot as an amateur cryptography hacker. Someone outside the 'credentialed' cryptography community who wrote a tremendously useful book 'for the rest of us.'
  
  That doesn't make him a security expert. Cryptography and Security are two completely different things.
19. Re:In other words . . . by DdJ · 2008-01-30 01:32 · Score: 1
  
  I've never once seen someone taking off their shoes with a smile on their face.
  
  I do.
  
  Mind you, I think it's bullshit. But the people at the airport are not the ones who caused the problem. The people around me have nothing to do with the decision making that went into it. The people it's appropriate to get mad at are nowhere around. A hostile reaction to the security theater while being subjected to it is itself an emotional, illogical response to the situation.
  
  So, why get worked up about it while there? That'd make my day even less pleasant. So I smile, and chat with folks. If the topic comes up (and as you can imagine, sometimes it does), the fact that none of it makes us any more secure is one of the things we chat about. That helps more than grumbling or ranting.
  Years ago my mother used to say to me, she'd say, "In this world, Elwood, you must be" -- she always called me Elwood -- "In this world, you must be oh so smart or oh so pleasant." Well, for years I was smart. I recommend pleasant. And you may quote me.
  
  -Elwood P. Dowd
20. Re:In other words . . . by Anonymous Coward · 2008-01-30 01:36 · Score: 0
  
  1. the sole of a shoe can contain any significant amount of explosive
  2. that walking on such a shoe would not cause the explosive to go off
  3. that airport scanner technology can tell the difference between explosives and leather
  
  1. How much would you call significant? 1/4 oz? I could happily blow a plane out of the sky with 1/4 oz of Semtex and a crown cork off a beer bottle.
  2. I'll have a 100 yard dash with anyone while wearing Semtex soled trainers, without fear of anything going amiss.
  3. Most airports now have detectors that can identify objects with a high nitrogen content, such as explosives.
  Having said all that, I think there should be a place for individual airlines deciding the level of intrusion that their customers are put through - as you say, let the market decide.
21. Re:In other words . . . by MrLogic17 · 2008-01-30 02:18 · Score: 1
  
  >I think you're laboring under the belief that:
  >1. the sole of a shoe can contain any significant amount of explosive
  >2. that walking on such a shoe would not cause the explosive to go off
  
  Dude, why do you think they suddenly started making people take their shoes off? Does the name "Richard Reid" ring a bell? Inept idiot or not, he does [ahem] totally blow away your argument.
  
  http://www.google.com/search?q=shoe+bomber
22. Re:In other words . . . by bickle · 2008-01-30 02:33 · Score: 1
  
  "but if you step up and stop hijackers there is no way to hijack a plane." ...except for the the plane on 9/11 where the passengers *did* step up. They stopped the plane from reaching the hijacker's target, but it *was* hijacked.
23. Re:In other words . . . by QuantumG · 2008-01-30 02:45 · Score: 1
  
  Isn't the fact that it failed and had no chance of success anyway enough?
  
  Or is the mere threat of an impossible bomb a problem.. oh yes, of course it is.
  
  --
  How we know is more important than what we know.
24. Re:In other words . . . by QuantumG · 2008-01-30 02:48 · Score: 1
  
  They didn't step up soon enough to prevent the hijackers from getting into the cockpit.
  
  By the time they finally did something it was too late.
  
  --
  How we know is more important than what we know.
25. Re:In other words . . . by dfetter · 2008-01-30 05:15 · Score: 1
  
  Cryptography and Security are two completely different things. This is a key insight he has been sharing, and not always successfully. Just getting the word out on that is a worthy endeavor.
  
  --
  What part of "A well regulated militia" do you not understand?
26. Re:In other words . . . by immcintosh · 2008-01-30 05:39 · Score: 1
  
  That's a good lesson. Also, "lock the cockpit door," might help.
27. Re:In other words . . . by jgs · 2008-01-30 05:50 · Score: 1
  
  I really wish I agreed, but I travel a fair amount and I can think of many occasions when I overheard or actually spoke with someone who expressed the general sentiment that "yeah, it's a pain, but it's for our own good, I'm just glad they're protecting us."
  
  Which is all anecdotal of course. I'd be interested in seeing a controlled survey of air travelers and their opinions of airport security. Who's the outlier? Me, the curmudgeon? Or the "take my shoes, take my jockstrap, just please keep me safe" traveler?
28. Re:In other words . . . by QuantumG · 2008-01-30 07:25 · Score: 1
  
  On flight 93 they did lock the cockpit door, but the stewardess let the hijackers in.. because she figured it was a "normal" hijacking and would be over soon if she just complied.
  
  --
  How we know is more important than what we know.
29. Re:In other words . . . by sjames · 2008-01-30 14:06 · Score: 1
  
  1. How much would you call significant? 1/4 oz? I could happily blow a plane out of the sky with 1/4 oz of Semtex and a crown cork off a beer bottle.
  
  You'll need a detonator with that.
30. Re:In other words . . . by Thundersnatch · 2008-01-30 16:00 · Score: 1
  
  1. the sole of a shoe can contain any significant amount of explosive
  
  The sole of a pair of adult male shoes could easily carry 500 grams of C-4, Semtex, or other plastic explosive. This is more than enough to tear a steel girder in half. Or tear a commercial airliner's fuselage wide open, especially if detonated near a window.
  
  2. that walking on such a shoe would not cause the explosive to go off
  
  Plastic explosives are very stable, and almost impossible to detonate with out a blasting cap. Some can even survive bullet strikes without detonating, and have been burned as fuel for cooking fires by soldiers in the field without detonating. C-4 and Semtex are widely available, and would most definitely NOT detonate by being walked on.
  
  3. that airport scanner technology can tell the difference between explosives and leather
  
  The newer color tomography machines, which are deployed widely in the USA, can easily distinguish explosives from leather.
  
  There are a lot of aspects of airport security that are stupid, but scanning shoes is actually a good idea if you're going to do scanning for explosives. Of course, a terrorist could always swallow baggies full of TNT and a basting cap on a wire.
31. Re:In other words . . . by QuantumG · 2008-01-30 19:56 · Score: 1
  
  See, this is where rational thought seems to disappear:
  Plastic explosives are very stable, and almost impossible to detonate with out a blasting cap. So how are you getting that onto the plane? Wouldn't your own statement here imply that a shoe would have to contain a non-stable explosive to be useful? And if that is the case then how do you walk on it? It's called logic and people don't seem to exercise it when talking about airport security.
  
  --
  How we know is more important than what we know.
32. Re:In other words . . . by jonadab · 2008-01-30 23:14 · Score: 1
  
  Your second point is pretty much invalid. If the sole of the shoe were made of military-grade explosives, walking, even jumping, would not cause the explosives to go off. Yes, there *are* explosives that are so unstable they can be set off that way, most famously nitroglycerine, but something like that is too impractical to use. The stuff they make grenades out of and use to blow up bridges isn't shock-sensitive like that.
  
  Not that I'm saying the shoe-scanning is really necessary. Any amount of explosive that you can hide in the sole of a shoe can just as easily be worn under your clothes, I would think.
  
