Slashdot Mirror


Inside The Twisted Mind of Bruce Schneier

I Don't Believe in Imaginary Property writes "Bruce Schneier has an essay on the mind of security professionals like himself, and why it's something that can't easily be taught. Many people simply don't see security threats or the potential ways in which things can be abused because they don't intend to abuse them. But security pros, even those who don't abuse what they find, have a different way of looking at things. They always try to figure out all the angles or how someone could beat the system. In one of his examples, Bruce talks about how, after buying one of Uncle Milton's Ant Farms, he was enamored with the idea that they would mail a tube of live ants to anyone you asked them to. Schneier's article was inspired by a University of Washington course in which the professor is attempting to teach the 'security mindset.' Students taking the course have been encouraged to post security reviews on a class blog."

208 comments

  1. Destructive mindset by wces423 · · Score: 5, Insightful

    This article just confirms my belief that a good security professional needs to have a destructive mindset. You need to feel the urge to abuse the system as soon as you have seen it. I was not good at it, quit security research to join development!

    1. Re:Destructive mindset by Anonymous Coward · · Score: 0, Troll

      This article confirms to me that Bruce Schneier is an egomaniac, without much good reason. What has he ever done? He wrote a crappy as hell book that people like because they don't understand it. He did blowfish, which is one of a MILLION symmetric crypto systems, which btw, is totally easier than public key crypto, and he did a recent entry to the AES contest, but it wasn't his work it was with other people, and it turned out to suck anyway if you read the reviews of it.

    2. Re:Destructive mindset by andy666 · · Score: 3, Insightful

      Yes, but more like "ooooh look at the dark and deep mind of Bruce Schneier, he is so brilliant." He's so dramatic about it. Jesus, a lot of people do security, why does he think he understands all of them? It's another branch of computer science - not being James Bond. In fact I went into security after college because of the allure, but in fact the daily things that have to be done are not that glamorous, and have little to do with his strange psychological theories. And I agree, the book is overrated.

    3. Re:Destructive mindset by iamdrscience · · Score: 4, Funny

      You two should be careful about criticizing Bruce Schneier. His fists are tattooed with "Bob" and "Alice" and if you get on his bad side, he'll exchange keys all over your face.

    4. Re:Destructive mindset by strider44 · · Score: 1

      He did blowfish, which is one of a MILLION symmetric crypto systems, which btw, is totally easier than public key crypto

      Don't comment when you obviously with that statement showed you have only a little bit of an idea about cryptography.

    5. Re:Destructive mindset by Anonymous Coward · · Score: 0

      It's true that symmetric cryptography is not trivial, but public key wasn't invented until the 1970s. It is HARDER.

    6. Re:Destructive mindset by strider44 · · Score: 1

      Why does it have to be destructive? It's not so much the urge to abuse the system, it's more the urge to see what it's capable of, even the things not intended by the creator.

    7. Re:Destructive mindset by strider44 · · Score: 1, Interesting

      Why does being invented later mean that it's harder? Usually it goes the other way around - people find better and easier ways of doing things.

      For an example of how hard symmetric key cryptography is consider this: The session key exchange algorithm that is in most common use (Diffie Hellman) was invented in 1976. The public key cryptographic algorithm most commonly in use now (RSA) was invented in 1973. These haven't been broken. The current symmetric algorithm in use was invented in 2000 and the reason is that every previous algorithm was broken. There are dozens of attacks against symmetric algorithms and almost none against public key cryptography. While symmetric cryptography isn't nearly as hard as hashing, it's still pretty damn hard.

      (also, RSA can be implemented in about five lines of code. Not quite as easy for AES)

    8. Re:Destructive mindset by SL+Baur · · Score: 2, Funny

      Bruce talks about how, after buying one of Uncle Milton's Ant Farms, he was enamored with the idea that they would mail a tube of live ants to anyone you asked them to.

      I had the board game when I was very young. I also remember the spanking I got when I brought a container of ants into the house. Dad, they can't get out! Ouch!
    9. Re:Destructive mindset by cbart387 · · Score: 4, Funny

      Even if you're not 'Eve'?

      --
      Lack of planning on your part does not constitute an emergency on mine.
    10. Re:Destructive mindset by qbzzt · · Score: 4, Insightful

      In fact I went into security after college because of the allure, but in fact the daily things that have to be done are not that glamorous, and have little to do with his strange psychological theories.

      Implementing security procedures is not at all glamorous, and does not require more than understanding the system to which they apply. Writing security procedures in such a way that they will be difficult to abuse requires a twisted mind. Doing it correctly, so the procedures properly balance security and availability, requires a mind that is twisted and straight at the same time.

      --
      -- Support a free market in the field of government
    11. Re:Destructive mindset by Splab · · Score: 1

      (also, RSA can be implemented in about five lines of code. Not quite as easy for AES)


      Could we please please PLEASE! stop talking about programs in terms of lines of code?? It makes no sense! You can't just claim something is a oneliner - I can create and populate a huge database with one line of code, just remove all line breaks and voila.

      Even when you limit it to say "it's 5 function calls" or something like that it still makes no sense, one of those function calls could be to libEverything calling some god forsaken huge library that does everything...
    12. Re:Destructive mindset by Anonymous Coward · · Score: 4, Insightful

      At least he has accomplished something notable, which is a heck of a lot more than can be said for an anonymous post criticizing said noteworthiness.

    13. Re:Destructive mindset by Registered+Coward+v2 · · Score: 3, Insightful

      This article just confirms my belief that a good security professional needs to have a destructive mindset. You need to feel the urge to abuse the system as soon as you have seen it. I was not good at it, quit security research to join development!

      I would not say a destructive mindset but rather an inquisitive one - that asks "What possibilities does this open up and how can I use this to other ends?"

      The challenge is to turn that mindset to productive, rather than destructive ends.

      Speaking as one who has done that work; a little paranoia is a good thing as well; because some people are out to get you (and even more are just plain stupid enough to do a dumb thing).

      --
      I'm a consultant - I convert gibberish into cash-flow.
    14. Re:Destructive mindset by somersault · · Score: 1

      Fine. Uh.. RSA can be implemented in.. 8452 operations and using only 3 registers!

      --
      which is totally what she said
    15. Re:Destructive mindset by cardpuncher · · Score: 4, Insightful

      I think it's got more to do with awareness and analysis than destructiveness.

      I remember some years ago now gently trying to persuade a colleague that it was inappropriate to have forwarded the infamous Craig Shergold chain e-mail. Despite widespread publicity, the colleague absolutely refused to believe that there could be anything amiss and insisted I was being mean and cruel to deny the child (even by then cured and in his late teens) his "dying wish" and denounced my callousness to other co-workers.

      There's an advertisement for an animal welfare organisation on British TV at present with pictures of pathetic looking dogs who have been badly beaten ("it's the worst case I've ever seen" says the voice-over) or "used as an ashtray". Finally, at the end of the advertisement the confession, "these are not real cases" - followed with a demand for money anyway, now the viewers have been "softened up".

      Being a sucker for a sob-story isn't "constructive"; knowing that it can be exploited for social engineering isn't "destructive" - unless you regard human gullibility as a positive trait - though it sure can make you unpopular!

    16. Re:Destructive mindset by Anonymous Coward · · Score: 0

      I can create and populate a huge database with one line of code, just remove all line breaks and voila.
      And there goes your bragging rights. :/
    17. Re:Destructive mindset by mattpalmer1086 · · Score: 5, Informative

      Symmetric crypto easier than public key? Are you kidding? Public key is based on simple one-way math functions. It's easy to prove it's secure (with certain assumptions about not being able to solve hard problems, like discrete logs or factoring large numbers). If the maths is solid, you've got a good encryption algorithm. If the single hard maths problem isn't cracked, you're safe. Job done.

      I could probably invent a reasonable public key algorithm with a maths textbook to hand - but no way could I invent a good symmetric crypto algorithm. Symmetric crypto relies on scrambling things up in a way it can't be unscrambled easily. You have to know a *lot* about cryptanalysis to even begin designing one, and you can still become vulnerable to a surprise attack. There is no general way of mathematically proving that how you are doing the scrambling is secure in any way - only that it is resistant to all the known attacks so far.

    18. Re:Destructive mindset by Naughty+Bob · · Score: 1

      This article just confirms my belief that a good security professional needs to have a destructive mindset
      As in 'Set a thief to catch a poacher turned gamekeeper'.
      --
      "Be light, stinging, insolent and melancholy"
    19. Re:Destructive mindset by Anonymous Coward · · Score: 5, Funny

      Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

      Hashes collide because they're swerving to avoid Bruce Schneier.

      And more:
      http://geekz.co.uk/schneierfacts/
      http://geekz.co.uk/schneierfacts/facts/top

    20. Re:Destructive mindset by lightman_wg · · Score: 1

      He did blowfish, which is one of a MILLION symmetric crypto systems, which btw, is totally easier than public key crypto

      I don't get this statement. Easier than public key crypto? Different yes, and I don't get the point you're making.
    21. Re:Destructive mindset by Watson+Ladd · · Score: 1

      What keysize? Is this program length or execution time? What about mems of computation?

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    22. Re:Destructive mindset by jellomizer · · Score: 1

      I think "urge to abuse" is too strong of a phrase. You don't need to feel the need to do it wrong but you do realize ways around things, I see these things all the time that are security nightmares. But I don't feel any urge to try them myself. Because I realize yea it is a security problem but it also makes my life more convenient. You need to get a fair balance between the two.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    23. Re:Destructive mindset by Anonymous Coward · · Score: 0

      [...] with certain assumptions about not being able to solve hard problems, like discrete logs or factoring large numbers [...]

      [...] There is no general way of mathematically proving that how you are doing the scrambling is secure in any way - only that it is resistant to all the known attacks so far.

      It's really interesting how you spin the same thing as "totally secure" for asymmetric cryptography and "totally insecure" for the symmetric kind.

    24. Re:Destructive mindset by Anonymous Coward · · Score: 0

      The simplest crypto is the strongest is symmetric: One Time Pads

      As for symmetric key strength vs asymmetric key strength, given the same bit length for each, symmetric keys are FAR stronger than asymmetric because symmetric all bits are fair game while in asymmetric, only those bits related to prime numbers in the same field are usable.

      The only reason asymmetric keys are so popular is because you don't have to communicate the decryption key in advance. Security vs usability.

      Admiral Beotch

    25. Re:Destructive mindset by Anonymous Coward · · Score: 1, Interesting

      You are only half right. The concept, the algorithm, and the math may be correct, but that does *not* mean the product is secure. One of the key problems with cryptography, indeed with most security, is in its implementation. There is a famous quote from Donald Knuth, it goes something like this: "Beware of bugs in the above code. I have only proven it correct, not tested it." Proof does not make a program correct. So often programmers make small but fundamental mistakes that compromise the security of the concept/algorithm. This is part of what Bruce Schneier is talking about - how is it compromised. It is this issue that makes your first assumption wrong as well: "I could probably invent a reasonable public key algorithm with a maths textbook to hand [...]".

    26. Re:Destructive mindset by macslas'hole · · Score: 1

      What has he ever done?

      He outs crap crypto every month on his blog. Are you in his doghouse?

      one of a MILLION symmetric crypto systems

      and approximately 999,900 of those are utter crap. Good crypto is not easy; if you think it is, you probably are in his doghouse.
      --
      Life's a tale told by an idiot, full of sound and fury, signifying nothing.
    27. Re:Destructive mindset by hal9000(jr) · · Score: 1

      It's easy to prove it's secure (with certain assumptions about not being able to solve hard problems, like discrete logs or factoring large numbers) ...snip... I could probably invent a reasonable public key algorithm with a maths textbook to hand - but no way could I invent a good symmetric crypto algorithm.

      First, to make a strong crypto algorithm, you have to prove your assumptions are strong. The caveat with asymmetric key crypto based on factoring large primes is that today, factoring large primes is a difficult problem. But that doesn't mean a more efficient way to factor large primes won't be discovered tomorrow.

      I bet you can't just whip up a new asymmetric key algorithm with a math text book. Talk about arrogance. The reason why there are so few good crypto systems is because creating an algorithm that is sufficiently strong is difficult. Hell, creating a pseudo random number generator is difficult. So maybe you are a genius. If so, then I challenge you to come up with a new asymmetric algorithm based on a math problem other than factoring large primes and have it assessed by the crypto community. You can patent it and make millions off licensing.

    28. Re:Destructive mindset by macslas'hole · · Score: 2, Insightful
      Security and crypto are not branches of computer science. They both existed before CS and are widely applicable outside of CS.

      not being James Bond ... I went into security after college ... not that glamorous

      You sound bitter. Life's a bitch, and then you die. (This being /. you can skip the "marry one" part) Get over it.
      --
      Life's a tale told by an idiot, full of sound and fury, signifying nothing.
    29. Re:Destructive mindset by analog_line · · Score: 2, Insightful

      I would agree. I've got the "security mindset". I used to work in security on the consulting side, trying to fix up people's stuff. Thought about getting into research, but the culture of the security community at the time (right before 9/11) drove me away before I could. A kind of self-hating trifecta of ex-military intelligence grunts looking with disdain at anyone that didn't come out of the armed services, genius technical boffins with all the interpersonal skills of Rain Man, or wild-eyed "Information must be free, damn the consequences" ideologues. Since I don't fit into any one of those stereotypes, I made a lot more enemies than friends (though I did make plenty enough friends, and there are many exceptions to the rule), and decided once it was nigh impossible to find work after 9/11, that a change in direction wasn't such a bad thing after all.

      Now I don't make nearly as much money, but I'm both a lot happier, and my work is a lot more helpful than it was when I was a part of the "security community". Working with little companies, a security mindset can go a very long way. I don't worry about intrusion detection or policy enforcement, or privileges, or password strength, or encryption keys even a quarter as much as I had to before. Not when no one I deal with has a backup system that actually backs anything up (if they have a backup system) when I first walk in the door, or a simple switch of web browsers or e-mail clients will eliminate the lion's share of reasonable attack vectors into their network. Not when they don't understand the concept of patching their operating system. Not when a hands-on explanation of what a phishing e-mail exactly is, what they look like, and what not to do.

      Not that the more complicated stuff doesn't ever come up, because it does, and often I bring it up. I've set up a lot of VPNs lately, stopping people from what they had been doing, which is exposing their file servers directly to the outside world, with no encryption or really ANYTHING other than bad passwords stopping entry. Passwords is a big pet peeve of mine. So many of my customers have passwords that so many people know, or are trivial to guess, that they've started prefacing telling me what a new password is with "I know you're going to hate me" when they tell me the password is something that every employee that has ever been there knows, including the ones that hate the owner's guts. However, I choose to see that as a glass half full. They may not be doing the right thing, but THEY KNOW they're not doing the right thing, and have chosen to continue doing things a different way. Before I showed up and spoke to them in language they understood and took the time to explain how things work, the jargon and fearmongering of the public infosec community (including antivirus software companies) helped them nil. Maybe that kind of stuff works better in bigger organizations (heck, maybe it's the only thing that has any effect in big organizations). Perhaps that's why I couldn't handle bigger organizations and have found a lot more success with the personal touch.

    30. Re:Destructive mindset by Oktober+Sunset · · Score: 1

      He sounds like Butters when he becomes Professor Chaos.

    31. Re:Destructive mindset by sdaemon · · Score: 2, Informative

      Actually, a one-time pad is an excellently secure symmetric cipher, the strength of which is dependent only upon the randomness of the pad (and the mechanism for distributing copies of the pad to the various parties who require it).

      You have to distribute copies of a secure symmetric key anyway. Distributing copies of a OTP is no different.

    32. Re:Destructive mindset by sdaemon · · Score: 1

      Er, and I meant to add "and a good OTP algorithm is simple and can be written in a couple lines of code with an XOR operation in there somewhere."

    33. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      I apologise if I seemed arrogant; I wasn't claiming any great intelligence for myself. I maintain that pretty much *anyone*, with a reasonable understanding of maths and the principles of public key ciphers, would find it possible to design a workable (not necessarily efficient or pragmatic) public key cipher, but most people wouldn't even know where to start with a symmetric cipher.

      The reason there aren't more public key ciphers is not because of a shortage of hard maths problems to pick from, but that the ciphers we have are sufficient, well studied and understood, and security people are quite conservative. In fact, much of the differentiator in them is down to pragmatic reasons, like computational power required to implement them, or that they are standardised and already in widespread use.

      Symmetric crypto, on the other hand, is not based on a simple mathematical problem you can find in a textbook. It is based on "scrambling things up" - a vague concept - in a way that you hope is hard to unscramble, and which is highly dependent on the key. But this isn't based on any single underlying mathematical problem or theory. You can't state that the security of your scrambling is the same as the difficulty of doing x. It takes a lot more understanding and skill to design a symmetric cipher that people can even begin to have any faith in, regardless of how pragmatic it may be to implement.

    34. Re:Destructive mindset by scruffy · · Score: 1

      This doesn't seem so much different from the mindset needed for good programming or good testsets. You need to think of how different inputs or states can cause things to go wrong and then program accordingly.

    35. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      Yes, and in fact, the OTP is the only provable, completely secure crypto in existence! Completely uncrackable - as long as the pad is really random and you don't re-use it.

      It's not quite the same as other symmetric crypto though. You can't re-use the key (the pad) without completely compromising it, but you can with other crypto algorithms, and you need a pad as long as all the messages you ever want to send. So distribution of a useful OTP is much harder.

    36. Re:Destructive mindset by sempernoctis · · Score: 1

      You all seem to be overlooking the fact that symmetric and asymmetric ciphers are two entirely different things with two entirely different applications. Asymmetric algorithms in general take a long time to compute and add padding overhead to every block of data, and symmetric algorithms are impossible to use without a pre-shared private key or some key agreement algorithm (like Diffie-Hellman) that is based on the same principles as asymmetric cryptography.

    37. Re:Destructive mindset by uberdilligaff · · Score: 2, Informative

      Nobody factors large primes, because they're, well, prime. What public key crypto depends on is factoring a large number into its two prime factors. That's what you meant, and that is still a computationally difficult problem.

      --
      Against stupidity, the Gods themselves contend in vain. --Friederich Schiller
    38. Re:Destructive mindset by sempernoctis · · Score: 1

      Public key is based on simple one-way math functions. It's easy to prove it's secure (with certain assumptions about not being able to solve hard problems, like discrete logs or factoring large numbers). If the maths is solid, you've got a good encryption algorithm. If the single hard maths problem isn't cracked, you're safe. Job done.
      Awesome...so if I assume that factoring a 512-bit number is hard, I can build an uncrackable asymmetric cipher based on factoring 512-bit numbers. Oh...wait...shit...factoring large numbers isn't really as hard as we thought it was...oops.

      With symmetric algorithms, we crack them by developing techniques like differential cryptanalysis, and with asymmetric algorithms, we crack them by developing techniques like faster factoring algorithms. We make asymmetric algorithms stronger by increasing the size of the prime numbers, and we make symmetric algorithms stronger by cascading them like we did with 3DES. The reason DES was so short-lived compared to RSA is that the government shortened the key and block sizes to make it weaker. The original version of the algorithm was submitted by IBM and was (one of several algorithms) they named Lucifer. It had a block size equal to the current AES and a key size of 128 bits (one of the three key sizes used by the official AES).
    39. Re:Destructive mindset by sempernoctis · · Score: 1

      I assume you are referring to his Applied Cryptography book, which I own a copy of, and it does contain some very useful technical information (though it is a little out-dated and much of the information is available online these days). I will assume from your flawed comparison of symmetric and asymmetric cryptography that you fall in the category of people who "don't understand".

      To set the record straight, Blowfish became the de facto standard in many cryptographic circles after DES was considered by the cryptographic community to be insecure, and his AES submission (Twofish, which if memory serves was a derivative of Blowfish) was one of the 5 finalists. I won't argue the assertion of his large ego though.

    40. Re:Destructive mindset by sdaemon · · Score: 1

      by its very definition, if you reuse the key, it is no longer a one-time pad :)

      OTP works great if you can distribute a great big bulk of OTPkeydata ahead of time, and use it incrementally in short chunks. The key distribution problem remains the same, it is simply the practice that has to change.
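
Added example, not part of any commenter's post: a Python sketch of the one-time pad as described in the comments above (XOR with pre-shared pad material, consumed incrementally in chunks), and of what is exposed when a chunk is used twice. The names `PadBook`, `otp_encrypt`, `otp_decrypt` and `reuse_leak` and the sample messages are constructed for illustration.

```python
import secrets
from typing import Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """Pre-shared pad material, handed out front to back and never reissued."""

    def __init__(self, material: bytes):
        self._material = material
        self._offset = 0

    def remaining(self) -> int:
        return len(self._material) - self._offset

    def take(self, n: int) -> Tuple[int, bytes]:
        """Return (offset, pad chunk) and advance so the chunk is never reused."""
        if n > self.remaining():
            raise RuntimeError("pad exhausted: new pad material must be distributed")
        start = self._offset
        self._offset += n
        return start, self._material[start:start + n]


def otp_encrypt(book: PadBook, plaintext: bytes) -> Tuple[int, bytes]:
    """Encrypt with a fresh chunk; the offset tells the receiver which chunk."""
    offset, pad = book.take(len(plaintext))
    return offset, xor_bytes(plaintext, pad)


def otp_decrypt(material: bytes, offset: int, ciphertext: bytes) -> bytes:
    """Receiver side: XOR with the same chunk of its own copy of the pad."""
    pad = material[offset:offset + len(ciphertext)]
    return xor_bytes(ciphertext, pad)


def reuse_leak(pad: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an observer gets when one pad chunk encrypts two messages.

    c1 XOR c2 = (p1 XOR pad) XOR (p2 XOR pad) = p1 XOR p2: the pad cancels,
    so knowing or guessing either plaintext reveals the other.
    """
    c1 = xor_bytes(p1, pad)
    c2 = xor_bytes(p2, pad)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    material = secrets.token_bytes(64)      # both parties hold this in advance
    sender = PadBook(material)

    off1, ct1 = otp_encrypt(sender, b"meet at noon!")   # constructed messages
    off2, ct2 = otp_encrypt(sender, b"bring the map")
    print(off1, off2, otp_decrypt(material, off2, ct2))

    # The failure mode: the same 13 pad bytes used for both messages.
    leak = reuse_leak(material[:13], b"meet at noon!", b"bring the map")
    print(xor_bytes(leak, b"meet at noon!"))            # second message, no pad needed
```
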

    41. Re:Destructive mindset by DaleGlass · · Score: 1

      If you refer to Applied Cryptography, it's actually a very interesting and mostly readable book. IMO it's worth reading for anybody working on anything crypto related. At least part of it.

      About half of it is about the theory. This includes things like cryptographic protocols, such as: How to get two parties to exchange information in such a way that one of them can't back off it once they started? A lot of that is quite esoteric, but it's quite interesting, and mostly understandable to a programmer without needing math knowledge.

      The other half is a description of many crypto algorithms, such as, how DES works. This is followed by source listings. That part is probably too hard to understand for people without the relevant knowledge. This is probably interesting for a cryptographer and includes discussion on how the algorithms came to be, but probably won't be useful to 99% of programmers as most people aren't going to implement DES from scratch.

      Then there's Secrets and Lies, which IMO is a bad book for a technical person. It makes a fine gift for somebody who really doesn't get how is all this security stuff supposed to work, but for me it's a "Well, DUH" one after another. It explains what is a DoS, what is the problem with biometrics, etc. Anybody interested in the subjects will be quite familiar with all of that already.

    42. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      Well, the algorithm you link to is a primality test - useful for generating large primes to encrypt with, not for factoring composite numbers into their prime components. And it's a theoretical advance, as even the inventor admits existing primality tests are faster for practical purposes today. So it would make generating very large keys (larger than we use today) easier, but does not help to crack them.

      You are right that the key length of DES was a bit too short, although, the NSA put in some changes that were only understood to increase resistance to differential cryptanalysis later. I think computational power had as much to do with it as any conspiracy.

      You are right that we attack symmetric ciphers by developing new cryptanalytic techniques, and public key ciphers by attacking the maths. However, to date, no-one has made any mathematical advance that would help to practically crack any public key cipher, whereas some practical cryptanalytic attacks on symmetric ciphers have been developed.

      I guess this shouldn't surprise us; public key ciphers are based on maths problems that have defeated everyone for decades, centuries, or even millennia. Symmetric ciphers just don't have an easily defined, underlying problem you can tie the security to, they are based on intuition and knowledge of attacks found so far, as much as anything else.

    43. Re:Destructive mindset by icydog · · Score: 1

      And don't even think about getting near him if you're Mallory...

    44. Re:Destructive mindset by jaeson · · Score: 1

      Symmetric crypto includes a one-time pad. No math textbook necessary, just a list of random bits. The best part is that if the key is truly random, is not reused, and is kept secret, the one-time pad provides *perfect* crypto.

    45. Re:Destructive mindset by BitZtream · · Score: 1

      You do not have the twisted mind that Bruce speaks of.

      There's a lot more to asymmetric cryptography than the math itself. The implementation of the systems that control the whole process, the fact that 'simple' math can not be too 'simple' or it will be easy to brute force, the fact that it has to be usable without a 200 page manual each time you use it. You may be able to open a text book and come up with a theoretical asymmetric algorithm, but it's very likely that you'll miss some trivial implementation detail that blows holes the size of our solar system in it and makes it easy for Bruce to walk all over it.

      Just like symmetric algorithms, public key systems have weak keys, they have ways of solving for the original data that doesn't involve knowing the whole key or the data, but just parts of it, to break it into chunks that can be found quickly, then reassembled to get the original value. I deal with symmetric cryptography daily (I happen to write cryptography software) and personally, given the option of having to write my own algorithm from scratch, if I had to choose from symmetric or asymmetric, I'd personally take my chances with symmetric. It's easier for me to visualize the process due to the fact that it goes both ways, versus having to do everything in a forward only mindset for PKI sort of stuff.

      And if you design a system with a 'single hard maths problem' you've already failed. Part of the cryptography world is providing redundancy in the encryption and verification of the encrypted data. No one uses one algorithm to do anything. You perhaps use one for the encryption portion, but another completely different unrelated one for data verification/tamper detection. Encryption is great at making sure someone can't see your data, but I may not need to see your data, I may just need to corrupt it in such a way that you get the wrong value back out of it, in order to do my evil bidding. I don't need to steal your nuclear launch codes, I just need to trick you into using the ones that redirect the nukes back onto yourself and I've accomplished the same thing, without ever breaking your encryption ... just screwing with it enough to get you to do the work for me!

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
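
Added example, not part of BitZtream's comment: a Python sketch of the point made above that encryption alone does not detect tampering, with an XOR keystream standing in for the encryption step and HMAC-SHA256 under a separate key as the tamper check. The function names, the keystream stand-in and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(keystream: bytes, data: bytes) -> bytes:
    """Confidentiality only. XOR is its own inverse, so this also decrypts."""
    if len(data) > len(keystream):
        raise ValueError("not enough keystream")
    return xor_bytes(data, keystream[:len(data)])


def tamper(blob: bytes, index: int, mask: int) -> bytes:
    """Model an in-transit modification: flip chosen bits of one byte."""
    out = bytearray(blob)
    out[index] ^= mask
    return bytes(out)


def seal(keystream: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC the ciphertext with an independent key."""
    ct = encrypt_only(keystream, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(keystream: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on mismatch."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: message was modified")
    return encrypt_only(keystream, ct)


if __name__ == "__main__":
    keystream = secrets.token_bytes(64)   # stand-in for a cipher's keystream
    mac_key = secrets.token_bytes(32)     # separate key for the integrity check
    msg = b"transfer 0100 to account 42"  # constructed sample message

    # Without a tag: the modified ciphertext decrypts without complaint,
    # and the change lands on the plaintext byte at the same position.
    ct = encrypt_only(keystream, msg)
    print(encrypt_only(keystream, tamper(ct, 10, 0x08)))

    # With encrypt-then-MAC: the same modification is rejected.
    blob = seal(keystream, mac_key, msg)
    print(open_sealed(keystream, mac_key, blob))
    try:
        open_sealed(keystream, mac_key, tamper(blob, 10, 0x08))
    except ValueError as exc:
        print("rejected:", exc)
```
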
    46. Re:Destructive mindset by Anonymous Coward · · Score: 0

      Yeah? Well I heard Bruce Schneier encrypts his messages with ROT13 TWICE and nobody has yet to break the cypher.

    47. Re:Destructive mindset by MikeBabcock · · Score: 1

      Get back to me when you've written a better book, made a more well-circulated mailing list, and have more or better security insights than he does.

      Until then, he really does get the genius points.

      --
      - Michael T. Babcock (Yes, I blog)
    48. Re:Destructive mindset by Brad+Eleven · · Score: 1

      "...it turned out to suck anyway if you read the reviews of it."

      Wow. Good thing I didn't read those reviews.

      Wait, did you say that it sucked iff I read the reviews, or did you mean that it sucked anyway, whether or not I read the reviews, or ... ?

      Heyyyy. Just a minute, there. I've been re-reading your crappy as hell post, and I have concluded that I like it only because I don't understand it. Plus I think it may not have been your own work. I'm waiting for the reviews before I meta-moderate.

      Now where did I put that hash ... ?

      --
      "Press to test."
      (click)
      "Release to detonate."
    49. Re:Destructive mindset by sempernoctis · · Score: 1

      OK, I didn't really read the article I linked to, only the title of it, but there have been recent (within the last 8 years at least) advances in factorization that have contributed to cracking some of the weaker forms of RSA. I just don't have links to them off the top of my head. It should also be noted here that the preferred method of cracking DES is still brute force (there are a couple ways to do better, but they don't do much better). The reason DES is so insecure is mainly because of the key and block size. Most of the problems that both asymmetric and symmetric ciphers are based on, however, never got much attention until modern cryptography was discovered (1960s or 1970s for non-government, sometime between then and WWII for the No-Such-Agency), so it isn't really fair to say that these problems have defeated everyone for centuries. Symmetric ciphers are based on math problems as much as asymmetric ciphers are, it's just that we happen to have a couple math problems like factoring and discrete logs that lend themselves particularly well to simple asymmetric algorithms, and can be easily generalized to arbitrary key lengths.

    50. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      Hmmm... I would still say that public key crypto isn't that hard to implement. It's not the complexity of doing the maths - it's finding the solution that's hard. For example, there aren't really any good shortcuts to factoring a large number. Very, very simple maths - just very difficult to find the answer short of trying all the possible solutions.

      For me anyway, it's way easier than calculating symmetric encryption (with the honorable exception of the OTP!). I can easily implement public key algorithms with just a pen and paper - I've calculated RSA and El Gamal myself. Contrast this with the internal complexities of S-boxes and the Feistel cipher... I would struggle to implement DES accurately on paper, or even to write the software to do it, without making some awful mistake. Of course, your mileage may vary.

      I do agree that security generally implies a much wider set of services than just confidentiality. One of my favorite (simple) examples of this is a student hacking in to his school system to change his grades. The grades are encrypted, which the staff thought made the database invulnerable. The student hacks in, and just copies the encrypted grades from a student he knows generally does well, to his own record. He could never read them, but he didn't have to!

      I'm intrigued that you say there are ways of finding partial solutions to public key encryption - can you give me any links to some results in this area?
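
The grade-copying story in the comment above, and the earlier comment's point about pairing encryption with a separate tamper-detection step, shown as an added example (not part of any poster's comment). The record IDs, grades and keys are constructed, and the keystream is a toy stand-in for a real cipher; the point is the HMAC tag that binds each ciphertext to its record.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nothing ties the blob to a record or detects edits."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _tag(mac_key: bytes, record_id: str, body: bytes) -> bytes:
    """HMAC over the length-prefixed record ID plus nonce and ciphertext."""
    rid = record_id.encode()
    msg = len(rid).to_bytes(2, "big") + rid + body
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, record_id: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, with the record ID authenticated alongside the ciphertext."""
    body = encrypt_only(enc_key, plaintext)
    return body + _tag(mac_key, record_id, body)


def open_sealed(enc_key: bytes, mac_key: bytes, record_id: str, blob: bytes) -> bytes:
    """Verify the tag for *this* record before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, record_id, body)):
        raise ValueError(f"integrity check failed for record {record_id!r}")
    return decrypt_only(enc_key, body)


def _rejected(enc_key: bytes, mac_key: bytes, record_id: str, blob: bytes) -> bool:
    try:
        open_sealed(enc_key, mac_key, record_id, blob)
    except ValueError:
        return True
    return False


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    grades = {"student-A": b"A", "student-B": b"D"}  # constructed sample records
    weak = {sid: encrypt_only(enc_key, g) for sid, g in grades.items()}
    strong = {sid: seal(enc_key, mac_key, sid, g) for sid, g in grades.items()}

    # The story's move: copy one record's encrypted field over another's.
    weak["student-B"] = weak["student-A"]
    strong["student-B"] = strong["student-A"]

    # The other failure mode: one flipped ciphertext bit, no key needed.
    edited_weak = bytearray(weak["student-A"])
    edited_weak[NONCE_LEN] ^= 0x01
    edited_strong = bytearray(strong["student-A"])
    edited_strong[NONCE_LEN] ^= 0x01

    return {
        "weak_copy_reads_as": decrypt_only(enc_key, weak["student-B"]),
        "weak_edit_reads_as": decrypt_only(enc_key, bytes(edited_weak)),
        "strong_copy_rejected": _rejected(enc_key, mac_key, "student-B", strong["student-B"]),
        "strong_edit_rejected": _rejected(enc_key, mac_key, "student-A", bytes(edited_strong)),
        "strong_untouched_reads_as": open_sealed(enc_key, mac_key, "student-A", strong["student-A"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In production the same binding is usually obtained from an AEAD mode such as AES-GCM, passing the record ID as associated data, rather than from hand-assembled primitives.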

    51. Re:Destructive mindset by Anonymous Coward · · Score: 0

      Not only that. Bruce Schneier invented the zero-time pad.

    52. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      You are completely correct: it is far more likely that the implementation will be broken than the underlying algorithm.

      For example, there have been some interesting side-channel attacks on public key crypto algorithms, by exploiting timing differences resulting from common implementations of certain maths functions. These can be used to reveal the key using enough attempts.

      However, this doesn't invalidate my ability to invent the algorithm in the first place!

    53. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      I'm not talking about how secure or insecure the algorithms really are, and I certainly never said either was totally secure or insecure. It's quite possible that in reality, a given symmetric algorithm is much tougher than a public key one. Someone might figure out how to factor large primes tomorrow (quantum computers can actually do this, if they can be scaled up), and then RSA is toast, while 3DES might still be really hard.

      I'm talking about how easy it is to *define* what their apparent security is based on. For public key algorithms, it's easy - it's the same difficulty as the well-defined maths problem they are based on. Most symmetric algorithms aren't based on a single well defined maths problem - they rely on introducing confusion and diffusion in various complex and iterative ways, so it's just not as clear how difficult it may be to break them. If they are resistant to the various attacks that people have figured out so far and seem to statistically diffuse and confuse the plaintext well, then that's as good as we can do.

    54. Re:Destructive mindset by Anonymous Coward · · Score: 0

      certain assumptions about not being able to solve hard problems, like discreet logs or

      What is a discreet log?

    55. Re:Destructive mindset by The+New+Andy · · Score: 1

      Er, you can trivially convert a public key crypto system to a symmetric system (just make the shared key the combination of the private and public key).

    56. Re:Destructive mindset by mattpalmer1086 · · Score: 1

      Well, yes, I suppose you could, although that doesn't really satisfy the normal definition of symmetric ciphers, in which the encryption/decryption keys are either identical, or trivially related. But in principle, I guess you could use a public key cipher like this.

      Then I would have to make the distinction clear, and talk about ciphers that can be securely used asymmetrically versus ones that can't. There would no point in doing this whatsoever as far as I can see, but nicely observed!

    57. Re:Destructive mindset by sjames · · Score: 1

      OK, howsabout RSA is as simple as p^E mod N? :-)

  2. Disappointing by CRCulver · · Score: 3, Interesting

    It seems like ever since Bruce left the cryptography world for general security consulting, he's become less interested in giving useful advice and more interested in self-aggrandizing.

    1. Re:Disappointing by Feminist-Mom · · Score: 2, Insightful

      I think it's all about having written a fat book at the right time and place. I can't stand it, but all my friends have it - yet none of them have read it! It has become the book you have on your shelf to look cool. Another Bruce Schneier pronouncement about his superiority, ah yes... It would be nice if there were more articles here about current developments in cryptography. I've heard more than enough from Schneier. There are MANY other interesting security people out there to read, who aren't confused.

    2. Re:Disappointing by call-me-kenneth · · Score: 5, Insightful

      Tell you what, when you've written a book that gives a tenth of the useful advice, interesting information and insightful analysis of a single issue of CryptoGram, come back and tell us about it. Until then, your words serve only to make you look bad.

    3. Re:Disappointing by mattpalmer1086 · · Score: 5, Insightful

      I would say quite the opposite. I think it's well documented that Mr Schneier used to think that cryptography would solve all our security woes, and then he realised this was only a small part of the picture. You may have preferred him when he was all gung-ho on the deeply technical and fascinating aspects of crypto - I love that stuff too - but you are not his audience anymore.

      Things that you may think are obvious are just not to most people. He's trying to reach normal people, business leaders, politicians - people who don't get it, or still think security is just boring techy stuff that doesn't work very well. He's trying to show it's also a mindset, a way of seeing the world, that anyone can understand. I think he's doing pretty good, but again, we are not his primary audience.

    4. Re:Disappointing by mattpalmer1086 · · Score: 1

      Well, I know what you mean about that. I've got Knuth on my bookshelf, and I can honestly say I don't look at it very often! Pure pose value for me ;) I assume you're talking about "Applied Cryptography" - but I do read Schneier's books - I've got most of them, and I like 'em. What other security people would you recommend?

    5. Re:Disappointing by hal9000(jr) · · Score: 1

      I like reading Ira Winkler, and Michal Zalewski's Silence on the Wire is a must read.

    6. Re:Disappointing by dpilot · · Score: 1

      Even if it's as bad as you say, he's still more interesting to read/hear than Donald Trump, the *real* king of self-aggrandizing.

      --
      The living have better things to do than to continue hating the dead.
    7. Re:Disappointing by Grizzled+Old+Scout · · Score: 2, Insightful

      You may have preferred him when he was all gung-ho on the deeply technical and fascinating aspects of crypto ... but you are not his audience anymore.

      I have nothing to add, other than preach on, brother.

      It is always unfair to criticize a work which was never intended for you in the first place. Schneier has long since lost his faith in strong crypto as security's holy grail. He now writes, often, that security problems will not be solved with technical tools because they aren't technical problems. They are economic, political, psychological problems. In short, security problems are people problems. And he is absolutely right.

      If you have a critique of his writing on these people-problems subjects, then please say so. But if you're annoyed that he has moved on from the technology aspect of security, then it's okay to say that this isn't your cup of tea, but please acknowledge that you aren't in his target audience.

      He isn't writing for the math geeks anymore, and hasn't for quite some time.

    8. Re:Disappointing by DerekLyons · · Score: 1

      If Crypto-gram wasn't a mix of technical information and the self aggrandizement the grandparent refers to - you'd have a point. The simple fact is, Bruce has been using his fame (for doing something unrelated[1]) to push his political agenda for some years now. It probably doesn't hurt his consulting business either to get so many column inches and electrons.
       
      [1] Yes, cryptography is unrelated to security - one can be an expert on one without knowing anything about the other. (In the same way an architect can do his job without knowing much more than the average Joe about the detailed chemical processes involved in making steel - or your average IT geek without knowing a great deal about how IC chips are made beyond what he saw on Modern Marvels last night.) They are in the same field, but they aren't the same thing, Bruce trades on people not knowing that.

    9. Re:Disappointing by Cal+Paterson · · Score: 1

      I'm not convinced that TAoCP is actually that hard. There is a vast amount of it, that is for sure, but it's written in a conversational tone and fully explains everything it mentions. With a "high school" prior mathematics knowledge and a fair bit of wikipedia/google, I was well able to understand what was said. There isn't a lot of presupposed knowledge (and in fact, I have little programming experience - only common lisp); most things are fully explained. I modelled most of the algos in lisp first, and this helped learning.

      Perhaps this is not the case in later volumes though; I read only the first 3/4 of volume 1, and had to give up reading when exam season came around. I'll probably come back to it later.

    10. Re:Disappointing by VENONA · · Score: 1

      He's provided a lot of useful information to people who aren't security practitioners, exposes a lot of post-9/11 politics of fear, government security theater, etc. I've given away a couple of copies of _Secrets & Lies_ to friends, with good effect. I just don't see his writings as egotistical. He's a known-smart guy. I'm usually willing to read things written by known-smart people. Perhaps I'm just missing something.

      Plus, it's hard for me to stay current (probably true for anyone in a technical field, these days), even though I'm in the business. He covers a broad range, which is helpful. For instance, I mostly missed breaking anonymity of data sets. I was too busy the couple of times it was really in the press, and wasn't doing anything related to it at the time. Keeping feeds from his blog and Wired in my aggregator jogs me to get back to things I had to ignore at the time, and usually provides links to the research papers, where that's appropriate.

      If I had any complaint, it would probably be that he's biased toward outsourced security. I'm a recipient of outsourced security work, so stating that is probably acting against my own best interests. But I'm trying to be fair.

      --
      What you do with a computer does not constitute the whole of computing.
    11. Re:Disappointing by AeroIllini · · Score: 1

      It is always unfair to criticize a work which was never intended for you in the first place.

      Obligatory.
      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
  3. Open network ? by davro · · Score: 1, Interesting

    I couldn't help but wonder how you reconcile your security mindset with an open wireless network at home. A while ago you proposed an open network in the name of politeness http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html

    1. Re:Open network ? by muridae · · Score: 5, Insightful

      Okay, I'm not Bruce, but I'll explain. If I open my wireless network, I know it's open. I can secure the computers behind with the knowledge that the wireless system is wide open. This is not really any different than securing the whole internal network against internet based problems. And, on the off chance that he really does have a single AP/router combo with the other computers connected directly to it, then the computers all need to be secured. How does this differ from securing a laptop that you use while traveling, connecting to whatever unsecured wireless signal you can pick up, except that you have to do it to all the devices involved?

      So, let's say you keep your wireless system closed. What happens when someone cracks the encryption key and gets access anyways? What happens when an internet botnet gets turned on your router because someone found a vulnerability in it? Lots of people kept secured computers before home routers and NAT became a real necessity. Doing so hasn't really gotten that much tougher. Just more constant.

      My real guess, though, is that he keeps the wireless and wired networks separated. Internet->wifi AP ->wired router+NAT+firewall-> computers. Given that he's a pro, the wifi AP and wired router might not even be connected to each other at all.

    2. Re:Open network ? by iamdrscience · · Score: 1

      Way to repost a comment from the article page.

    3. Re:Open network ? by jonadab · · Score: 3, Funny

      > If I open my wireless network, I know it's open. I can secure the computers
      > behind with the knowledge that the wireless system is wide open.

      You're thinking like an engineer: "How is this supposed to work?"

      Try thinking like an enemy: "How could this be exploited to harm Bruce Schneier?"

      The most obvious thing is to get a rental car, drive it through some mud until the plates aren't legible, and sit across the street from the guy's house and use his wireless network for... nefarious purposes. Sending spam via his ISP's mail server? Peer-to-peer child porn? Attacking government networks in a way that's likely to get noticed? So many possibilities.

      And sitting across the street in a car for a while is only the really obvious attack. There are much more interesting things that can be done over the long term.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    4. Re:Open network ? by SCHecklerX · · Score: 1

      My guess is that:

      1) He views the risk of someone doing something nefarious from his network to be small
      2) The wireless segment is firewalled from the rest of his network, and only specific outbound traffic is allowed.

      At least that's how I do it....

    5. Re:Open network ? by Critical+Facilities · · Score: 1

      The most obvious thing is to get a rental car, drive it through some mud until the plates aren't legible
      Dude, were you watching old reruns of "The Dukes of Hazzard" or "CHiPs" when you wrote that? I understand your point, but that's a little 1980's TV Drama-ish, don't you think? I think he might notice an odd, very muddy car lurking across from his house.
    6. Re:Open network ? by Anonymous Coward · · Score: 0

      If I open my wireless network, I know it's open. I can secure the computers behind with the knowledge that the wireless system is wide open. This is not really any different than securing the whole internal network against internet based problems.

      Er, ever heard of ARP poisoning?

    7. Re:Open network ? by nine-times · · Score: 1

      What happens when someone cracks the encryption key and gets access anyways?

      I also feel like it's worth noting here that many security experts I've read and talked to don't consider current WiFi encryption methods to be terribly secure. Even using WEP or WPA, it's certainly not unthinkable that someone could hack in, especially considering that they don't have to really obtain physical access. They can sit outside your home/apartment/office all day long and make attempts.

      So I do sometimes advise people to encrypt their WiFi, but you should set up your network and computers such that if your WiFi is open, your computers are still secure.

    8. Re:Open network ? by muridae · · Score: 1

      How is this any different than what can be done with an encrypted and 'closed' wireless network once you break through the encryption?

      Once the wireless network is there, for whatever reason, why not leave it open? The current methods of closing a wireless network aren't all that bullet proof.

    9. Re:Open network ? by muridae · · Score: 1

      Yes, I have. I wasn't giving a 'How to secure your WIFI connection' post, so I was glossing over all the factors you have to consider.

      All the computers connected to the AP have to be treated as if they are going through an open AP at the coffee shop. Even the computers on the wired side, since you can not always predict the next usable attack vector for an MIM attack. They also have to be secured against in-network cracking, you are no longer trusting the hardware firewall to do that while it also does NAT. However, if I were to set up an AP, encrypted and MAC filtered and everything, those are the same (non-inclusive) steps I would take.

      Once the access point is there, you guard against it as if it were open. I don't think Bruce is silly enough to not do that. Once you have the network protected as if the AP was open, why not leave it open?

  4. In security by Z00L00K · · Score: 3, Interesting
    It's not necessary to have a destructive mindset but a great deal of imagination and some paranoia.

    Such a personality may be disastrous in many other cases but works well when it comes to security work.

    And remember that most computer viruses in the beginning weren't really malicious - they just were there "because I can". Even those cases have to be taken into account by security people.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:In security by the+99th+penguin · · Score: 1

      Sounds like you're describing the hacker mindset, but in a security context, which seems pretty fitting. It does make sense if you think of a security expert as a hacker, someone that sees something and thinks "hm, wonder if I could do this with it?".

    2. Re:In security by v1 · · Score: 5, Insightful

      I take the third view. I believe you need the ability to (forgive the overused phrase) "think different". 100% of what we do every day in life is based on a world of assumptions. To be a good security researcher requires distancing yourself from the assumptions, breaking out of the ruts in the road, and trying different things. The majority of security holes exist because the developers and defenders are making the same assumptions as everyone else. Buffer overflows are the classic example, and we still see them constantly even though they've been recognized for years as a major security risk.

      I did in-house beta testing for a time, and used to really piss off the developers because I had a knack for knowing what they weren't planning for. I wasn't so much looking for security holes, but rather ways to crash the app (many of which were probably exploitable). A classic I heard was a developer submitting a bug report for "program crashes when it says Press Any Key and you press letter A". The developer called her back to his cubicle, why did you press "A"??? She said her name was Alice, and it said press ANY KEY so she hit "A". "But you're not SUPPOSED to hit "A", you're SUPPOSED to hit the space bar!" At which point the other developer stood up from his cubicle and said "oh? I thought it meant RETURN?" This perfectly illustrates how persistent assumptions are in coding. Not only are they all making assumptions, but they aren't even making the same assumptions.

      That's the sort of testing I did. Deleting the last element in a list, Select all in empty lists, saving a form before completing it, entering a 200 character filename for save, taking advantage of assumptions that the user knew what they were doing and would not ask the program to do something that was certain to produce undesirable results.

      --
      I work for the Department of Redundancy Department.
    3. Re:In security by TheRaven64 · · Score: 3, Funny

      I used to know a tester who would always hit control-alt-delete when told to press any key to continue. The company changed the messages to 'press almost any key to continue' after a while. Of course, that then confused real users who wondered which keys they weren't allowed to press...

      --
      I am TheRaven on Soylent News
    4. Re:In security by jvkjvk · · Score: 3, Funny

      This is actually just really quite obnoxious and not very helpful.

      Do you really want a user program hooking into trapping the ctrl-alt-delete sequence? I thought not.

      Being pedantic, since the tester appears to be so, "any key" does not imply "any combination of keys", either.

      I test by hitting the reset button, after all it can be considered a key too, just not a 'key' on the keyboard...

      If I was the company, instead of changing the message, I would have modified the tester's behaviour, perhaps with a hammer if necessary...

    5. Re:In security by Anonymous Coward · · Score: 0

      ... Wouldn't that be a combination of keys, though? "Press any key" seems pretty clearly singular. You could make a better message by being explicit and saying "Press [Enter] to continue," even if it still has the "any key" behavior. Much less confusing to your average user ("where's the 'any' key?") and your tester will look stupid if he tries to report that as a bug again. I'm sorry, but to me that just seems like someone trying to look clever without actually being clever.

    6. Re:In security by Anonymous Coward · · Score: 0

      I had a problem like that once. My response was to make it continue as soon as it saw Control.

    7. Re:In security by Z00L00K · · Score: 1
      And on some keyboards you have a "power" key and a "sleep" key too...

      I think that it's safer today to say "Press Enter" to continue, or press "Space" to continue. But be aware that for old DEC users "Enter" means the key at the numeric pad while "Return" is the key by the letters.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    8. Re:In security by Reziac · · Score: 1

      [laughing] Sounds like me, in my fearsome persona as "the beta-tester who can break anything". It's why in a dev-group of 5 pro coders and 26 testers, I found 75% of the reported bugs -- I just can't help doing the unexpected, even if I do so by accident! Tho most often it's really extrapolation: Action X works while the program is doing THIS, so why shouldn't it work while you're doing THAT?

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  5. Ant farms are nothing. by evanbd · · Score: 2, Interesting

    You can get a port-a-potty delivered without ever providing positive identification. You don't even have to pay for it until it shows up, and they'll happily deliver while you're at work. They're quite used to people preparing to have renovations done by contractors.

    Of course, I would never decide someone else needed a port-a-potty on their front lawn. But, much like the ants, it's something you can't help but notice if you have the right mindset.

    1. Re:Ant farms are nothing. by Nullav · · Score: 1

      So you're the one flooding hapless neighborhoods and honest businesses with toilets!

      --
      I just read Slashdot for the articles.
    2. Re:Ant farms are nothing. by DerekLyons · · Score: 1

      You can get a port-a-potty delivered without ever providing positive identification. You don't even have to pay for it until it shows up, and they'll happily deliver while you're at work.

      Maybe where you live. Not here.
  6. Is this mindset really special? by badzilla · · Score: 4, Insightful

    Anyone can do what Bruce implies only "special security people" can do. It's just that most people don't because there is no incentive to. You might as well announce that your special security mindset has noticed how easy it would be to go into restaurants and put poison in the salt shakers. Hell they are wide open! What were the salt shaker designers thinking of! But of course normal people are just not interested in doing that.

    --
    "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    1. Re:Is this mindset really special? by Anonymous Coward · · Score: 0

      and there's the problem right there. you don't have to worry about what "normal" people would do - if everybody was a law-abiding, considerate member of the community, having to worry about security *at all* would be a waste of resources. what you DO have to worry about is the freak who WILL run around putting poison in salt shakers. The kind of mindset you seem to have is the kind that will only take action once it's been done - but by then, it's a bit late for the sorry bastard who has already been poisoned. Are you thinking it's better to act only when someone's dead, or do you feel it's unacceptable for someone to be poisoned at all?

    2. Re:Is this mindset really special? by Braino420 · · Score: 1

      Exactly, I read the thing about the ants and I couldn't even imagine why you would even bother to send some place live ants. Hey, you know you can *gasp* take more than one newspaper from the machine when you only paid for one! Onos security breach!

      And I read the AC reply to you, and all I have to say is this: I don't want to live in a society where everyone is treated like a criminal. Things are moving more and more in this direction in the US, and it's very sad. I think people should be treated like the adults they are, and the people who abuse those privileges need to be punished. Now, instead of only the criminal being punished, everyone is. Great!

      --
      They call me the wookie man, I guess that's what I am
    3. Re:Is this mindset really special? by Anonymous Coward · · Score: 0

      Yes, this mindset is really special. I've been a QA engineer for 12 years, the last 7 at a large fortune 500 e-commerce company testing their public-facing web application. For the last 4 years, I've been focused primarily on security testing as well as providing internal training for doing security testing.

      What Bruce seems to be suggesting is that you think more critically about security for things you have the ability to influence. You seem to be confusing criminal activity with identifying weaknesses in systems designed by other people. And, I can tell you from first-hand experience that teaching people to look beyond whatever their widget is supposed to do, and think of ways that it could be made to fail is very, very difficult. Under a time constraint, and with a list of things the widget is supposed to do, it is easy to ignore this, and repeatedly ignoring this aspect of the testing narrows your ability to think critically about it.

      But hey, if you believe you have the knack for this kind of testing and can demonstrate skill in the art, you should absolutely seek a job in the field... it pays rather well.

    4. Re:Is this mindset really special? by BitZtream · · Score: 1

      This is not true. While many people can do what Bruce is saying to a limited extent, it takes active effort on their part and they aren't good at it. What he is referring to is the people who do it without even realizing they are doing it, these are the people who are GOOD at finding security flaws. And not just in computer/software related systems. He does it in everything, door locks, car alarms, auditing procedures for accounting, health records, literally everything.

      That is a special breed of person. Just like anyone can play basketball if they try, only a select few are actually good at it. And not just because they are interested in it, there are plenty of people who are interested in both basketball and security that downright suck at it. I'm certainly actively interested in it, but by no means do I consider myself good at it. The only advantage I have is the knowledge and experience that there are people out there who are REALLY good at it, so I at least can force myself to code absolutely defensively and hope I catch the problems that people are going to try to exploit, and pray no one finds the holes I didn't catch.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    5. Re:Is this mindset really special? by MikeBabcock · · Score: 1

      The issue isn't the capacity to think the way he does (although I would argue many people do not in fact have this capacity at all), but the will to do it, and the speed with which they do it. A security consultant who figures out why the camera system directly attached to the Internet with no password on an open port is a bad idea is only a useful one if they figure it out BEFORE it is connected to the Internet (or at least before it's exploited).

      Seeing the potential problems before the vast majority of others do is a gift, much like being able to take a good photograph. Sure, anyone can snap a photo. Now go try to sell your shots to National Geographic and tell me how it goes.

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:Is this mindset really special? by Anonymous Coward · · Score: 1, Interesting

      No incentive to wonder if the attachment from the strangely worded email is a trojan?

      Plenty of incentive to wonder if their dark-skinned neighbor is a Muslim terrorist?

      It's not about incentive. It's about hype, and unfortunately, info sec hasn't gotten enough hype. Have a few media outlets declare that terrorists have poisoned the salt shakers and watch Americans start eating healthier.

    7. Re:Is this mindset really special? by Ant+P. · · Score: 1

      s/salt shaker/envelope/g
      s/restaurant/post office/

      Doesn't sound so far-fetched now, does it?

  7. Re:yawn, another "superior geek" complex by TheP4st · · Score: 2, Interesting

    RTFA! "There's nothing magical about this particular university class; anyone can exercise his security mindset simply by trying to look at the world from an attacker's perspective."

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  8. Good engineering by TheLink · · Score: 3, Insightful

    "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail"

    In my opinion, good engineering involves thinking that things _will_ eventually fail, how it can be made to fail _safely_ if possible and figuring out what the acceptable risk is given the cost. Modern engineers don't normally design stuff to last for 1000 years (some of it might last that long - distribution curves and all that).

    1. Re:Good engineering by Anonymous Coward · · Score: 0

      Most engineers don't design things to last even 10 years, let alone 1000 -- if you're talking about consumer goods. Heck, even 1 year would be a dream come true with some crap. Gotta keep the monkeys buying again and again...

    2. Re:Good engineering by tsjaikdus · · Score: 1

      >> In my opinion, good engineering involves thinking that things _will_ eventually fail

      Most engineering is done by engineers that have just left school. They are fast and they don't think. When the design is ticked off the Excel sheet of the project leader it is time to progress to the next open issue. Nobody cares that the design does not fit or does not work at all. Engineering is about ticking off open issues.

    3. Re:Good engineering by Anonymous Coward · · Score: 0

      This is why it's called software "engineering".

    4. Re:Good engineering by Hatta · · Score: 2, Insightful

      In my opinion, good engineering involves thinking that things _will_ eventually fail, how it can be made to fail _safely_ if possible and figuring out what the acceptable risk is given the cost.

      Murphy was an engineer after all.

      --
      Give me Classic Slashdot or give me death!
    5. Re:Good engineering by Anonymous Coward · · Score: 0

      That's because modern engineers work for companies that need to continue to make money. They need to have to replace things in order to sell more stuff to people and keep up "growth."

      Roman engineers were soldiers who were out to build an empire for the Eternal City - and that meant "last for ever." Hell, Segovia in Spain still uses the one the Romans built!

    6. Re:Good engineering by celafon · · Score: 1

      I would say more.

      Long gone are the days when the security was something that "others" will make sure is there. Being a developer now involves making the code/system/architecture/whatever SECURE. And you have to train this particular way of looking at things even when building them. There are no magic devices that will secure the system for you!

    7. Re:Good engineering by przemekklosowski · · Score: 1

      In my opinion, good engineering involves thinking that things _will_ eventually fail, how it can be made to fail _safely_ if possible and figuring out what the acceptable risk is given the cost. Modern engineers don't normally design stuff to last for 1000 years

      Many widely-used technologies are successful at least in part because of the natural or engineered secondary mechanisms that mitigate failure, or even self-heal. It is easy to forget how important those are, because they don't matter for normal operation, but without such graceful failure mechanisms a lot of technology around us would be much less useful. Several examples that I can think of:
      • Regular incandescent lightbulb: since the filament resistance increases with temperature, they are less sensitive to line voltage variation; since power is V^2/R, excessive voltage doesn't cause runaway power dissipation that would burn out the lamp quickly. Compare that to semiconductors, such as transistors in power amplifiers, whose resistance decreases with temperature. As a result, they are subject to a thermal runaway, where the more power they shed, the more power flows through them, and one needs special protection circuits. It would have been hard to make such protection cheaply in Edison's times, so lightbulbs wouldn't have succeeded as much as they did.

        Incidentally, power MOSFETs have much less thermal runaway, which partly explains why they overtook bipolar transistors

      • Electrolytic capacitors: any damage to the insulating dielectric layer self-heals by the excess current flowing across the damaged spot. The tantalum electrolytic caps work the same way, except that under some circumstances, the heat shedding is faster than repair, and they sometimes blow up in spectacular ways (spilled gunk, chunks flying)
      • Halogen lightbulbs: a damaged part of the filament gets hotter, causing preferential deposition of metal from the vapor phase, which self-repairs the damage
      • Bikes: stable, partly because the gyroscopic torque counteracts small excursions from the vertical balance.
      • How about the incredible amazing biological healing: I am looking at the healing cut on my finger. 'Nuff said.
    8. Re:Good engineering by Reziac · · Score: 0, Offtopic

      [grin] So is the glass half-full or half-empty?? MY question is, why does the glass leak??

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    9. Re:Good engineering by TheLink · · Score: 1

      "So is the glass half-full or half-empty??"

      It's overengineered - someone has more glass than needed ;).

    10. Re:Good engineering by Reziac · · Score: 1

      Ah, so you haven't accounted for the leaks ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    11. Re:Good engineering by TheLink · · Score: 1

      It's in Beta, we'll fix that in the release ;).

    12. Re:Good engineering by Reziac · · Score: 1

      Well, okay... meanwhile, what am I supposed to do about the water all over my floor? ;0

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:Good engineering by TheLink · · Score: 1

      Please press 1 for English.
      Para Espanol, oprima numero dos. ...
      Your call is important to us...

    14. Re:Good engineering by Reziac · · Score: 1

      I only speak Martian, you insensitive clod!! ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  9. paranoia yes ..... by taniwha · · Score: 2, Insightful

    I do crypto for a living .... my bank really really wants me to use their web banking service - but I have a dilemma - is it safe? If I try and break their security to test them a couple of things might happen: if it's any good they'll catch me and I might go to jail .... if it's crap there's no point in me using their service - so I can't win and can't use their service

    1. Re:paranoia yes ..... by Bill+Wong · · Score: 1

      The problem is even if you actively choose not to use their system, security problems in their account creation or account login can still render your account wide open to whoever out there might try to hack it. So you really might as well use the service, if only to be able to create a baseline and from thereon passively monitor it yourself to check for problems. Some banks are at least trying to get better in that regard, such as Bank of America has been offering two-factor authentication that uses a cellphone as a keyfob, but, whether that's secure at all is anyone's guess. Also, if their service is crap, you could always use an aggregator like Yodlee, but, I suppose that's its own security risk in and of itself.

    2. Re:paranoia yes ..... by Lobster+Quadrille · · Score: 1
      This is the problem that's been giving me issues lately too.

      Every online payment application I have available to me, including my (very large) ISP's web interface, my student loan, my utility bill, my home loan, and my bank, has at least one serious XSS, session fixation, or SQL injection hole. I've informed them about the problems, and not one has made an effort to fix the issue.

      They have all, however, failed to remove the text from their respective web sites saying:

      We have information systems that collect and store customer information in addition to systems that store our own business records. These systems have different types of security as appropriate for the information stored.

      We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.

      What's a gray hat to do?

      If I make such things public, they pursue legal action against me. Posting anonymously may or may not help, but they still know that I know about the holes, and it wouldn't be hard to put 2 and 2 together.
      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    3. Re:paranoia yes ..... by Lennie · · Score: 1

      I have the same problem, I do think from what I've seen of my current bank they aren't so good, I'm switching. As a user of the system you can see so much more, so I'll reevaluate after that.

      --
      New things are always on the horizon
    4. Re:paranoia yes ..... by Hatta · · Score: 1

      If I make such things public, they pursue legal action against me.

      I suggest you talk to a lawyer. If you can demonstrate that their security really is inappropriate for the information stored on their systems, you might have action for negligence. Beat them to the punch.

      --
      Give me Classic Slashdot or give me death!
    5. Re:paranoia yes ..... by TheRaven64 · · Score: 2, Interesting
      Have you contacted the bank and asked if they would be interested in you performing a free evaluation of their network security? Send them your credentials as a security professional and say that you are willing to give them a documented appraisal for free since you are a customer and the security of their system affects you. If they say no, then publish their refusal online somewhere, and approach another bank. If they say no, add them to the list. Start sending the list to consumer groups and mainstream media publications. Then contact another bank.

      If you're in the USA, then good luck finding one that's even remotely secure. My US bank has such a laughable concept of security that I'm very glad I don't keep much money on that side of the pond.

      --
      I am TheRaven on Soylent News
    6. Re:paranoia yes ..... by balloonhead · · Score: 1

      exploit it?

      --
      This idea was invented by Shampoo.
    7. Re:paranoia yes ..... by Z00L00K · · Score: 1
      You don't have to break THEIR system, just a system that is set up in a way that's indistinguishable from their system and demonstrate the various attacks possible.

      Make a YouTube video of it without mentioning their name if you feel aggressive.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    8. Re:paranoia yes ..... by liquiddark · · Score: 1

      Of course, if I were willing to pose as a security professional and fake it to this extent, I could get unwarranted access to a bank. So they're kind of damned either way.

    9. Re:paranoia yes ..... by VENONA · · Score: 1

      Hi Raven. Long time, no post swappage.

      "If they say no, then publish their refusal online somewhere, and approach another bank. If they say no, add them to the list. Start sending the list to consumer groups and mainstream media publications. Then contact another bank."

      The problem is that then banks that have refused will never work with you in future, if that list is traceable to you. It could be rather easy to trace--a media outlet might sell that bank a lot of advertising, or similar. Banks that you haven't called would probably see it as blackmail, if they knew of it. It's just not a good business practice, particularly for a security guy, where in my experience maintaining a solid trust relationship pays large dividends.

      Also, a useful audit is an expensive thing to do [1], and it's still just a snapshot of a moment in time. While you're driving away from this several-day gig, someone could be forgetting to test a patch so that it could be installed on a production machine that night, etc. Random operational errors, even against written procedures, are a huge problem.

      Lastly, there's the issue that a bank might well have valid but confidential reasons for declining your offer. They're intrusive, after all, and for all you know they may have a periodic audit scheduled for the following week. Unless you already have a business relationship, and a need to know, they aren't going to be telling you about a coming audit schedule. They shouldn't be, at any rate. That specific scenario could be enough to land you in legal difficulties, and I'm sure you can think of others, now that I've got you started. :)

      [1] The IT environment can be complex, with data flows from Web servers, ATM machines, check imaging systems, clearing houses, log hosts, CRM systems, etc., in and out of a large SMP machine running the OLTP db. You may not even be able to do an audit you'd be happy with, simply because the people you're working with may not know about some of the defenses built into the db itself. Most such systems have internal mechanisms to specifically guard against teller, branch manager, and manager fraud, but details are (quite rightly) hard to come by.

      --
      What you do with a computer does not constitute the whole of computing.
  10. I have to agree by 2.7182 · · Score: 1, Interesting

    I used to look forward to reading what he had to say - in the 1990's. Now when I see these articles about what the almighty Bruce Schneier says I cringe. He did some decent work, but I think the main reason for his high profile comes from a book which was essentially a derivative of several other classic tomes in cryptography, like Stinson. For me, he has become the Dvorak of security.

    1. Re:I have to agree by Rainer · · Score: 5, Insightful

      I used to look forward to reading what he had to say - in the 1990's. Now when I see these articles about what the almighty Bruce Schneier says I cringe.

      You cringe because he keeps saying the same things over and over again.

      He keeps saying the same things over and over again because people keep making the same dumb mistakes over and over again.

    2. Re:I have to agree by SerpentMage · · Score: 1

      The problem I find with his critique is that we in the world expect a certain amount of trust that he takes advantage of. While I agree systems like that are bad from a security perspective he has to start understanding that we need to trust each other whether we like it or not.

      Let me give an example from the Black Swan. Taleb asks the question why is the world as stable as it is? There is nothing to stop us all from being murderers, rapists, terrorists and the like. All that stops us is the fear of getting caught or not being part of the moral majority. When you think about it, it is quite impressive that the world works at all.

      My point is that Schneier with these comments is only pointing out the obvious. And there will always be weaknesses. For example, let's say to retrieve a car you need to give id. How do you know it's not fake id? So now you have to ask for id's and make people smart enough to figure out it is not fake id. I say you are in fact complicating a system because somebody who really wants to steal the car will figure it out security or not...

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    3. Re:I have to agree by CRCulver · · Score: 1

      I think the main reason for his high profile comes from a book which was essentially a derivative of several other classic tomes in cryptography, like Stinson.

      Well, to give the man credit, he did help develop one of the most popular crypto algorithms around, Blowfish. He wasn't just documenting the work of other cryptographers, he was engaged in the field himself.

    4. Re:I have to agree by sanctimonius+hypocrt · · Score: 1

      "He keeps saying the same things over and over again because people keep making the same dumb mistakes over and over again."

      Yes, and they will continue to, but they're pretty much the only people we've got.

  11. Bruce Schneier Facts by tangent3 · · Score: 1

    Bruce Schneier Facts
    The last time someone tried to look into Bruce Schneier's twisted mind, the Big Bang happened

  12. You're damn right, most people don't get it! by MikeRT · · Score: 5, Interesting

    My instincts on this are more of "how would a criminal or terrorist behave in this setting" because I grew up in a law enforcement family (both parents plus extended family). I've made a few "regular people" upset in the past by pointing out the idiocy of their evacuation plans to them in pointed detail. One example comes from high school when the school shootings were just starting to disappear from the news.

    Our school gets a bomb threat, and the teachers and administrators are freaked out. They move us all, I kid you not, to the football field where we are fenced in by chain link fence, about 1/3 of which is covered by barbed wire. So I point out to my history teacher, one of the only genuinely intelligent public school teachers I have ever met, that we had been corralled into an enclosed area, surrounded by strong sniper nests (there were many points where a shooter with a 30.06 and a few mags could have unloaded with impunity), and that ironically, if there were a bomb, and the person who planted it were clever, they'd have put it under the bleachers where about 200-300 of us were sitting.

    He nodded his head in agreement that were this a real thing, we'd probably be fucked because of our administrators' plan, but the one or two regular teachers not far away who overheard acted like I was the real danger for pointing out what should have been "the obvious" about this plan. Me? I'd have called in the buses, and shipped everyone off property to be safe right away.

    1. Re:You're damn right, most people don't get it! by LaskoVortex · · Score: 3, Insightful

      I'd have called in the buses, and shipped everyone off property to be safe right away.

      And then the snipers would shoot them as they were packed like sardines into the busses. Me, I would pull one of 50 cards with random "evacuation plans" out of a hat and do what it said on the card. I'd include an "ignore the bomb threat" card in there as well.

      --
      Just callin' it like I see it.
    2. Re:You're damn right, most people don't get it! by remahl · · Score: 4, Insightful

      No need to call in the busses. Just tell everyone that they may go home for the day. They will disperse randomly in every direction, quicker than any school administrator can administer their movements and in ways that no terrorist can predict.

    3. Re:You're damn right, most people don't get it! by autocracy · · Score: 3, Insightful
      That's basically the answer it would have to come down to as far as a secure response would go. The constant issue in the grandparent's scenarios has been that the same thing will always happen. Call in a threat, watch them load the buses... bomb the buses the next time.

      Much like the pre-2001 response of "we'll sit and wait for the hijacking to end," bomb threats are dealt with as if the threat is honest. Once somebody has a case of a bomb under a bleacher to remember, we may act differently.

      Security tends to be reflexive.

      --
      SIG: HUP
    4. Re:You're damn right, most people don't get it! by smooth+wombat · · Score: 1
      They will disperse randomly in every direction, . . . . in ways that no terrorist can predict.


      Generally, there are only two ways in and out of a school parking. Using the DC snipers as a template:

      1) Call in bomb threat to evacuate students
      2) Administrators let students go home immediately rather than putting them on buses
      3) As first car approaches exit, sniper shoots driver, disabling first vehicle and blocking exit
      4) Repeat with second sniper at second entrance
      5) Wait for students behind stuck vehicles to get out of cars or simply shoot at students inside vehicles
      6) . . . .
      7) Profit! (from publicity)

      Does what I just said now make me a terrorist or someone who should be involved with security issues?

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    5. Re:You're damn right, most people don't get it! by The+New+Andy · · Score: 1
      You now have another problem though: Student has exam they don't want to do, so they call the school from a payphone and fake a bomb threat. Weee, no exam.

      Given that most school bomb threats are fake, and there are lots of people who would like to fake them, the problem is a bit trickier than just avoiding getting students blown up.

    6. Re:You're damn right, most people don't get it! by Torvaun · · Score: 1

      Someone who should be involved with security issues. Note that this does not preclude terrorism.

      --
      I see your informative link, and raise you a pithy comment.
    7. Re:You're damn right, most people don't get it! by Anonymous Coward · · Score: 0

      ... now that's thinking like a real hacker!

      hacking, isn't that what it's all about?

    8. Re:You're damn right, most people don't get it! by Animats · · Score: 1

      Our school gets a bomb threat, and the teachers and administrators are freaked out. They move us all, I kid you not, to the football field where we are fenced in by chain link fence, about 1/3 of which is covered by barbed wire.

      That kind of dumb response happens at higher levels. A few years back, there were three incidents where the U.S. Capitol was evacuated because a light aircraft had entered the Washington area without authorization. I was amazed at that response. The official response to an air raid is to send everyone outside? Not down to the basements? (Especially since the U.S. Capitol has plenty of basement space, plus tunnels to most of the neighboring buildings.)

      Worse, if it's a real attack with a light aircraft, it has to be chemical or biological. A light aircraft just isn't big enough to cause substantial damage to a big stone building, even if it has explosives. Remember, there'd been an anthrax attack on the Capitol (we still don't know who was behind that), so that possibility was more than theoretical. But no, they send everyone outside to be sprayed.

      Of course, it turned out that, each time, it was some inept pilot noodling around in a small plane, flying VFR and totally lost. One of the pilots responsible is even suing to get his pilot's license back.

      (NORAD actually did something intelligent about this. It's always VFR pilots who cluelessly wander into the Washington air defense identification zone, usually on clear days. IFR-qualified pilots know how to use their navaids, plan where they're going, file flight plans, have transponders identifying them on radar, and are in constant contact with ATC. So NORAD set up a laser system with several sites in the Washington area. Aircraft in the wrong place and not in contact with ATC get flashed with a bright red-red-green signal to tell them to get out of there, before they meet up with an F-16 in their face. This has been reasonably effective in getting clueless VFR pilots to turn around.)

    9. Re:You're damn right, most people don't get it! by DerekLyons · · Score: 0

      My instincts on this are more of "how would a criminal or terrorist behave in this setting" because I grew up in a law enforcement family (both parents plus extended family).

      You may believe this, but it's bullshit.

      One example comes from high school when the school shootings were just starting to disappear from the news.

      The problem is - your example is one of 'how a Hollywood scriptwriter thinks a terrorist or criminal would think' or 'an inexperienced teen's fantasy world where he tries to kill all his classmates in the most spectacular, attention grabbing, and unrealistic manner'. Not how criminals and terrorists in the real world behave.

      I'd have called in the buses, and shipped everyone off property to be safe right away.

      Yep. An elaborate teen fantasy on how to get a free afternoon away from school and add excitement to another boring day. I had 'em too when I was a kid.
    10. Re:You're damn right, most people don't get it! by DerekLyons · · Score: 1

      Great. When I was in high school, my school was (...hits Google Earth...) five miles away as the crow flies - much further by road. (You couldn't go as the crow flies.) Almost all of it alongside highways or busy roads without sidewalks. Then and now only about 10% of the student body drives to and from school. How in the hell was I supposed to get home? (Not to mention that compared with the area my school covered I lived practically in the parking lot.) Not to mention the horrendous traffic jams caused as the students tried to leave in a panic and the police and fire departments tried to get to the school - along the two roads that lead to the school.

    11. Re:You're damn right, most people don't get it! by nine-times · · Score: 2, Funny

      Me? I'd have called in the buses, and shipped everyone off property to be safe right away.

      And then what happens when the busses drop below 55mph?

    12. Re:You're damn right, most people don't get it! by Reziac · · Score: 1

      A simple way to instantly randomize the evacuation would be to tell everyone "Go home the way you normally do, or if you would ordinarily take the bus, go with a friend who walks home" which would quickly scatter the targets to the four winds.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:You're damn right, most people don't get it! by Reziac · · Score: 1

      Which is why I said above (having thought of the "send everyone home, instant dispersal" method before encountering this thread) -- if you'd normally ride the bus, walk with a friend to their home instead. This also applies to students who normally drive to school -- leave the car, pick a friend and walk to their home.

      No potential for parking lot bottleneck (nor OMG I'M TRAPPED panic) if everyone leaves on foot.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    14. Re:You're damn right, most people don't get it! by archen · · Score: 1

      There are, however, different mindsets between objectives in criminal and terrorist activity. My boss once asked me how I would go about a shooting spree; if I would go through the back door and start shooting or whatnot. I said I'd get a 22 with a silencer and execute every person in the corporate office and close each office door - because I could kill far more people before the alarm was raised and everyone scattered. He pointed out that this wasn't really the mindset of crazed shooters, but that's true because if we're talking about killing people, I'd kill them; NOT terrorize them.

      With computers it's a bit different I feel because security administrators and their malicious hacker counterparts generally are in a similar mindset. Terrorists and crazy people rarely have well thought out plans executed with calculated moves. Criminal activity computing wise is almost always driven by money. And a good hacker is logical, and more than anything probably patient.. not exactly impulsive criminal/terrorist characteristics.

      I think you'll also probably find that the other teachers who "overreacted" are typical of many people: they just don't want to think about it. They run around like chickens with their head cut off when something happens because they don't know what to do when the shit hits the fan. Then afterwards they demand that this never happens again, and that someone ELSE will figure out how that will happen. Same people who lose their documents, are told they should have backups - then still never have backups, because they never think about bad scenarios. Same people who are happy to trade their freedoms away for the facade of safety, yet never ask themselves "is it worth it?" and "is it really making me safer?"

    15. Re:You're damn right, most people don't get it! by Anonymous Coward · · Score: 0

      Aren't most bomb threats called in by students as a prank? If so, dismissing everyone is a good way to guarantee a lot of bomb threats for the school.

  13. Article leaves out cost benefit analysis by MyNameIsFred · · Score: 5, Insightful

    While I agree with many points of the article - specifically that a security professional must have an unusual mindset - I am troubled that the examples leave out the cost-benefit analysis. As an example, the article correctly points out the vulnerability associated with picking up "your car" from a service department. All you need is a last name, no ID. This is an obvious vulnerability. On the other hand, the service department is motivated to make the process as streamlined as possible for its customers. Demanding IDs, etc., will slow down the process. The more cumbersome the process, the more likely customers are to use a competitor. Therefore, they need to trade security with cars to the cost of losing customers.

    I am reminded of the time that I test drove a new car. All the dealership wanted was a photocopy of my driver license, and they let me drive the car off the lot for an extended test drive. Since driver licenses are relatively easy to fake, I wondered how often cars are stolen. I asked, and was told they are stolen on occasion, but insurance covers it. My point, they did the cost-benefit analysis, and decided on an insecure method.

    1. Re:Article leaves out cost benefit analysis by remahl · · Score: 1
      The article recognizes that there is a cost-benefit tradeoff in the car dealership example. The point is that there will be no analysis unless someone sees that there may be a problem in the first place:

      The rest of the blog post speculates on how someone could steal a car by exploiting this security vulnerability, and whether it makes sense for the dealership to have this lax security. You can quibble with the analysis -- I'm curious about the liability that the dealership has, and whether their insurance would cover any losses -- but that's all domain expertise. The important point is to notice, and then question, the security in the first place.
    2. Re:Article leaves out cost benefit analysis by CBravo · · Score: 1

      It would be easy to photocopy your driver's licence and see if the person that is collecting the car matches the photo from the licence. Right? Though that doesn't prove you have not already picked up the car.

      All these 'problems' should be stated as 'engineering requirements'.

      --
      nosig today
    3. Re:Article leaves out cost benefit analysis by Anonymous Coward · · Score: 0

      Indeed, but the cost-effective method still IS the insecure one. This isn't a problem if the one making the security decision bears its costs, but it does mean that when there are externalities involved, we need to ensure that those who can make decisions have a good financial reason to make the right ones.

      In the service department example, for example, it needs to be ensured that if a car gets stolen this way, the service department is held responsible.

    4. Re:Article leaves out cost benefit analysis by Reziac · · Score: 1

      Also, this situation has reasonably good "social-level security" since even busy repair shops usually know most of their customers by sight, or at least will remember that this here car belongs to that there person. It's essentially a two-keys situation, where both the car and the person need to match the counter person's memory of who belongs to what.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:Article leaves out cost benefit analysis by JimBobJoe · · Score: 1

      All the dealership wanted was a photocopy of my driver license...

      Which incidentally provides invaluable information for the dealer (since it has an address on it, it's good for marketing purposes.) Once I return from my test drive, I ask for that photocopy back. They always give it back, but they're often not happy about it.

  14. What is Bruce trying to make us think? by Alain Williams · · Score: 1
    Turn his reasoning on his article, how can we subvert it? Was the message that he gave a real one or was he trying to make us believe something and for whose benefit?

    Seriously: I agree with a lot of what he has to say. I am amazed at the number of programmers who do not follow Henry Spencer's 6th commandment for C programmers - check function return codes, they simply assume that it will work correctly.

    If something can go wrong - it will, and often at the most inconvenient time.

  15. I do this all the time by ledow · · Score: 1

    I do this all the time... I actually am quite surprised at the number of everyday things that have such simple flaws.

    In the hospital waiting for my wife the other day, I watched a mailwoman with a big trolley full of mail, sorted into departments, insert several people's medical records into the trolley and then walk off out of sight through locked doors (which were opened by her tapping the glass and standing to one side) leaving the mail unattended. It wouldn't take much to a) gain access to the baby ward that is supposed to be secure by posing as a mail woman or b) steal someone's medical records just by knowing they were in hospital that day and one department that they would have to visit.

    The other, from working in schools, comes from the Tesco Computers For Schools voucher scheme. For every £10 spent in a supermarket, customers get a flimsy paper voucher that they can give to the schools (only schools) who, when they have a few thousand, can trade them in for a free computer or computer hardware. Most people just throw them away, and I actually collect hundreds from the floor outside shops on my way home.

    First, the vouchers are simply printed pieces of paper - there isn't any security on them at all. The only "barcode" is always "1234567890X" and every piece of paper is identical - it's also just cheap, bog-standard paper. Secondly, the schools can collect amazing numbers of vouchers just by running campaigns or by collecting harder, so there are schools that collect 5 vouchers one year and 50,000 the next. Thirdly, the vouchers are *not counted* at the other end. They are weighed approximately (if at all - I don't believe that Tesco's actually weigh millions of vouchers each year and worry about the accuracy). I always wonder how much it would cost to print, say, 10,000 identical vouchers of your own to the same standard compared to the cost of a video-editing PC and lots of educational software supplied with it. Or to try your luck by declaring false numbers of vouchers and thereby learn the accuracy that they measure to (yes, you TELL Tesco how many you have, you can even do that online, and then send them off later to be "verified").

    That, and working in IT in a school means I'm always looking for ways into the building, past staff, into the computer systems, etc. Some schools are amazingly lax while others are like Fort Knox.

    1. Re:I do this all the time by cbart387 · · Score: 1

      My favorite is when companies allow you to verify stuff over the phone. For example, my parents have POA (power of attorney) for my grandparents. I forget which company it was but they weren't accepting it when my mom needed to verify some information. Therefore they wanted my grandfather to give his consent. That was fixed by just my father calling and pretending he was my grandfather. Great!

      --
      Lack of planning on your part does not constitute an emergency on mine.
    2. Re:I do this all the time by petes_PoV · · Score: 1
      The other, from working in schools, comes from the Tesco Computers For Schools voucher scheme

      The thing about this promotion is that giving away computers to schools is actually something Tesco could afford to do, for free, anytime they chose. The whole idea of making people collect worthless pieces of paper and go through the charade of giving them to schools who then redeem them is merely a marketing exercise to promote loyalty to the store and to make the donors feel good in themselves, it's certainly not a charitable activity.

      Therefore I would say that they have the level of security exactly right. The product (here, the voucher not the computer) is worthless, so there's no merit in trying to protect it. I would expect that any effort Tesco's made to either trace back or validate the authenticity of a voucher would add considerably to the cost of the marketing programme and is therefore not worthwhile.

      Securing things with value has some worth (provided the security costs are commensurate with the risks and value involved). Adding security just for the hell of it, or "because we can" is a pointless exercise that only adds to costs and overheads.

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  16. How about risk management? by tansualpcan · · Score: 2, Insightful

    I have written a long long reply to his article at my blog (no ads, etc.)
    Short summary:
    In my opinion, security in real life is not about "what can go wrong". It is about "how often and how much can it go wrong and am I prepared to handle those cases". In short it is more about how to calculate risks accurately and knowing when to take them.

    1. Re:How about risk management? by Time Ed · · Score: 1

      Risk Management is just another corporate way of asking "how much liability can I accept"? No one knows how to calculate risk beyond questioning the consequences of failure. Case-in-point: corporate managers aren't concerned with the risks to operations if someone circumvents a safeguard. They only want to know how hard their ass will get slung, or how much money they'll lose. They're only after a "procedure", which is an outlined way of Doing Things. What if I choose to ignore the procedure? Risk Management is more Security Theater.

      What Bruce is talking about is people who have a certain disregard for the rules. Pranksters, malcontents, and folks in general who don't accept convention. Those are the people who have the security mindset. Timothy Leary had another way of putting it: "think for yourself and question authority" he said.

      I can't visit a shop without wondering how I can walk away with credit card numbers. I love to hack my neighbors' APs. It's fun to put files on other machines in coffee shops. I got pushed into network security because I like to break things. Now, twenty years later, I not only write the policy, I spend my time shredding it. I teach my techs and analysts to do the same thing.

      Who do you want defending your network? Someone like me? Or the pencilneck with the CISSP and the ISO17799 paperwork?

    2. Re:How about risk management? by tansualpcan · · Score: 1

      I am sorry to hear that corporate types have hijacked the term "risk management". I am as far from being a corporate type as one can imagine. All I am trying to say is (let me use game theoretic terms in order not to be confused with a corporate type again): knowing the action space of an attacker is only partially important. It is equivalently or more important to calculate with what probability attackers will choose specific actions (which in turn depends on the possible outcome of that branch of the game). Assuming some rationality on behalf of the attacker, a defender can easily decrease those probabilities by taking appropriate actions. Maybe the game even ends up at Nash equilibrium in the worst case. Then, the defender does not have to be paranoid about anything. In practice this whole story might even degrade from glorious security warfare to boring accounting of how much the insurance company will pay back. I was just talking to a shop owner this afternoon who was telling about the last two thefts in his store only as incidence for evaluating his insurance company's quality.

      By the way, these security games become quite interesting when the assumption of knowledge is removed and some learning dimension is added to the picture (e.g. repeated games, fictitious play, Q-learning etc.)

  17. There's a fine line by petes_PoV · · Score: 3, Interesting
    between being "security conscious" and being completely paranoid. When it boils down to it, there's risk involved in everything we do. Nothing is completely secure and there's always a chance that something will go wrong.

    Sadly the world we live in today has massively overestimated the possibility of problems and hugely inflates the effects they will have (in the tiny percent of occasions when they happen). I think this is a side-effect of improved communications: we all get to hear about the 1 in a million disaster stories, but never about all the other times, when everything goes right. This leads us to think that problems are more common than they actually are.

    The great thing about being a security professional is that you can never be proved wrong. If you claim a security hole and it is never exploited, no-one will say you're wrong - just that it hasn't been exploited yet. If we believed everything these guys say, no-one would ever do anything as we'd all be too scared. Personally I think we should avoid the obvious problems, get on with our lives and accept that on a few, very few, occasions we might have to spend a little time sorting out a problem.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:There's a fine line by dpilot · · Score: 1

      But this becomes a good lead-in to point out the findings of the 9/11 Commission.

      The "fault" was assigned as a "failure of imagination." Yet in the very center of the whole investigation was the NSA, the folks that are *supposed* to be, as you say, completely paranoid. These are the people who are supposed to see an array of dots and connect them all into a pattern - that's their job. They're supposed to think about the possibilities of a hijacked airplane loaded with fuel, and what you do to mitigate the risk. They're supposed to see briefings titled, "Bin Laden determined to attack inside US" and start thinking.

      We had the wrong mindset in the job.

      But that's OK, they've been promoted out of that position.

      --
      The living have better things to do than to continue hating the dead.
    2. Re:There's a fine line by Torvaun · · Score: 1

      Security professionals can be proven wrong, all it takes is someone listening to them. Suppose a security professional stated that guns were dangerous, and outlawing guns would make people safer. Then someone outlaws guns, and voila, the reverse happens. The security professional has just been proven wrong.

      --
      I see your informative link, and raise you a pithy comment.
    3. Re:There's a fine line by petes_PoV · · Score: 1
      Yes, you're right in that example. However my experience (somewhat limited I admit) is that security professionals and others tend to make statements such as "X is a security risk", rather than saying "if you do X, Y will happen".

      They seem to have learned the "weasel words": might, could, may, etc. and pepper their prognostications with them. As a consequence you can't nail them down to a definitive, quantifiable, statement.

      I'd like to ask the guy who wrote about being able to mail tubes of live ants (from the original article) exactly how many instances of this have occurred? While he is right that it's possible, my point is that possible does not mean probable. Even if someone did send you a tube of ants, or ordered you a porta-potty: well, so what? It's not exactly life-threatening and would only take a phone call, or a quick FLUSH to resolve the problem - barely worth considering, much less writing about.

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    4. Re:There's a fine line by grassy_knoll · · Score: 2, Informative

      It seems when many consider risk they don't consider the probability of something happening only the possibility.

      Consider the National Safety Council's Odds of Dying page. According to them, one has a 1 in 73,085 chance of dying in a motorcycle accident while there's a 1 in 19,216 of dying in a motor vehicle accident as a car occupant.

      However, motorcycles are perceived ( at least by people I know, obviously a small sample ) as more risky because "people die riding those". Obviously that happens, but not to the same extent as people dying in car accidents.

      Since many people drive every day, that's a routine activity they don't seem to associate with risk; your average person doesn't seem to assign the probability of risk very high even though it's statistically more dangerous.

    5. Re:There's a fine line by Anonymous Coward · · Score: 1, Informative

      You do realise that that's pretty much what Bruce is saying, too, don't you?

      Or, well, I guess you don't. Did you RTFA? For that matter, do you read Bruce's blog? I'm not saying you need to do either - it's fine if you didn't / don't -, but you should not pass judgement on him if you don't.

    6. Re:There's a fine line by analog_line · · Score: 1

      Or perhaps it's a riskier activity, in part, because fewer people associate the activity of driving with risk. People take far more care when packing glassware than they do driving despite the fact that the latter is far more dangerous.

    7. Re:There's a fine line by pongo000 · · Score: 1

      That may well be true, but once you are in a motorcycle accident, the chances of dying from injuries in that accident are much higher than in an auto accident (sorry, no stats on this, just lots of anecdotal evidence from folks who deal with this type of stuff).

      Aviation is the same way: While chances are slight that you'll be in an aircraft accident, I can say with some degree of certainty that uncontrolled descent into terrain is almost always 100% fatal.

      So pick your odds...you want to fly or ride a bike, go right ahead, with the understanding that if you do find yourself in an impending accident situation, your odds of survival aren't so hot...

    8. Re:There's a fine line by 3247 · · Score: 1

      between being "security conscious" and being completely paranoid. When it boils down to it, there's risk involved in everything we do. Nothing is completely secure and there's always a chance that something will go wrong.

      Burying your head in the sand is not a solution, either. The goal is to avoid security problems not to ignore them because "there's always a chance that something will go wrong".

      However, it's only the first step to ask: What can go wrong?

      The next questions should be:

      • How likely is it to go wrong?
      • What happens when it goes wrong?

      Often, you'll notice that you can take the risk. This saves you from paranoia.

      --
      Claus
    9. Re:There's a fine line by Violet Null · · Score: 3, Informative

      It doesn't matter how many people die of something. What matters is the percentage of people who do it that die.

      Saying "jumping off the top of a building with piano wire wrapped around your neck" is much, much safer than being a passenger in a car because, hey, your chances of dying that way are only 1 in 492,593,129. That number just tells you how often death happened while doing that; without the vital piece of information about how many times it was attempted without dying, you don't really know anything of interest.

    10. Re:There's a fine line by grassy_knoll · · Score: 1
      On this:

      That may well be true, but once you are in a motorcycle accident, the chances of dying from injuries in that accident are much higher than in an auto accident (sorry, no stats on this, just lots of anecdotal evidence from folks who deal with this type of stuff).


      Perhaps the difference in stats reflects that motorcycle riders are more aware of the dangers of riding and therefore take greater precautions.

      At least, I've not seen motorcycle riders on the freeway yakking on cell phones, doing their makeup and eating a McSomething where I have seen that behavior from automobile drivers ( and in one very special case someone doing all three at once ).
    11. Re:There's a fine line by Reziac · · Score: 1

      And some that cause the most drastic legislation are the most negligible as realworld risks. Frex, banning specific dog breeds, even tho your chance of death by dog attack is nearly nil. You are somewhat more likely to be run over and killed by your nextdoor neighbour, yet we don't ban cars...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  18. Developers: Put On Your Hacker Hat! by curmudgeon99 · · Score: 2

    Over the Christmas holidays, when work is always slow, I have a long habit of putting on my hacker hat and seeing what our vulnerabilities are. I think every developer owes it to their sanity to do this regularly. You will find so many opportunities for SQL Injection--no matter how careful your developers are--and Cross-Site Scripting and just a bunch of other holes. You do not want to be in a conference room some day explaining to your boss's boss why your program allowed a hacker to gain access to the company's systems through your app. This is a no-brainer.

    1. Re:Developers: Put On Your Hacker Hat! by Ant P. · · Score: 1

      The last time I found an SQL injection hole I went and rewrote everything to use prepared statements.

    2. Re:Developers: Put On Your Hacker Hat! by curmudgeon99 · · Score: 1

      I agree. However, in some unusual queries, you have query terms that are conditional with all kinds of subcases and you would end up keeping track of 16 parameters and it just becomes a pain in the ass to use a PreparedStatement.
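
The exchange above is about keeping bound parameters when the set of query terms is conditional. The following is an added example, not code from either commenter: it uses Python's `sqlite3` rather than the `PreparedStatement` API mentioned, and the `orders` table, the filter names and the sample rows are all constructed for illustration.

```python
import sqlite3

# Allowlist of optional filters: name -> (column, operator).
# Only these fixed strings ever reach the SQL text; values are always bound.
FILTERS = {
    "customer": ("customer", "="),
    "status": ("status", "="),
    "status_in": ("status", "IN"),
    "min_total": ("total", ">="),
    "max_total": ("total", "<="),
    "placed_after": ("placed_on", ">="),
}
SORTABLE = {"placed_on", "total", "customer"}  # ORDER BY cannot be bound, so allowlist it


def build_order_query(criteria, sort_by="placed_on", descending=False):
    """Return (sql, params) for whichever filters the caller supplied."""
    clauses, params = [], []
    for name, value in criteria.items():
        if name not in FILTERS:
            raise ValueError(f"unknown filter: {name!r}")
        if value is None:  # filter left blank in the search form
            continue
        column, op = FILTERS[name]
        if op == "IN":
            if not isinstance(value, (list, tuple)):
                raise ValueError(f"{name} expects a list of values")
            if not value:
                clauses.append("1 = 0")  # an empty IN list matches nothing
                continue
            marks = ", ".join("?" for _ in value)
            clauses.append(f"{column} IN ({marks})")
            params.extend(value)
        else:
            clauses.append(f"{column} {op} ?")
            params.append(value)
    if sort_by not in SORTABLE:
        raise ValueError(f"cannot sort by {sort_by!r}")
    sql = "SELECT id, customer, status, total FROM orders"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += f" ORDER BY {sort_by} {'DESC' if descending else 'ASC'}"
    return sql, params


def search_orders(db, criteria, **options):
    """Run the generated statement with its parameters bound by the driver."""
    sql, params = build_order_query(criteria, **options)
    return db.execute(sql, params).fetchall()


def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
        "status TEXT, total REAL, placed_on TEXT)"
    )
    db.executemany(
        "INSERT INTO orders (customer, status, total, placed_on) VALUES (?, ?, ?, ?)",
        [
            ("alice", "open", 120.0, "2008-03-01"),
            ("alice", "shipped", 40.0, "2008-03-10"),
            ("bob", "open", 75.5, "2008-03-12"),
            ("carol", "cancelled", 300.0, "2008-03-15"),
        ],
    )
    return db


if __name__ == "__main__":
    db = demo_db()
    print(build_order_query({"customer": "alice", "min_total": 100}))
    print(search_orders(db, {"status_in": ["open", "shipped"], "max_total": 100},
                        sort_by="total", descending=True))
    # A value containing quote characters is compared as a literal string.
    print(search_orders(db, {"customer": "alice' OR '1'='1"}))
```

The clause list and the parameter list grow together, so adding a seventeenth optional term is one more entry in `FILTERS` rather than more string concatenation.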

  19. The necessary human element by dpilot · · Score: 3, Insightful

    One example used was getting the car from the repair shop, with just a last name.

    Where I get my car serviced, I know both guys who might be behind the desk, and they both know me, my wife, and son. They won't hand over the car keys on just a last name. Which brings it all back to a frequent point of Bruce's writings - all of the security razzle-dazzle in the world doesn't make a bit of difference compared to a knowledgeable person in the right spot.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:The necessary human element by QuantumRiff · · Score: 1

      Where I get my car serviced, I know both guys who might be behind the desk, and they both know me, my wife, and son.

      But not everyone drives a ford!

      --

      What are we going to do tonight Brain?
  20. Good engineers look for failure too. by argent · · Score: 2, Insightful

    Good engineers need to look for how things can fail, too. They need to look for small parts that children may swallow, weak latches that can allow lids to fall open, weak load-bearing structures... how the environment can make their products fail. They need to look for how things can be made to fail, as well, because the hostile human element is always part of the environment... the same factors that make someone a good engineer make them a good security expert.

    The problem isn't that good security professionals have a different mindset from good engineers, it's that both good security professionals and good engineers are rarer than people think, and that engineers are not as often held responsible for how their stuff fails when someone gains an advantage by deliberately making them fail.

    As in many other areas of life, I try to ask myself, WWFD? What Would Feynman Do?

    1. Re:Good engineers look for failure too. by Anonymous Coward · · Score: 0

      Good engineers will also do cost-benefit analysis. How safe do we need to make the car vs how many lawsuits can we afford? Not so with many security professionals (or rather, vulnerability hunters on BugTraq) though. For them, finding a vulnerability which may be exploited, and even so under hard to obtain conditions is one more feather in their cap.

    2. Re:Good engineers look for failure too. by argent · · Score: 1

      Good engineers will also do cost-benefit analysis.

      So do good security professionals.

      Not so with many security professionals (or rather, vulnerability hunters on BugTraq) though.

      I think your parenthetical comment answers your point quite well.

  21. HERO Sys by ChristTrekker · · Score: 1

    I described this as "PsychLim: naive to criminal mindset, -10" on a Champions character I played back in the day.

  22. Scripts by Hatta · · Score: 2, Insightful

    Speaking of security analysis, there are scripts from 9 different domains on that page, none of which are required to read the article. WTF. Thank god for noscript.

    --
    Give me Classic Slashdot or give me death!
  23. Making money by breaching security isn't easy by dpbsmith · · Score: 3, Insightful

    Without disagreeing with anything at all the article, I'd like to raise the point that an awful lot of things have no security, or very porous security.

    What saves society is three things.

    First, mischief and curiosity aren't a powerful enough motivator to create a real problem. I don't know whether Schneier ever sent live ants to strangers... or how many Slashdot readers will try it... but most likely not very many.

    Second, for most security holes it is difficult to think of a way to make money from the exploits.

    Third, even if you can make money, it's even more difficult to find a way that will make significant amounts of money and to repeat the exploit often enough to make a living wage, without being caught.

    Case in point: newspaper vending boxes which allow you to pay for one newspaper and access a whole stack of them. If you have a "security mindset" (or even if you don't), it occurs to you that you could pay for one and take two... or ten... or the whole stack. And, indeed, you can. The problem is that it doesn't benefit you to get more than one newspaper. So, can you take two and sell the extra? Maybe. Net profit $0.50. Could you take the entire stack out of the machine and dress up as a street vendor and sell them on a street corner? Maybe. Net profit $25. Could you do it more than half-a-dozen times? Probably not.

    How about self-checkout lines in supermarkets? You can buy produce at them, and the produce isn't bar-coded. So, you can buy orange bell peppers at $3.99 a pound, put them on the scanner scale, and enter the code for green peppers at $1.69 a pound. Most supermarkets seem to rely on someone at a nearby counter keeping an eye on the self-checkout lanes while doing other things, and they don't usually come over unless a customer calls or the machine goes into an error state. Again, it's hard to see how you can make money, rather than saving a little on your grocery bill... and if you managed to do this to the extent where you were stealing hundreds of dollars, I think your chances of being detected get to be high. (I'm thinking of people who got caught recently pasting barcodes for two-dollar items over things like boom-boxes and DVD players...).

    1. Re:Making money by breaching security isn't easy by krack · · Score: 1

      It isn't our fault you can only come up with small examples. :)

      --
      Just because you are not paranoid does not mean they are not out to get you.
  24. Also the auditor mindset by baomike · · Score: 1

    When investigating/examining internal controls over cash, you use the same idea.
    How can you get money out of the system?
    If you can find it, so can someone else.

  25. If I was Bruce Schneier... by pyrr · · Score: 1

    ...I would keep my AP open simply to provide a path of least resistance to the internet. I'd configure it behind a router that would block a healthy number of outgoing ports to prevent network abuse (making it difficult to run port scans, use SMTP, spew worms or other exploits, etc.). I might leave it open for P2P, but set reasonable QoS restrictions on traffic. I could let guests or passersby use that AP without much fear of their security competence. I might keep logs, but I'd prefer not to unless legal counsel indicated that I'd be subject to ISP recordkeeping requirements for providing an open AP (with the rationale being that if I don't monitor or log, the access would be anonymous and it would be up to someone else to put the pieces together if they were investigating wrongdoing). I'd have my wired network on the other side of that router (or maybe throw a second router into the mix). If I needed to access files on my wired network from a wireless client, I'd probably VPN to it through that open AP. That would make the public AP portion of my network useful for the primary reason someone might want to trespass, but would give me enough control to direct that trespassing in a direction that wouldn't put my private network's defenses in the sights of much of anyone. There wouldn't be all that much of a reward for attacking my private network at that point, if someone wants internet access, they could just take it, and I'd make sure it would take more effort to get past my private defenses than curiosity or the chance of possibly acquiring personal information would be impractical.

    1. Re:If I was Bruce Schneier... by DaleGlass · · Score: 1

      Actually, no. The mistake you make is thinking somebody is interested in you personally. Most often they aren't.

      They're not after your vacation's photos. They're after your internet connection, so that you're the one blamed for sending a huge amount of spam.

      The way around this is by using the best security you can. If you use WPA, and the neighbour is open, guess who the spammer is going to choose for their operations. Same goes for house and car security: It doesn't need to be perfect, just good enough to be more inconvenient to break through than the other ones nearby.

      You can't secure a connection against abuse. Exploits can be as simple as crafting a URL, and completely normal internet activity can involve illegal content. Posting death threats for instance.

    2. Re:If I was Bruce Schneier... by Anonymous Coward · · Score: 0

      Shouldn't that be "If I were Bruce Schneier"?

  26. Lies, damned lies, and statistics by heson · · Score: 1

    I don't understand if you are joking or logically challenged.
    For example, it's even safer to try the joy of capital punishment: legal execution is just one in 5,647,247.

  27. Factoring large primes? by Mr. Firewall · · Score: 1

    ...today, factoring large primes is a difficult problem.

    Factoring large primes isn't difficult. It's impossible.

    A prime is a number that cannot be factored.

    Sounds like you've been learning your security from Bill Gates.

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
    1. Re:Factoring large primes? by BitZtream · · Score: 1

      You're sitting beside him listening to Mr Gates I guess?

      Just because it can't be done today, doesn't mean someone won't come up with a way to do it tomorrow. Encryption is and has always been security through obscurity with the assumption that no one will figure out a quick way to do the math. It is rather stupid to assume that no one will ever figure out a way to speed up the process at some point in the future. The assumption asymmetric cryptography uses is that it won't happen soon enough to matter, and just for good measure, we'll use really big numbers so that even if someone comes up with a short cut, hopefully it will still take a long time ... hopefully ...

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Factoring large primes? by Anonymous Coward · · Score: 1, Interesting

      That's because you misunderstood his comment--by definition primes are not factored (whether large or small)--composites are factored *into* primes.

  28. Large intersection set... by mengel · · Score: 1
    But the intersection set between security and computer science is very large, and the complexity of doing security when you include computer based hardware and software is actually much much larger -- for example, the failure modes/work factor of a mechanical lock are much easier to understand than the ones for a computer card-reader.

    So studying the security as it relates to computer science is certainly worthwhile, and computers complicate security significantly; largely due to the lack of rigor and quality endemic in the software and hardware industries today.

    --
    - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
    1. Re:Large intersection set... by sjames · · Score: 1

      Even though CS has been around for quite a while before actually building a computer was practical, it could be argued that the modern era got its big start from the efforts to break Enigma.

  29. much more common than he thinks by Vrst1013 · · Score: 1

    In the foreword of the great book Why Buildings Fall Down, Matthys Levy tells the story of an elderly relative. When she was presented with Levy's previous book about how buildings stay up, she said she would rather know why they fall down. Levy's book is a good read for security people and almost everyone who works in systems and networks.

  30. Simple distinction: Engineers vs Security guys by JRHelgeson · · Score: 1

    Engineers' mindset is "If it ain't broken, don't take it apart to find out why!"

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  31. I always thought I was just weird by BenEnglishAtHome · · Score: 2, Interesting

    This had me flashing back to elementary school arithmetic. It happened to me a hundred times. The textbook showed an equation and made a statement about it. The textbook showed another equation and made a statement about it. Then the textbook showed a third equation and asked "What can we say about this equation?"

    My answers always started the same way. "It's printed in ink on paper." I don't really think that the textbook author expected people to do anything other than to extend whatever line of reasoning had been presented in the previous examples (and I always got around to that) but the open-ended question "What can we say about this equation?" always struck me as license to comment on the clarity of the typesetting or anything else.

    My teachers thought I was weird.

    Later in life, I became involved in competitive pistol shooting. I loved the rule books. They were just collections of hidden loopholes begging to be found. And then came the problems. In some sports it was called the "engagement" rule. In others, it was the "spirit of the rules" rule. They were all the same sort of thing - a way to say you couldn't do anything unexpected. If you looked at a practical defensive scenario and found some completely whacky way to beat it by, say, running between cover in an odd sequence, you'd be found guilty by the officials of "failure to engage" the scenario. No points for you. A guy I knew had trouble seeing sights too close to his face but the rules forbid changing the sight radius (distance between the sights) making it impossible for him to move the rear sight further from his face. He responded by cantilevering both sights forward so that the sight radius stayed unchanged but both sights were now completely forward of the muzzle. It was perfectly legal under the rules as written but his pistol was declared illegal because it violated the "spirit of the rules."

    What amazes me is the hostility this mindset engenders. I'm not shy about saying that I love to parse out the rules and find advantages. I'm not shy about saying that a "spirit of the rules" rule is really just saying "You're not allowed to be smarter than the people writing the rules and running the match." The reaction I get is flaming on message boards and accusations of poor sportsmanship. There are actually people out there who want to punish innovation; at least, that's the way I look at it.

    "Thinking different" makes people feel threatened and act nervous and hostile. I don't understand that. Am I weird, or are they?

    1. Re:I always thought I was just weird by Wes+Janson · · Score: 1

      So what you're saying is that you're one of the bastards responsible for the umpteen-thousand changes to the rules regarding capacity, caliber, size, weight, sights, etc. Thanks ;P

  32. Not natural for engineers?! by Sloppy · · Score: 1

    It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

    You've got to be kidding. Maybe it's not natural for most software "engineers", but I bet it's pretty natural for engineers in general. It was natural for the engineer that designed the last bridge I drove over .. I hope.
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Not natural for engineers?! by Ungrounded+Lightning · · Score: 2, Informative

      It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

      You've got to be kidding. Maybe it's not natural for most software "engineers", but I bet it's pretty natural for engineers in general.

      Indeed.

      I was tempted to take issue with Bruce on that point. After I cut my programming teeth in classified research I built a career in automobile automation engineering. I was ALWAYS looking at all the things that could go wrong, through bugs, mischance, or malice, and ensuring that they were properly handled.

      And this was expected. And it was honored, and the extra time required was paid for gladly. (I happened to be better at it than most, but everybody at least tried.)

      But then I got out to Silicon Valley. And here I discovered that there was another, and much lower, standard of reliability when it came to software. The contrast was almost painful. (One of my colleagues once remarked that I was the only guy he would trust to program his pacemaker. B-) )

      And I finally realized what it was:

      In Detroit, virtually ANY hunk of software can be life-critical. A bug in the idle speed control might result in a year's production of cars that tend to stall a car's length into the intersection when accelerating from a stop sign. A bug in the factory energy management system might shut off the lights in the plant while the machines are still moving and the workers are within inches of them. A bug in the alarm on the annealing oven's flame curtain could let the plant fill with hot gas loaded with carbon monoxide, then blow the roof into the next county. A bug in the airbag tester program could fire the bag with the worker inside the test cell trying to hook it up. (To name four that I actually worked on.)

      In Silicon Valley, on the other hand, there is massive pressure to get the product out marginally ahead of the competitors. And there are business models that turn product bugs into revenue streams via maintenance services and updates. (I finally switched to "the hard side of the force" - chip design - where a million dollars of nonrecurring expenses per bug-fix chip spin and months of lead time promotes the same sort of attention to perfection that I was used to.)

      Bruce lives and works out here in the land of fruits, nuts, flakes - and software engineers that treat bugs as features and ship dates as the holy grail. So perhaps most of his experience is with "software engineers" of that sort, leading him to make an overgeneralization.

      (Then again, while I apply that sort of thinking to my software and now hardware work, Bruce lives it 24/7. So perhaps he has a point. B-) )

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  33. That's why mathematicians make great security guys by yomerito · · Score: 1

    You don't have to have a destructive mind. Look at any mathematician, that's exactly what they do, find the exceptions to the "rule" and they don't call it a rule until they prove that there are no exceptions. That's why mathematicians are great security guys. This reminds me of these jokes: http://math.arizona.edu/~mcleman/MathJokes.html

  34. don't have to be paranoid by JimBobJoe · · Score: 1

    I've seen several posts on here (like yours) suggesting that paranoia is a source of the security mindset.

    I'm sure it is in some people, but it's not in me. The motivator in me is a desire to cause a bit of troublemaking. Enjoying seeing institutions have egg on their face when I point out they have a lousy design/lame thinking.

    I don't know what motivates Schneier but if anything he has much more "anti-paranoia" than anything--he spends more time debunking security fears than actually talking about potential exploits.

  35. money no, deviant ethics yes by obtuse · · Score: 1

    I like your example, but I have known people to routinely purchase a newspaper from a rack, and then place the entire stack of papers on top of the rack as a gift to passersby. Check out Steal This Book by Abbie Hoffman.

    Perhaps some conscientious person who was going to purchase a paper might put in a quarter and replace the rest of the stack. I never saw that and I must admit that at the time, it didn't occur to me.

    --
    Assembly is the reverse of disassembly.
  36. It takes a thief... by Firrenzi · · Score: 1

    It takes a "thief" to catch a thief. You need to think, eat, breathe and live that mindset. Doesn't mean you are one, but you need to understand the drives and if possible, understand and replicate the emotional drives that give forth the cognition of breaking into somewhere. I guess at the end of the day this is profiling based on one archetype.

    --
    The Tao that can be named is not the Tao
  37. Good point, but there's more to risk than that! by Anonymous Coward · · Score: 0

    It seems when many consider risk they don't consider the probability of something happening only the possibility.

    Consider the National Safety Council's Odds of Dying page. According to them, one has a 1 in 73,085 chance of dying in a motorcycle accident while there's a 1 in 19,216 of dying in a motor vehicle accident as a car occupant.

    I think you're misunderstanding those statistics. They say nothing about the number of drivers, which is also important!

    I'm not saying that motorcycles are riskier, because I don't know how many drivers there are of each. I'm just saying that the risks could still be disproportionate if the odds are that high even when many fewer people actually ride motorcycles given on my drive, motorcycles are less than 1% of traffic. So, if their odds of dying are that high even though they are that few, it may still be more dangerous to ride one.
  38. It doesn't take a very smart terrorist by patio11 · · Score: 1

    ... to sit in front of the front gate and smoke the first 40 kids who come out of it. Now, fast forward to the next day: "You KNEW there was a TERRORIST IN THE NEIGHBORHOOD and you LET OUR CHILDREN GO OUT THE FRONT GATE?!?" Instant loss of job at a minimum.

    This is why we have elaborate terror defense scenarios: because if the scenario didn't work, well then, it is that wily terrorist's fault. If an improvised plan doesn't work, then it is fault of whoever was on the scene at the time.

    (Interesting question: what would happen to the security professional who said "Assuming an armed assault on an American public school, significant student fatalities are inevitable. We should accept their inevitability and try to rescue as many students as possible rather than using loss-prevention policies which increase the likelihood that the loss will be total.")