Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier's Keynote At Linux.conf.au

Posted by kdawson on from the necessary-security-theater dept.

Stony Stevenson writes "Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards, and public CCTV security cameras in his keynote address to Linux.conf.au (currently being held in Melbourne, Australia). These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, Schneier said. The discussion of public security — which has always been clouded by emotional decision making — has been railroaded by groups with vested interests such as security vendors and political groups, he claimed. 'For most of my career I would insult "security theater" and "snake oil" for being dumb. In fact, they're not dumb. As security designers we need to address both the feeling and the reality of security. We can't ignore one. It's not enough to make someone secure, that person needs to also realize they've been made secure. If no-one realizes it, no-one's going to buy it,' Schneier said."

26 of 138 comments (clear)

  1. In other words . . . by base3 · · Score: 3, Insightful

    . . . Bruce has figured out the real money's in security theater, not in security, and he wants a piece of that action.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:In other words . . . by ppanon · · Score: 5, Insightful

      No. What Bruce has realized is that, in the boardroom and the lunchroom (where almost nobody knows any better), security theatre often will kick the ass of real security practices because it's marketed by professional sales teams. It also often can be delivered for less (because it can be priced for what the market will bear).

      If you want real security to be provided, you have to learn to sell it at least as well as the snake-oil. You have to make it sufficiently visible, but non-impeding, that people feel safe.

      It's about understanding the human/political side of the equation that can make the difference between a successful deployment and a perceived failure.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    2. Re:In other words . . . by QuantumG · · Score: 4, Insightful

      It's an interesting theory but are you aware of anyone who thinks the bullshit we go through at the airport is for anything other than appearances? It's not just geeks and smart asses who know this, it is everyone.

      --
      How we know is more important than what we know.
    3. Re:In other words . . . by QuantumG · · Score: 3, Informative

      Uh huh.. I, unfortunately, spend a lot of time in airports.. I've never once seen someone taking off their shoes with a smile on their face.. there's only one thing you think when they tell you to take your shoes off: "oh my god this is bullshit." If your friend actually thinks there is a sensible reason to scan the shoes of flyers then I suggest you get him some psychological help.

      --
      How we know is more important than what we know.
    4. Re:In other words . . . by QuantumG · · Score: 2, Interesting

      Remember how that guy was foiled without the help of scanning and so the scanning of the shoes is completely superfluous?

      --
      How we know is more important than what we know.
    5. Re:In other words . . . by QuantumG · · Score: 3, Insightful

      I think you're laboring under the belief that:

      1. the sole of a shoe can contain any significant amount of explosive
      2. that walking on such a shoe would not cause the explosive to go off
      3. that airport scanner technology can tell the difference between explosives and leather

      None of which are the case. The only thing you could maybe fit in the sole of a very hard soled shoe would be a knife.. which hopefully people realize doesn't give a would-be hijacker any more of an advantage than being unarmed - if 50 scared passengers rush you, it doesn't matter that you have a knife. And that's what should have been the lesson of 9/11: if you allow yourself to be victimized you will die.. but if you step up and stop hijackers there is no way to hijack a plane.

      All in all, I wish the government would just let the market decide. There should be a "no security" terminal where people can catch a plane much as you catch a bus.. buy your ticket, get on the next available flight. If you want to be harrassed, go to the security theater terminal.

      --
      How we know is more important than what we know.
  2. love this line... by Serious+Poo · · Score: 3, Funny

    "tailored to provide the perception of security rather than tackling actual security risks." Isn't this also the mission statement for the TSA?

    --
    "There is nothing more unequal than the equal treatment of unequal people." - Thomas Jefferson
  3. CCTV - Worth its weight in gold by mungmaster2000 · · Score: 5, Interesting

    CCTV almost never captures what you set out to catch. In many organizations, it's a knee-jerk reaction to some kind of incident. ie) Something got pinched, someone received an ass-kicking, etc. Even if you do catch it, you'll never be able to identify/recognize/charge/convict the person based on the video image alone. 4CIF at 30 fps is pretty much as good as it gets right now in most feasible installations. All you'll be able to say is, "Subject is hatless...REPEAT...HATLESS!" (And that's even if he's in the frame). The PTZ will just pan around aimlessly on a tour program, or be pointed at the wrong thing. However, wide-spread deployment of CCTV systems is still not futile; you just usually end up catching something that were never really looking for in the first place. People and vehicular traffic movements, facility useage, or realtime video of an incident in progress that just happens to be going-on in front of the lens. You can establish time frames of entry or exit, or use it to clue-you-in to the right path to finding the real evidence you're looking for. From a security systems perspective, more CCTV is better, but not to mitigate direct and specific threats. Only general ones. Or sometimes you just luck-out and with a good booby shot in the atrium of an office building.