  On the other hand, I don't understand why people make such a big deal about it either. It's not like taking off your shoes is a huge multi-minute inconvenience. It takes, what, six seconds? What a petty thing to whine about. Not being able to take a decent-sized beverage on the flight is a much greater annoyance, as far as I'm concerned.
  
  --
  Cut that out, or I will ship you to Norilsk in a box.
33. Re:In other words . . . by Anonymous Coward · 2008-01-30 23:15 · Score: 0
  
  Did you even read your great grandparent's post?
34. Re:In other words . . . by Thundersnatch · 2008-01-31 01:47 · Score: 1
  
  So how are you getting that onto the plane?
  
  A blasting cap is very small... about the size of a crayon. It could be wrapped in cotton and stuck in a sock, for example. And then set off with a cell phone battery.
  
  What I'm saying is if you're going to screen for explosives effectively, you need to screen everything: shoes, clothing, and even the body.
  
  Whether or not screening for explosives is a cost-effective security measure for commercial air travel is another matter entirely. The Israelis who run El Al seem to think so, and the rest of the world's air transport system looks to El Al for leadership in security practices. Everybody, including Bruce Schneier, agrees that El Al's security measures are effective (but also quite intrusive).
35. Re:In other words . . . by jesse285 · 2008-02-06 09:04 · Score: 1
  
  No. What Bruce has realized is that, in the boardroom and the lunchroom (where almost nobody knows any better), security theatre often will kick the ass of real security practices because it's marketed by professional sales teams. It also often can be delivered for less (because it can be priced for what the market will bear).
  
  If you want real security to be provided, you have to learn to sell it at least as well as the snake-oil. You have to make it sufficiently visible, but non-impeding, that people feel safe.
  
  It's about understanding the human/political side of the equation that can make the difference between a successful deployment and a perceived failure. And to the point to much and not enough, so now what do we have some one who pocketing all the money, make it whjere it fair and then talk.
love this line... by Serious+Poo · 2008-01-29 15:03 · Score: 3, Funny

"tailored to provide the perception of security rather than tackling actual security risks." Isn't this also the mission statement for the TSA?

--
"There is nothing more unequal than the equal treatment of unequal people." - Thomas Jefferson
1. Re:love this line... by fizzbin · 2008-01-29 15:36 · Score: 1
  
  If Bruce were giving his speech in the US rather than Australia, the TSA (Theater Security Agency) would get prominent mention.
  
  So much of what they do, from checking IDs (ever seen an ID that says "Terrorist"?) to carry-on bag screening (violating privacy while missing guns and weapons) is pure theater. It provides the appearance of security, but not the reality.
  
  --
  Fizz
2. Re:love this line... by bersl2 · 2008-01-29 17:33 · Score: 1
  
  "Unfortunately, we're stuck with us as a species."
Perceptions. by Anonymous Coward · 2008-01-29 15:03 · Score: 1

I'm sorry but what does RFID have to do with the "perception of security"? Barcodes don't make me feel safe, why should RFID? As for the latter (cameras). When was the last time you saw security video on the evening news, not to mention all those cellphone video shots. And the middle? Yeah my drivers license makes me feel soo safe.
1. Re:Perceptions. by Whiney+Mac+Fanboy · 2008-01-29 15:40 · Score: 1
  
  I'm sorry but what does RFID have to do with the "perception of security"?
  
  RFIDs have bugger all to do with security, but plenty of people are trying to push the perception that they can. Read this alarmist article. Check out its opening sentence:
  An associate of Osama bin Laden crawls into a container -- along with some new luxury cars -- in a shipyard in Hamburg, Germany. The goal -- shipping himself to the United States and evading the Department of Homeland Security,
  Lucky all terrorists are RFID-tagged!
  
  --
  There are shills on slashdot. Apparently, I'm one of them.
2. Re:Perceptions. by AJWM · 2008-01-29 16:12 · Score: 1
  
  That's okay, if the cargo container 6+ MeV x-ray inspection doesn't cook him, it should at least catch him.
  
  Might not do those RFID tags much good, either.
  
  --
  -- Alastair
3. Re:Perceptions. by Anonymous Coward · 2008-01-30 02:27 · Score: 0
  
  ...have bugger all to do with... Pardon me, but if I may - what does this mean in this context? Does it, or doesn't it?
4. Re:Perceptions. by Anonymous Coward · 2008-01-30 02:36 · Score: 0
  
  FYI : The phrase '...have bugger all to do with...' means '...has nothing at all to do with...'
CCTV - Worth its weight in gold by mungmaster2000 · 2008-01-29 15:15 · Score: 5, Interesting

CCTV almost never captures what you set out to catch. In many organizations, it's a knee-jerk reaction to some kind of incident. ie) Something got pinched, someone received an ass-kicking, etc. Even if you do catch it, you'll never be able to identify/recognize/charge/convict the person based on the video image alone. 4CIF at 30 fps is pretty much as good as it gets right now in most feasible installations. All you'll be able to say is, "Subject is hatless...REPEAT...HATLESS!" (And that's even if he's in the frame). The PTZ will just pan around aimlessly on a tour program, or be pointed at the wrong thing. However, wide-spread deployment of CCTV systems is still not futile; you just usually end up catching something that were never really looking for in the first place. People and vehicular traffic movements, facility useage, or realtime video of an incident in progress that just happens to be going-on in front of the lens. You can establish time frames of entry or exit, or use it to clue-you-in to the right path to finding the real evidence you're looking for. From a security systems perspective, more CCTV is better, but not to mitigate direct and specific threats. Only general ones. Or sometimes you just luck-out and with a good booby shot in the atrium of an office building.
1. Re:CCTV - Worth its weight in gold by Whiney+Mac+Fanboy · 2008-01-29 15:44 · Score: 2, Funny
  
  Check out this article.
  
  These guys would NEVER have been convicted without CCTV.
  
  Absolute PROOF that CCTV works.
  
  --
  There are shills on slashdot. Apparently, I'm one of them.
2. Re:CCTV - Worth its weight in gold by OzRoy · 2008-01-29 15:48 · Score: 1
  
  Well the obvious answer to that is to just put in more CCTV. We need more! THINK OF THE CHILDREN!
3. Re:CCTV - Worth its weight in gold by springbox · 2008-01-29 16:15 · Score: 1
  
  That's like having an employee who regularly screws up but their employer decides to keep them because of that one time when they did something right. Is there any actual proof (more than one) that even more monitoring will actually do anything good?
4. Re:CCTV - Worth its weight in gold by warrigal · 2008-01-29 16:16 · Score: 5, Interesting
  
  Sometimes cameras can have a deterrent effect. I don't mean those lame dummy cameras, either.
  
  Just the rumor that we were putting a camera system in our school practically eliminated graffiti
  
  vandalism in a vulnerable area. The vandalism then took other forms, which were actually more of a problem.
5. Re:CCTV - Worth its weight in gold by mungmaster2000 · 2008-01-29 16:19 · Score: 1
  
  The security systems integrator or security principal in charge of that CCTV installation should share the blame for that incident - By installing a camera that personnel had access to do such peeping with. It's irresponsible. Not to mention a major faux pas in today's era of privacy legislation. (Especially in my neck of the woods - Canada). You never put a camera in a place like that. And if you have a legitimate business need for CCTV coverage anywhere near such an era, you spec-out a system that has the "prohibited area" feature. That is, you can define a polygonal area of the screen that will always display black - either live and/or for archival purposes. So if Rowdy Roddy Peeper the Security Guard decides he wants to zoom-in on say a hotel room window, all that he'll see is the window frame, flood-filled with black. They say that in the physical security industry, you must respect everyone and yet trust no one. But I think that you also have to trust your security officers even less. If you give them some kind of power or ability, they'll abuse it because they're human. You gotta have controls in place to detect, deter, and prevent abuse. Just like a security guard's watchclock. Skip it, and he goes to sleep whenever he can.
6. Re:CCTV - Worth its weight in gold by mungmaster2000 · 2008-01-29 16:30 · Score: 1
  
  How do we know that it's not doing its job all along? You might document zero security incidents for a particular camera over a particular time period. But you'll never be able to measure the incident avoidance or mitigation (or even count the number of times) the bad shit that it prevented. Totally Heisenberg. And I know; we can't hide behind the "what-ifs." But security (and I mean all forms of security) is all like that. You'll never realize a measurable cost-benefit, but there's an inate sense within everybody that it's needed on some level. The tricky thing is to just not go overboard (as with anything). (The difference between scratching your ass, and tearing it wide open). CCTV is a tool, but that's it. Policing is a similar matter.
7. Re:CCTV - Worth its weight in gold by Anonymous Coward · 2008-01-29 18:26 · Score: 0
  
  Image enhancement software has become very advanced. In certain government departments and in law enforcement, even the worst, grainy images with bad lighting can be zoomed in on an infinite amount when enhanced with a progressive de-pixellation effect. The same technology has filtered down to TV shows such as NCIS, which is based on a true story.
8. Re:CCTV - Worth its weight in gold by boarsai · 2008-01-29 20:09 · Score: 1
  
  On the flipside from my personal experience:
  The apartments where I used to live we had security patrols and security cameras. Even with these deterents four men brazenly walked into the "secure" undercover carpark, broke my steering lock, hotwired and rode my motorbike out and off into the night.
  Yes, my bike could probably have been a bit more secure if I'd taken extra precautions but I thought that surveilence would have been a bit of a deterant. Evidently these criminals were aware of the effectiveness of such cameras.
  The cameras caught them in the act of course but the video captured is of such poor quality that you couldn't pick someone out of a lineup even tho their faces were captured staring at the cameras.
  The same night my bike was stolen a scooter also went missing. Weeks later another motorbike or two got knocked off, even after I had warned the owners of my loss and suggesting they up their security (such as chaining bikes to poles etc etc). There's only so much you can do however and all you really manage to acheive is slowing them down somewhat... :(
  Altho there is the chance that these guys thought they were simply dummy cameras... even so the poor quality of them makes you wonder why the hell they even bother. All I can tell you is 4 white blokes stole my bike. That may help in a very few select circumstances... but I never did see my bike again. :(
  Yes, it was insured. Thankfully. Now convincing the significant other to allow me to get another bike? You cannot insure that chance unfortunately. I ride the train to work now.
9. Re:CCTV - Worth its weight in gold by Vskye · 2008-01-29 20:40 · Score: 1
  
  All you'll be able to say is, "Subject is hatless...REPEAT...HATLESS!" (And that's even if he's in the frame). The PTZ will just pan around aimlessly on a tour program, or be pointed at the wrong thing.
  In other words, you have crap ass cameras, or placement. I have NO idea on how this was rated +4 minus dumb ass mods.
  
  --
  Life was hell, then I discovered Linux...
10. Re:CCTV - Worth its weight in gold by Anonymous Coward · 2008-01-29 21:14 · Score: 0
  
  Wrong! well, not completely. It is proven, that cctv has a deterring effect on only some crimes - the "planned" crimes. Only idiots would break open a car in a supervised lot. ut aggressive behaviour, and especially the so-called "anti-social behaviour" that most british apologists claim cctv to be usefull against, is something you do without using your head. drunken fights, being abusive and brutal is not something you plan. therefore, it might get caught on camera, but the fact that you might be filmed is not a deterrent.
11. Re:CCTV - Worth its weight in gold by ps236 · 2008-01-30 01:08 · Score: 1
  
  That's the case with all security.
  
  Our burglar alarm at home has never gone off and meant that a burglar has been caught - but we have no way of knowing how many burglars have looked at our house and decided to go somewhere else instead because of the burglar alarm. So, we keep it. On a simplistic level it could seem like a waste of money.
  
  CCTV may not catch many people committing crimes, but it may put off an awful lot of people.
  
  Airport security may not catch many people trying to carry on 'dangerous' items (bottles of water etc) onto planes, but if it makes a few people decide not to bother trying, then it's a good thing in my book.
  
  That's not to say that I don't think they're often dumb, and usually take it too far - like the time the metal detector went off when I went through it, and they told me to take my shoes off - scanned them, and then let me go on my way - no frisking or going back through the detector or anything - I could have been carrying an automatic rifle under my coat and they'd never have noticed... I did consider pointing this out to them, but decided against it, because I wasn't in the mood for probes in random parts of my body.
12. Re:CCTV - Worth its weight in gold by 0racle · 2008-01-30 04:28 · Score: 3, Interesting
  
  There is a slight difference between keeping a potential thief from doing anything and preventing a terrorist from doing something.
  
  Burglars choose easy targets. CCTV and alarms make the target more difficult so most move on. Experienced thieves require more then just a sign to keep them away but still, they are for the most part looking for the easy target.
  
  Terrorism is not a crime of opportunity. You can make the target appear as difficult as you want, all that does is make them plan a little more. The stupid restrictions at the airport do nothing to deter terrorists.
  
  --
  "I use a Mac because I'm just better than you are."
Schnier's List by jakepmatthews · 2008-01-29 15:17 · Score: 4, Funny

I think that would of been a catchier title...
1. Re:Schnier's List by ScrewMaster · 2008-01-29 16:26 · Score: 1
  
  That's actually funny, mods. And it's not offtopic (God some people with mod points have no sense of humor.)
  
  --
  The higher the technology, the sharper that two-edged sword.
2. Re:Schnier's List by jakepmatthews · 2008-01-29 16:33 · Score: 0
  
  Thanks for that... those assholes are the same reason i have bad karma
3. Re:Schnier's List by Anonymous Coward · 2008-01-29 20:00 · Score: 0
  
  Your spelling may have something do with it too. Getting the guys name wrong kind of ruins the joke.
4. Re:Schnier's List by Anonymous Coward · 2008-01-30 03:27 · Score: 0
  
  I think that would of been a catchier title... would HAVE, you illiterate fuck. would HAVE. Get it right!
Sacred Cows? by devnullkac · 2008-01-29 15:20 · Score: 1

Around here, they're more like whipping boys. Now, if he'd started in on Linux security...