    1. Re:CCTV - Worth its weight in gold by Whiney+Mac+Fanboy · · Score: 2, Funny

      Check out this article.

      These guys would NEVER have been convicted without CCTV.

      Absolute PROOF that CCTV works.

      --
      There are shills on slashdot. Apparently, I'm one of them.
    2. Re:CCTV - Worth its weight in gold by warrigal · · Score: 5, Interesting

      Sometimes cameras can have a deterrent effect. I don't mean those lame dummy cameras, either.

      Just the rumor that we were putting a camera system in our school practically eliminated graffiti

      vandalism in a vulnerable area. The vandalism then took other forms, which were actually more of a problem.

    3. Re:CCTV - Worth its weight in gold by 0racle · · Score: 3, Interesting

      There is a slight difference between keeping a potential thief from doing anything and preventing a terrorist from doing something.

      Burglars choose easy targets. CCTV and alarms make the target more difficult so most move on. Experienced thieves require more then just a sign to keep them away but still, they are for the most part looking for the easy target.

      Terrorism is not a crime of opportunity. You can make the target appear as difficult as you want, all that does is make them plan a little more. The stupid restrictions at the airport do nothing to deter terrorists.

      --
      "I use a Mac because I'm just better than you are."
  4. Schnier's List by jakepmatthews · · Score: 4, Funny

    I think that would of been a catchier title...

  5. Electronic Voting Security Theater by r7 · · Score: 5, Interesting

    For many of the same reasons there is no semblance of a secure electronic voting platform on the horizon. The reason is not that such a platform would be difficult to design. The reason is that it would not be profitable.

    To be secure it would have to be open. In the case of voting platforms that means every line of code, every encryption algorithm, and all the hardware has to be open, published, and known. Nobody has yet figured out how to make enough money from such a system to outspend Diebold's lobbyists and earn considered from election officials.

    1. Re:Electronic Voting Security Theater by cduffy · · Score: 2, Interesting

      For many of the same reasons there is no semblance of a secure electronic voting platform on the horizon.
      Does its support for using paper disqualify punchscan from being "electronic"?
  6. We nerds and geeks need to wake up to theater by mlwmohawk · · Score: 4, Interesting

    As a nerd and geek and long time hacker, it is perfectly clear to me that I've been missing the "theater" aspect of the technology that I love.

    Take Linux for instance. I have had varying levels of success getting non-geeks to use it, but what is missing is the warm and fuzzies that make it psychologically comfortable to not be using Windows or a Macintosh.

    There are two sides to change of any kind. (1) The actual details of change. (2) The psychological affirmation that it is worth the effort. No matter how valid the argument presented by the first, if it does not provide the second, it will fail.

    If we wish to push Linux, we have to create theater around it.

    1. Re:We nerds and geeks need to wake up to theater by novakyu · · Score: 2, Interesting

      I guess it might be just me ... but some of those sound like those annoying popups these "security" applications have.

      A colleague of mine has something called "Comodo" on some kind of paranoid mode on his computer, and whenever I use his computer (we share it because in addition to being his office computer, it's also used for some common task), it's annoying. I think I usually see something around 1 popup a minute, like "pidgin.exe is writing to XXX", allow or deny? "blah.com attempted to connect to xxx.xx.xxx.xxx", allow or deny?

      Unless I am the only one really annoyed by those needless warnings that condition the user into clicking "allow" for everything, I'm not sure if that's such a good thing.

      Anyways. If you are looking for a simple catch phrase that might impress others, I think uptime of most GNU/Linux servers might be a good thing (this is "security" in a different sense---security from developer idiocy)---my notebook didn't need any reboots for a month or longer (numerous hibernations, though), until some proprietary application wanted me to reboot (for no apparent reason) and I naively followed, until I realized that neither the application nor its author had a freaking clue about how things are in GNU/Linux (or, indeed, simple Unix) world.

    2. Re:We nerds and geeks need to wake up to theater by IamTheRealMike · · Score: 2, Insightful

      Linux has its own security theatre ... the idea that "root vs user" DAC is sufficient to stop malware/viruses etc, when in reality it does no such thing (consider the permissions needed to do the things most botnets do). If I had a penny for every time I see a Linux user tell some hapless n00b that Linux is more secure than Windows because you don't have to run as superuser, I'd be a very rich guy.