--
What do you mean they cut the power? How can they cut the power, man? They're animals!
1. Re:Sacred Cows? by Zeinfeld · 2008-01-29 16:31 · Score: 1
  
  Around here, they're more like whipping boys. Now, if he'd started in on Linux security...
  Well yes, kinda difficult to think of any forum where this type of presentation would be considered 'risky material'. But that does not stop it being any less true or needing to be said.
  I do wish that Bruce would choose his targets a bit more carefully though. He has a tendency to come out with sweeping statements that sound good but don't mean quite what he intends them to mean.
  
  --
  Looking for an Information Security student project suggestion?
  Try http://dotcrimeManifesto.com/
Success... by Anonymous Coward · 2008-01-29 15:28 · Score: 0

depends on your definition.

As per Bruce Schneier: 'For most of my career I would insult "security theater" and "snake oil" for being dumb. In fact, they're not dumb.

This is an argument I have to make with friends when I claim that Bush-Cheney is the most successful administration in US history. I agree with exactly ZERO of what they have done but as far as scaring the shit out of people, robbing us blind, and in general being dicks you cannot argue that they are unsuccessful.

It is simply a matter of motivation and intention and the folks engaging in security theater are selling products. It's all about money and power.

Frito: "I like money though!"
1. Re:Success... by ScrewMaster · 2008-01-29 16:34 · Score: 2, Insightful
  
  This is an argument I have to make with friends when I claim that Bush-Cheney is the most successful administration in US history. I agree with exactly ZERO of what they have done but as far as scaring the shit out of people, robbing us blind, and in general being dicks you cannot argue that they are unsuccessful.
  
  It's all about your frame of reference.
  
  I think of these things as kind of like an electric heater. Most people would argue that an electric heater is one of the most inefficient devices known to mankind. However, when viewed with the proper perspective, it's anything but. Put it this way: an electric heater is basically designed to waste power by transducing electrical energy into heat and spewing it into the immediate environment. A heater does this with virtually no losses. Therefore, an electric heater is almost 100% efficient, as long as there's nothing coming out of it that doesn't qualify as waste.
  
  Which pretty much describes the Bush Administration.
  
  --
  The higher the technology, the sharper that two-edged sword.
2. Re:Success... by novakyu · 2008-01-29 18:38 · Score: 1
  
  Put it this way: an electric heater is basically designed to waste power by transducing electrical energy into heat and spewing it into the immediate environment. A heater does this with virtually no losses. Have you heard of Heat pumps? These things can put actually more heat into a house than the amount of electrical (anything other than thermal) energy spent.
  
  This is one of the reasons that one shouldn't use the word "efficiency" with any device that actually turns work into heat. The best thing to an accurately representative "efficiency" would be the ratio of heat output per work, with that of Carnot heat pump at the top and that of electric heater at the bottom.
  
  On the topic of the thread though, I do agree that the Bush administration was/is successful in their own way. They got all the tax cuts that they wanted passed, they got two terms (a traditional marking of a "good" president versus a "bad" president), and, heck, because of the spineless Democrats, they might even get scot-free with the NSA warrantless tapping responsibilities.
3. Re:Success... by Petrushka · 2008-01-29 23:01 · Score: 1
  
  A heater does this with virtually no losses. Therefore, an electric heater is almost 100% efficient, as long as there's nothing coming out of it that doesn't qualify as waste.
  I'm trying, but I can't imagine what might qualify as "waste" when all energy output is by definition the desired output. What are the things that you're thinking of that lead you to insert "virtually" and "almost" into the above?
4. Re:Success... by bhima · 2008-01-30 02:06 · Score: 1
  
  I'm not sure I understand your point. Are you saying that if we had shoved an electric heating element up all the members of the Bush Administration ass's we get better efficiency from them. Or are you saying if we redefine success to mean something more along the lines of abject failure that we'd be seeing more successes from them? Or perhaps both?
  
  --
  Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
5. Re:Success... by Anonymous Coward · 2008-01-30 02:58 · Score: 0
  
  Um, doesn't a heat pump just move heat around? An electric heater actually *produces* heat.
Electronic Voting Security Theater by r7 · 2008-01-29 15:28 · Score: 5, Interesting

For many of the same reasons there is no semblance of a secure electronic voting platform on the horizon. The reason is not that such a platform would be difficult to design. The reason is that it would not be profitable.

To be secure it would have to be open. In the case of voting platforms that means every line of code, every encryption algorithm, and all the hardware has to be open, published, and known. Nobody has yet figured out how to make enough money from such a system to outspend Diebold's lobbyists and earn considered from election officials.
1. Re:Electronic Voting Security Theater by Zymergy · 2008-01-29 15:45 · Score: 0, Offtopic
  
  Please mod parent up.
  
  While on topic: http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html
2. Re:Electronic Voting Security Theater by cduffy · 2008-01-29 17:13 · Score: 2, Interesting
  
  For many of the same reasons there is no semblance of a secure electronic voting platform on the horizon.
  Does its support for using paper disqualify punchscan from being "electronic"?
3. Re:Electronic Voting Security Theater by NoMaster · 2008-01-29 18:34 · Score: 0
  
  To be secure it would have to be open.
  Bullshit.
  
  It just has to be proved trustworthy. There's plenty of ways of doing that without having "every line of code, every encryption algorithm, and all the hardware ... open, published, and known".
  
  Despite the fanboy-prattle, Open Source is not actually a solution to the age-old problem of "Quis custodiet custodes ipsos".
  
  --
  What part of "a well regulated militia" do you not understand?
4. Re:Electronic Voting Security Theater by bhima · 2008-01-29 19:00 · Score: 1
  
  The requirement that an algorithm be open has a lot less to do with Open Source as in Linux or BSD and lot more to do with the algorithm development process. This is the origin of the Obscurity is not Security mantra.
  
  Show us a modern closed encryption algorithm which does not have significant vulnerabilities. Off the top of my head I am not aware of one. However, there are plenty of examples of closed algorithms which are abject failures. Like what's used on DVDs, HD-DVDs, or Phillips' RFID tags. There are also examples of secure algorithms which are secure. Like AES.
  
  To my knowledge the difference is having the algorithm open to scrutiny during the development process. Like the contest which created AES.
  
  Bruce describes these observations (and factual history) in his book "Practical Cryptology" and publishes a virtually constant stream of positive examples on his blog. I am unaware of any examples which negate these observations.
  
  --
  Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
5. Re:Electronic Voting Security Theater by turbidostato · 2008-01-30 14:45 · Score: 1
  
  "Open Source is not actually a solution to the age-old problem of "Quis custodiet custodes ipsos"."
  
  Yes, it actually is. The key (read Iuvenal) is not needing for a custodio in first place: no custodio, no need to watch over him. So, when the husband is at home, there's no problem; it is when he must travel that he needs a guardian over his wife but, hell, who watches over the guardian not to be himself his wife's lover? (no: having an eunuch for a guardian is not the solution, as Iuvenal states on this very satire).
  
  That means that it's only the software you can't directly see (like the travelling husband) the one that needs a guardian. Open Source allows you to see the code just as the husband can see his wife when he's at home and the 'quis qustodiet' problem disappears. Of course, there're husbands blind enough for their wives to engage lovers even if they not travel but this definetly is not the 'quis custodiet' problem.
  
  "It just has to be proved trustworthy"
  
  By who's word? This *is* the very 'quis custodiet' problem, just as Diebold clearly demonstrates.
Security through obscurity: slashdot approach by Anonymous Coward · 2008-01-29 15:36 · Score: 0

It seems that the direction of slashdot has decided to make it difficult to read the good but controversial posts by removing the option from the main page. The default is now "Read the posts that suck", and go through hoops to reach the rest.

Already, dealing with the new display style was a pain in the ass to deal when using Firefox...
CCTV - HDTV by Anonymous Coward · 2008-01-29 15:42 · Score: 1, Informative

"Even if you do catch it, you'll never be able to identify/recognize/charge/convict the person based on the video image alone. 4CIF at 30 fps is pretty much as good as it gets right now in most feasible installations."

I wouldn't say that.(note the date)
We nerds and geeks need to wake up to theater by mlwmohawk · 2008-01-29 15:44 · Score: 4, Interesting

As a nerd and geek and long time hacker, it is perfectly clear to me that I've been missing the "theater" aspect of the technology that I love.

Take Linux for instance. I have had varying levels of success getting non-geeks to use it, but what is missing is the warm and fuzzies that make it psychologically comfortable to not be using Windows or a Macintosh.

There are two sides to change of any kind. (1) The actual details of change. (2) The psychological affirmation that it is worth the effort. No matter how valid the argument presented by the first, if it does not provide the second, it will fail.

If we wish to push Linux, we have to create theater around it.
1. Re:We nerds and geeks need to wake up to theater by prxp · 2008-01-29 16:32 · Score: 1
  
  And you think that's the reason Scheneier does what he does, right?
2. Re:We nerds and geeks need to wake up to theater by MightyYar · 2008-01-29 16:38 · Score: 1
  
  Take Linux for instance. I have had varying levels of success getting non-geeks to use it, but what is missing is the warm and fuzzies that make it psychologically comfortable to not be using Windows or a Macintosh. The warm and fuzzies is better known as Microsoft Office with Outlook.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
3. Re:We nerds and geeks need to wake up to theater by novakyu · 2008-01-29 18:44 · Score: 1
  
  Take Linux for instance. Don't you mean GNU/Linux? There is already a "theater" fo GNU/Linux: Freedom. We are not just fighting for technical superiority, we are fighting for the freedom of the people—just like a secure e-voting machine would, by the way of allowing fair and efficient election to be held.
  
  Why would you go looking for a "theater", when you have such a ready-made cause (one that's been around for over two decades, no less!) for you? All you have to do is join.
4. Re:We nerds and geeks need to wake up to theater by zcat_NZ · 2008-01-29 19:02 · Score: 1
  
  This is why I always install avscan and firestarter when setting up Linux for recently defenestrated users...
  
  --
  455fe10422ca29c4933f95052b792ab2
5. Re:We nerds and geeks need to wake up to theater by zcat_NZ · 2008-01-29 19:10 · Score: 1
  
  There isn't the "Black Ice stopped a portscan" "AVG detected a virus" "Adaware detected 3275 cookies which could have reporting your every move directly to the NSA" "Windows has detected a NEW MOUSE!! OMFG!! [Allow] [Deny]" kind of security theatre though...
  
  --
  455fe10422ca29c4933f95052b792ab2
6. Re:We nerds and geeks need to wake up to theater by novakyu · 2008-01-29 19:35 · Score: 2, Interesting
  
  I guess it might be just me ... but some of those sound like those annoying popups these "security" applications have.
  
  A colleague of mine has something called "Comodo" on some kind of paranoid mode on his computer, and whenever I use his computer (we share it because in addition to being his office computer, it's also used for some common task), it's annoying. I think I usually see something around 1 popup a minute, like "pidgin.exe is writing to XXX", allow or deny? "blah.com attempted to connect to xxx.xx.xxx.xxx", allow or deny?
  
  Unless I am the only one really annoyed by those needless warnings that condition the user into clicking "allow" for everything, I'm not sure if that's such a good thing.
  
  Anyways. If you are looking for a simple catch phrase that might impress others, I think uptime of most GNU/Linux servers might be a good thing (this is "security" in a different sense---security from developer idiocy)---my notebook didn't need any reboots for a month or longer (numerous hibernations, though), until some proprietary application wanted me to reboot (for no apparent reason) and I naively followed, until I realized that neither the application nor its author had a freaking clue about how things are in GNU/Linux (or, indeed, simple Unix) world.
7. Re:We nerds and geeks need to wake up to theater by Anonymous Coward · 2008-01-29 22:51 · Score: 0
  
  You mean you get pins and needles trying to use it?
8. Re:We nerds and geeks need to wake up to theater by mlwmohawk · 2008-01-30 01:39 · Score: 1
  
  Why would you go looking for a "theater", when you have such a ready-made cause
  
  Yes, I used to have that attitude, but in the past few years, I have sort of changed my mind. When you think that half the people you meet are below average intelligence.
  
  Time and again, I've seen people too afraid or too unenthusiastic to use or stay with Linux. I've told them the arguments, they all say they agree, they all say they hate Windows, but they go back because they are comfortable with it. That's what "Cheerleaders" and fans do at a football game, they add a psychological support and create "comfort."
  
  With all the marketing that Microsoft puts out, even with all the crap that Windows has/is, people still feel better using it. The cheerleading adds rah! rah! to Windows use. It doesn't make sense to me, but it is a fact.
  
  We Linux users have made that psychological leap that is more than just the facts. People who are more emotional in their thinking, need the emotional comfort probably more than the comfort. To bring it back to the originalk argument, that's why people buy stuff that makes them "feel" secure as opposed to actually being secure.
9. Re:We nerds and geeks need to wake up to theater by TubeSteak · 2008-01-30 03:03 · Score: 1
  
  Anyways. If you are looking for a simple catch phrase that might impress others, I think uptime of most GNU/Linux servers might be a good thing (this is "security" in a different sense---security from developer idiocy)---my notebook didn't need any reboots for a month or longer If you can patch holes without re-booting and people actually do so, then sure, the uptime of GNU/Linux servers is a good thing.
  
  Otherwise, you just end up with a bunch of rooted Linux boxes spewing spam and hosting phishing sites. Wait a second... that's kinda like how things are right now.
  
  You can only do so much @ the OS level to avoid problems caused between the keyboard and the chair.
  
  --
  [Fuck Beta]
  o0t!
10. Re:We nerds and geeks need to wake up to theater by everphilski · 2008-01-30 03:23 · Score: 0, Flamebait
  
  Don't you mean GNU/Linux? There is already a "theater" fo GNU/Linux: Freedom. We are not just fighting for technical superiority, we are fighting for the freedom of the people--just like a secure e-voting machine would, by the way of allowing fair and efficient election to be held.
  
  Because 99% of us don't give a crap about RMS's holy war. We just want to get our work done.
  