  7. Video of Presentation by Anonymous Coward · · Score: 2, Informative

    http://linux.conf.au/programme/wednesday

  8. Re:Success... by ScrewMaster · · Score: 2, Insightful

    This is an argument I have to make with friends when I claim that Bush-Cheney is the most successful administration in US history. I agree with exactly ZERO of what they have done but as far as scaring the shit out of people, robbing us blind, and in general being dicks you cannot argue that they are unsuccessful.

    It's all about your frame of reference.

    I think of these things as kind of like an electric heater. Most people would argue that an electric heater is one of the most inefficient devices known to mankind. However, when viewed with the proper perspective, it's anything but. Put it this way: an electric heater is basically designed to waste power by transducing electrical energy into heat and spewing it into the immediate environment. A heater does this with virtually no losses. Therefore, an electric heater is almost 100% efficient, as long as there's nothing coming out of it that doesn't qualify as waste.

    Which pretty much describes the Bush Administration.

    --
    The higher the technology, the sharper that two-edged sword.
  9. The Reality and Perception of Security by canterbury+rod · · Score: 4, Insightful
    In Bruce Schneier's keynote address at Linux.conf.au, he essentially admonishes that "security theater" is not only a necessity, it's a critical component that needs to accompany real security solutions. In the article, he states

    the best security solution will fail if it doesn't cater to both the reality and perceptions to do with security. He's affirming that sales in the marketplace will be driven when security theater and real security products are matched. That's when end-users will also experience a real sense of security.
  10. It's Still Dumb! by Jane+Q.+Public · · Score: 2, Interesting

    These "perception of security" things are still bad, because they create REAL threats to security, in the name of trying to make people feel more secure.

    I will take the reality over a false perception, any day.

  11. Ah...NOW I get it! by hyades1 · · Score: 2, Insightful

    I guess this would explain why just about everybody in Canada thinks crime is on the increase, even though the numbers conclusively prove otherwise.

    You can't sell security hardware and convince nervous old women to throw away their rights if they know there's a long list of things more important than so-called "security". And a lot of those "nervous old women", by the way, are male, in their 30's, and convinced that everything will be fine if we just forget all that due process nonsense and start trusting the cops to throw the right people in jail.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:Ah...NOW I get it! by BlackCreek · · Score: 2, Interesting

      I guess this would explain why just about everybody in Canada thinks crime is on the increase, even though the numbers conclusively prove otherwise.

      You can't sell security hardware and convince nervous old women to throw away their rights if they know there's a long list of things more important than so-called "security".

      I often think about the political impact of the population ageing in Europe (where I live). There is a lot of political analysis about everything but never around the fact that, well, the population is getting on average older, and that older people tend to have a more conservative take on life, and IMO are easier to be made afraid of "different new stuff" (like having more non-Caucasians and/or Muslims living in their society).

      The other day I read about strong xenophobic language being used by politicians in Treviso, Italy. It went about how African immigrants were a great danger for the old people. The article was keen to mention that none of the perceived wave of violence was backed by official statistics. (Note that that is just something I read in the news, so I might be missing lots about it).

      In Belgium, and the Netherlands there is often very strong xenophobic language being used by (relatively) successful mainstream politicians.

      As I see it, dangerous foreigners/muslims/immigrants youngsters are really in the forefront of the justifications for the increase in surveillance in Europe nowadays (along with the "think about the children" argument).

      I'm often under the impression that a strong factor in the success of this line of argumentation is the fact that these populations are getting older, affecting not only their own opinion but also the whole cultural tone of their societies.

      I don't argue that that is only the cause, but I think its role its mostly underestimated.

  12. Re:In other beatings . . . by novakyu · · Score: 2, Informative

    I think this comes from the Bible (The Old Testament). Its point of origin is known as the Middle East.
    I don't know about western traditions - the Gauls or others Egh. I was feeling lazy, but here is the Wikipedia page about it. While most people may know it first from the Bible, I think it's the Codex Hammurabi that's often credited for having that written down first.

    I am not a lawyer or a law student (so whatever I speak of "tradition of legal code" would be out of my arse), but this is the first written code of law to the west of China (and that's what I mean by "western"; like it or not, the Middle "East" and Muslims had frequent interaction with Europe, at least enough so if you want to divide the world into "East" and "West", they would fall in with "West"), so it must mean *something*.
  13. Go *fish! by Mathinker · · Score: 2, Informative

    Yeah, that's why Twofish was one of the 5 finalist algorithms of NIST's AES competition.

    And Blowfish is still unbroken after 15 years.

    I should be such a crappy cryptographer!

  14. Someone has to do it by argent · · Score: 2, Insightful

    In other words, he is an expert on publicizing what most serious researches already know about general security flaws and problems.

    And the problem with this is what? Given how badly people misunderstand computer security we don't have enough people doing this kind of job.