  (and re: your followup to this thread, my Vista notebook has greater than 3 months uptime ... 1 reboot in 6 months of owning it)
11. Re:We nerds and geeks need to wake up to theater by IamTheRealMike · 2008-01-30 04:27 · Score: 2, Insightful
  
  Linux has its own security theatre ... the idea that "root vs user" DAC is sufficient to stop malware/viruses etc, when in reality it does no such thing (consider the permissions needed to do the things most botnets do). If I had a penny for every time I see a Linux user tell some hapless n00b that Linux is more secure than Windows because you don't have to run as superuser, I'd be a very rich guy.
12. Re:We nerds and geeks need to wake up to theater by zcat_NZ · 2008-01-30 19:28 · Score: 1
  
  I totally agree.. a virus is only a program after all. SUDO will be about as effective at stopping Linux malware as UAC is at stopping Windows malware.
  
  One thing that actually does make a difference; package management. I'm really trying to get Linux noobs away from the idea that you go to a website, download something, and run it as the normal way of installing software in Linux.. Add about three repositories beyond the default ubuntu ones and you have just about every piece of useful software that can run on Linux a mere Synaptic-checkbox away.
  
  --
  455fe10422ca29c4933f95052b792ab2
13. Re:We nerds and geeks need to wake up to theater by geekoid · 2008-02-08 10:06 · Score: 1
  
  "When you think that half the people you meet are below average intelligence."
  haha, well since you don't understand averages, clearly you are on the low side of things.
  
  Please stop opening your mouth.
  
  "We Linux users..."
  there is your problem, everything is Us and Them in all your posts. The world is gray, no black and white.
  
  Maybe you only use Linux because that's what you are comfortable with?
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
14. Re:We nerds and geeks need to wake up to theater by mlwmohawk · 2008-02-08 12:10 · Score: 1
  
  "When you think that half the people you meet are below average intelligence."
  haha, well since you don't understand averages, clearly you are on the low side of things.
  
  Perhaps you don't understand what an "average" is. It is a number created by the sum of entries divided by number of entries. There need not ever be an actual entry that equals the average. Of course we have to assume that the curve is fairly symmetrical.
  
  Aside from the obvious assumptions, it was supposed to be a representative comment not a mathematical theory.
  
  Please stop opening your mouth.
  
  Apparently you need to open your mouth to type? I do not suffer from that disability.
  
  "We Linux users..."
  there is your problem, everything is Us and Them in all your posts. The world is gray, no black and white.
  
  I agree the world is a very gray place, but it is absurd to assume that there are no black and white issues.
  
  Maybe you only use Linux because that's what you are comfortable with?
  
  Maybe you don't know enough to say anything meaningful
Video of Presentation by Anonymous Coward · 2008-01-29 15:52 · Score: 2, Informative

http://linux.conf.au/programme/wednesday
1. Re:Video of Presentation by Anonymous Coward · 2008-01-29 17:04 · Score: 0
  
  It's probably worth linking to this from the main article - the mirror has gobs of bandwidth.
Obligatory Bruce Schneier Fact by kwabbles · 2008-01-29 16:07 · Score: 1

Bruce Schneier expects the Spanish Inquisition.

--
Just disrupt the deflector shield with a tachyon burst.
1. Re:Obligatory Bruce Schneier Fact by Anonymous Coward · 2008-01-29 18:12 · Score: 0
  
  In Soviet Russia, the Spanish Inquisition expects YOU!
Schneier is an expert of the chaos! by prxp · 2008-01-29 16:22 · Score: 0, Redundant

Bruce Scheneier specializes himself on saying the obvious about the chaos. In other words, he is an expert on publicizing what most serious researches already know about general security flaws and problems. I dare anyone to find any real, down to earth, proposal from this man that would mitigate any of the problems he so easily evidentiates.
1. Re:Schneier is an expert of the chaos! by BlackCreek · 2008-01-30 03:15 · Score: 1
  
  I dare anyone to find any real, down to earth, proposal from this man that would mitigate any of the problems he so easily evidentiates.
  well, he did write Applied Cryptography http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099 didn't he? If you are unaware of the importance of that book for the general practice of cryptography, please take a look in the reviews at Amazon. They make much more justice to the book than what I would be able to do here.
  
  And please don't start complaining that book is not "down to earth". Simplifying is a good thing, oversimplifying a complex subject is not.
2. Re:Schneier is an expert of the chaos! by jorenko · 2008-01-30 04:13 · Score: 1
  
  First, every major problem needs a good publicist to expose it properly; this can be a job in and of itself and Bruce does a good job of it.
  Second, he runs a company that sells solutions to these problems as well; contract him out to fix them for you and see how he does before you criticize him on that front.
3. Re:Schneier is an expert of the chaos! by prxp · 2008-01-30 08:24 · Score: 1
  
  Let me make my point more clear. Imagine a building on fire. Among the people trapped inside it, Scheneier is the guy who keeps running around screaming: "Wee all gonna burn to death!"
That's why we have Compiz & Emerald... by Anonymous Coward · 2008-01-29 16:52 · Score: 0

I must admit, the desktop cube is a luxury we could live without - but until I tried it, I did not realize that it is useful: Compiz makes the multi-desktop environment much more accessible during actual work sessons. It's an ergonomic success story.

The theater of wobbly windows with transparent borders, the 3D close order drill app switcher, and of course the dancing cube effect, break the non-user's paradigms about (and against) Linux in about 20 seconds.
Its futile. by madbawa · 2008-01-29 16:52 · Score: 1

There's no point in designing a good security system that provides 'actual' security coz Schneier can hack it with one roundhouse kick to the keyboard.
The Reality and Perception of Security by canterbury+rod · 2008-01-29 17:40 · Score: 4, Insightful

In Bruce Schneier's keynote address at Linux.conf.au, he essentially admonishes that "security theater" is not only a necessity, it's a critical component that needs to accompany real security solutions. In the article, he states
the best security solution will fail if it doesn't cater to both the reality and perceptions to do with security. He's affirming that sales in the marketplace will be driven when security theater and real security products are matched. That's when end-users will also experience a real sense of security.
1. Re:The Reality and Perception of Security by TubeSteak · 2008-01-30 03:09 · Score: 1
  
  He's affirming that sales in the marketplace will be driven when security theater and real security products are matched. No, he's saying that "the best security solution will fail if it doesn't" do more than just provide security.
  That's when end-users will also experience a real sense of security. Observable reality shows that end-users already experience a "real" sense of security and that security theater currently does a great job driving sales in the market place.
  
  --
  [Fuck Beta]
  o0t!
2. Re:The Reality and Perception of Security by Anonymous Coward · 2008-01-30 07:16 · Score: 0
  
  Bruce is speaking from experience. His company Counterpane basically has been getting their asses kicked by lots of other "snake-oil" security types out there, and it has finally dawned on him that they need to adopt some of the slick techniques of their competitors.
  
  Not very surprising, really.
In other beatings . . . by Anonymous Coward · 2008-01-29 17:41 · Score: 0

"if you allow yourself to be victimized you will die.. but if you step up and stop hijackers there is no way to hijack a plane."

Sorry, but I don't think you're being entirely fair to all the people who died on 9/11. The people didn't "allow" themselves to victimized. They went in with the expectation that this would be like any other hijacking up to that time. In hindsight this wasn't the case, but it's not fair to penalize people for making a reasonable decision at the time.

"All in all, I wish the government would just let the market decide. "

All in all capitalism with it's "lowest common denominator" economics and decisionmaking is a poor tool against an irrational force like terrorism.
1. Re:In other beatings . . . by novakyu · 2008-01-29 18:24 · Score: 1
  
  All in all capitalism with it's "lowest common denominator" economics and decisionmaking is a poor tool against an irrational force like terrorism. I don't see how terrorism is irrational. It is very rational. In fact, it is most rational thing some people can do. It's quite as simple as:
  
  1. We meddle in other countries' affairs.
  2. We tick the locals off.
  3. The locals want to kill us.
  
  It's as old as the "an eye for an eye." Are you saying that the oldest legal code in the western tradition is irrational? Are you saying that the Bible is irrational?
  
  Well, maybe they are. But, if they are, then these terrorists are not any more irrational than the people held as saints in world's religions (and I don't mean just Islam), well, perhaps with the exception of Buddhism, but I don't know much about that.
2. Re:In other beatings . . . by Calinous · 2008-01-29 20:06 · Score: 1
  
  "Are you saying that the oldest legal code in the western tradition is irrational?"
  
  I think this comes from the Bible (The Old Testament). Its point of origin is known as the Middle East.
  I don't know about western traditions - the Gauls or others
3. Re:In other beatings . . . by QuantumG · 2008-01-30 01:42 · Score: 1
  
  The people didn't "allow" themselves to victimized. They went in with the expectation that this would be like any other hijacking up to that time. And let them selves be a victim of it because they figured it would be over soon. In other words, they failed to take action because they believed no action was necessary.. but if they had always taken action then no hijackings, ever, would have occurred because hijackers would have known that airline passengers are not willing to be victims. As it is now, airline passengers are willing to be victimized before they even get on the plane!
  
  --
  How we know is more important than what we know.
4. Re:In other beatings . . . by novakyu · 2008-01-30 01:42 · Score: 2, Informative
  
  I think this comes from the Bible (The Old Testament). Its point of origin is known as the Middle East.
  I don't know about western traditions - the Gauls or others Egh. I was feeling lazy, but here is the Wikipedia page about it. While most people may know it first from the Bible, I think it's the Codex Hammurabi that's often credited for having that written down first.
  
  I am not a lawyer or a law student (so whatever I speak of "tradition of legal code" would be out of my arse), but this is the first written code of law to the west of China (and that's what I mean by "western"; like it or not, the Middle "East" and Muslims had frequent interaction with Europe, at least enough so if you want to divide the world into "East" and "West", they would fall in with "West"), so it must mean *something*.
5. Re:In other beatings . . . by Anonymous Coward · 2008-01-30 14:20 · Score: 0
  
  "I think this comes from the Bible"
  
  The "an eye for an eye" code is Hammurab's which was from... Iran (well, ancient Mesopotammi).
It's Still Dumb! by Jane+Q.+Public · 2008-01-29 18:28 · Score: 2, Interesting

These "perception of security" things are still bad, because they create REAL threats to security, in the name of trying to make people feel more secure.

I will take the reality over a false perception, any day.
1. Re:It's Still Dumb! by Anonymous Coward · 2008-01-30 02:17 · Score: 0
  
  Unfortunately, you don't have that choice when it comes to society as a whole as opposed to your own personal security.
  
  The only choices are have are snake oil - making people feel good without actually doing anything - or making people feel good *while also* actually doing something. "Actually doing something without making people feel good" would require an intelligent population that doesn't swallow every last bit of FUD and fear-mongering bait, hook and sinker, but we don't have that.
  
  Don't confuse the way things OUGHT to be with the way things ARE. A less-than-perfect solution that works in reality is better than a perfect solution that doesn't - and can't.
2. Re:It's Still Dumb! by Jane+Q.+Public · 2008-01-30 04:15 · Score: 1
  
  I was not. I was referring to the way things ARE: creating real security, privacy, and freedom problems in the name of making people FEEL more secure. Like DCMA, DHS, NSA, telcom surveillance, and so on... the list is very long.
  
  It is not necessary to CREATE real (and sometimes even worse) problems in the name of "feel good". Yet that is what they HAVE been doing. There is nothing "ought" about it. It is not unrealistic to want them to cease problematic practices in favor of those that do not cause more problems than they solve.
3. Re:It's Still Dumb! by Translation+Error · 2008-01-30 06:22 · Score: 1
  
  No, "perception of security" is bad when the perception is more optimistic than the reality (for obvious reasons), but people feeling afraid and insecure when they actually aren't at much risk is bad, too. For example, consider the somewhat recent childhood immunization scare--a lot of parents thought that they weren't safe and didn't get their children vaccinated, putting their children's (and the community's) health at risk.
  
  Even if something is secure (or safe), it won't be as effective as it can if people don't believe it can be trusted.
  
  --
  When someone says, "Any fool can see ..." they're usually exactly right.
4. Re:It's Still Dumb! by Jane+Q.+Public · 2008-01-30 18:34 · Score: 1
  
  I don't disagree with you... please re-read what I wrote above. We are saying pretty much the same things, except that I am adding that the very real security threats they are creating with these "feel good" measures ARE much worse than the optimistic views they create. They not only create false hope, they make things ACTUALLY worse. So the "secure feeling" is in proportion more falsely and unrealistically optimistic than before. And that is a Bad Thing.
  
  Of course that is a generalization, but a good one. Many of the "feel good" measures they have been pushing off on us, like TSA at airports, passports with RFID, the attempt at passing the "Real ID" Act (what a sad joke) and a whole very long list of other things, actually do between very little and nothing to increase real security, and at the same time introduce actual threats to freedom and security that are in many ways much worse than the problems they are trying to solve. So the little amount of "secure feeling" they create is overwhelmed by the ACTUAL worse security that they create.
  
  In order for your scenario to be effective, the "good feelings" would have to be accompanied by actual improvements -- or at least no worsening -- of actual security. Sadly, that is not what they have been doing, and that is not what we have been getting. Quite the contrary.
Ah...NOW I get it! by hyades1 · 2008-01-29 18:51 · Score: 2, Insightful

I guess this would explain why just about everybody in Canada thinks crime is on the increase, even though the numbers conclusively prove otherwise.
You can't sell security hardware and convince nervous old women to throw away their rights if they know there's a long list of things more important than so-called "security". And a lot of those "nervous old women", by the way, are male, in their 30's, and convinced that everything will be fine if we just forget all that due process nonsense and start trusting the cops to throw the right people in jail.

--
I've calculated my velocity with such exquisite precision that I have no idea where I am.
1. Re:Ah...NOW I get it! by BlackCreek · 2008-01-29 22:32 · Score: 2, Interesting
  
  I guess this would explain why just about everybody in Canada thinks crime is on the increase, even though the numbers conclusively prove otherwise.
  You can't sell security hardware and convince nervous old women to throw away their rights if they know there's a long list of things more important than so-called "security".
  
  I often think about the political impact of the population ageing in Europe (where I live). There is a lot of political analysis about everything but never around the fact that, well, the population is getting on average older, and that older people tend to have a more conservative take on life, and IMO are easier to be made afraid of "different new stuff" (like having more non-Caucasians and/or Muslims living in their society).
  
  The other day I read about strong xenophobic language being used by politicians in Treviso, Italy. It went about how African immigrants were a great danger for the old people. The article was keen to mention that none of the perceived wave of violence was backed by official statistics. (Note that that is just something I read in the news, so I might be missing lots about it).
  In Belgium, and the Netherlands there is often very strong xenophobic language being used by (relatively) successful mainstream politicians.
  As I see it, dangerous foreigners/muslims/immigrants youngsters are really in the forefront of the justifications for the increase in surveillance in Europe nowadays (along with the "think about the children" argument).
  I'm often under the impression that a strong factor in the success of this line of argumentation is the fact that these populations are getting older, affecting not only their own opinion but also the whole cultural tone of their societies.
  I don't argue that that is only the cause, but I think its role its mostly underestimated.
2. Re:Ah...NOW I get it! by hyades1 · 2008-01-30 17:07 · Score: 1
  
  "I'm often under the impression that a strong factor in the success of this line of argumentation is the fact that these populations are getting older, affecting not only their own opinion but also the whole cultural tone of their societies."
  I think you're right...but they're also getting a lot of encouragement from the police, right wing media and others who stand to do well in a climate of fear and paranoia.
  I wonder how many people appreciate that all those cameras aren't going to stop a committed terrorist, but help convince average, law-abiding citizens that the state has every right to stick its nose into their business as a matter of course. Even a successful act of nuclear terrorism would only kill a single city. The erosion of our open societies by people who claim they want to keep us safe is a threat to our whole way of life.
  
  --
  I've calculated my velocity with such exquisite precision that I have no idea where I am.
Electronic Voting Security Theater-DES. by Anonymous Coward · 2008-01-29 19:17 · Score: 1, Insightful

"Show us a modern closed encryption algorithm which does not have significant vulnerabilities. "

DES in stream mode.
1. Re:Electronic Voting Security Theater-DES. by bhima · 2008-01-29 20:19 · Score: 1
  
  DES is not closed. It's not all that modern either.
  
  --
  Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Talk available by retsil · 2008-01-29 23:19 · Score: 1

The talk is available for download from http://mirror.linux.org.au/linux.conf.au/2008/Wed/mel8-305.ogg
if you allow yourself to be victimized you will di by Peter+Simpson · 2008-01-30 01:45 · Score: 1

How true. It's unlikely that 9/11 would succeed again, given the almost 10-to-1 passengers-to-badguys ratio. Even if they're armed, they'll run out of ammo, and a grenade is a threat, not a guarantee of success. I'd rather the TSA start a new campaign along the lines of the title sentence. Maybe make it a little more positive, something like "together, we can do something about it" and encourage individual and group action against threats, rather than treat us all like suspects.

Fat chance of that ever happening, though.
Go *fish! by Mathinker · 2008-01-30 02:26 · Score: 2, Informative

Yeah, that's why Twofish was one of the 5 finalist algorithms of NIST's AES competition.

And Blowfish is still unbroken after 15 years.

I should be such a crappy cryptographer!
Someone has to do it by argent · 2008-01-30 03:24 · Score: 2, Insightful

In other words, he is an expert on publicizing what most serious researches already know about general security flaws and problems.

And the problem with this is what? Given how badly people misunderstand computer security we don't have enough people doing this kind of job.
Bruce, you're too trusting by russotto · 2008-01-30 03:26 · Score: 1

RFID tags (in certain contexts), national ID cards, and public CCTV security cameras aren't there to provide security at all. The "security theater" they provide is just the spoonful of sugar to make the medicine go down. Their real purpose is control of the population. Implement them well enough, and everywhere anyone goes they are watched (CCTV) and tracked (national ID, RFID). And administratively controlled, as well -- "I'm sorry sir, the computer says your national ID is not valid for interstate travel".
CCTV - Worth its weight in parking ticket revenue by kitgerrits · 2008-01-30 03:53 · Score: 1

Over the past few years, the police have installed CCTV in 'problem areas',
so they can monitor more locations with fewer staff at night.
(they can then send an on-duty officer to the site of the crime, if that is any use).

Even though the cameras have been installed for night surveillance,
they are now being used during the day to catch people in the act of 'bad parking'.

Because all the police need for that is an 'observation',
not a verbal conversation or even a ticket on the window,
this makes it very easy to write a lot of tickets without
even leaving the comfort of the control room.

(In the meantime, reports of harassment have failed to drop)

--
"I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
Well Thought Out Mobile SMS Encryption by DonZorro · 2008-01-30 06:33 · Score: 1

With quite a few best practices, familiar GUI, standard crypto algorithms and proximity aware key exchange.

Check out http://www.cryptograf.com/ for CryptoGraf Messaging software for N Series and E Series mobile phones. There's even a free download.

I generate a "Crypto Profile", which is essentially an RSA 1024 or 2048 bit key.
I exchange "Crypto Contacts", which link x.509 certs with phonebook entries.
I send a message, it gets encrypted using the recipient's public key or Crypto Contact.
I read a message, it decrypts using my private key and check the sender's digital signature embedded in the message.

Caveat, 1 encrypted SMS gets blown up to 4 or 8 SMS packets. This is due to 1 text sms being limited to just 160 characters, so there's encryption and digital signature overhead
I can send text MMS instead, since all the overhead fits into one regular MMS.
SimCopter, reporting heavy traffic by darkvizier · 2008-01-30 07:05 · Score: 1

"Subject is hatless...REPEAT...HATLESS!"
This reminds me of SimCopter, where the police would announce "Suspect is wearing brown shoes!" I think Will Wright did that just to piss us off as we strained our eyes to try and find the 1-2 brown pixels on the screen.
Missing a subtlety there by RealProgrammer · 2008-01-30 07:10 · Score: 1

The subtlety is that just because something is closed doesn't mean it's less secure. The principle is that its security should not depend on its closure or obscurity.

A device with a secret algorithm, mechanism, or control is in fact more genuinely secure (tautologically) than a device without it, as long as the device's maker is willing to assume that the bad guys know about it, and doesn't rely on its secret nature. Relying on the secrecy for security means they will be more likely to slip up in other areas. It also means that any flaws in their design will be exposed less quickly. Their security will improve less quickly, in other works, but that doesn't say anything about how good it is.

The trouble is that, parasuit nature being what it is, the management types will rely on the secrecy, and even worse, tout all of their secret goo as a selling point. They never realize that the instant you say, "I've got secret protections!", you no longer have secret protections.

--
sigs, as if you care.
1. Re:Missing a subtlety there by turbidostato · 2008-01-30 14:51 · Score: 1
  
  "The subtlety is that just because something is closed doesn't mean it's less secure."
  
  The subtlety is that because it's closed you must take the word of others regarding its security.
  
  And that's exactly the 'quis custodiet custodes ipsos' problem.
  
  Are you going to take Diebold's word for it?
  Are you going to take some congressman word for it?
  
  As long as someone has a secret on you, you are open for *at least* the secret holder to use it against you.