Slashdot Mirror


User: YXdr

YXdr's activity in the archive.

Stories: 0
Comments: 18

Comments · 18

  1. Re:I keep waiting for the Air Force to say somethi on Sony Should Pay For OtherOS Removal, Says Finnish Board · · Score: 2

    Quick note: some analysts have found some completely impractical vulnerabilities in AES-256 (but not AES-128 !?!).
    http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

  2. Re:The free world isn't so free anymore... on Police Stop Journalists From Photographing Metrorail System · · Score: 1

    Well at least I'm introducing numbers and trade-offs into the equation. That's something we need a lot more of in security discussions - it is usually just emotion and guesswork.

    The Israeli model depends on well-trained people, well-organized airports and well-tested plans. Making that work with hundreds of airports large and small, thousands of planes and hundreds of thousands of people would require a huge investment in time and money.

    Even if you could scale just FAMS to handle every flight, why would you? Let's get back to the question you asked at the start of this thread: Is it cost effective?

    What threats would they guard against? Regular crimes and unruly passengers? As noted above, they don't seem to be doing much of that. How about folks like the shoe bomber? He was first detected by the person seated next to him, and subdued by nearby passengers. An air marshal riding in the front could have joined in, but wasn't necessary.

    What about the guy who might try to hijack the plane with a box cutter? That hasn't worked for nine years - reinforced cockpit doors and passenger awareness have taken care of that.

    So, to summarize: is FAMS, in its current incarnation, worth the money? I say no. Would FAMS with air marshals on every flight be worth it? I really, really doubt it. Would an air marshal program consisting of a dozen guys and a lot of fake publicity about how many there are be worth it? Maybe - it's security theater, but it'd be cheap security theater.

    It's this very expensive security theater we have right now that is the real stupidity.

  3. Re:The free world isn't so free anymore... on Police Stop Journalists From Photographing Metrorail System · · Score: 2, Insightful

    El Al has air marshals on every flight. That's a real deterrent, against what (as you note) is a much more significant risk.

    But, like many Israeli security measures, there is no way to scale it to the U.S. without completely destroying air travel as we know it.

  4. Re:The free world isn't so free anymore... on Police Stop Journalists From Photographing Metrorail System · · Score: 1

    What metric would you propose? Spending $200 million per arrest would seem to indicate that there just isn't that much crime to prevent.

    And there is no way to measure how effective FAMS is against terrorist attacks. The smart terrorists are not going to be deterred by the low odds of riding with an air marshal. The stupid terrorists probably don't even know they exist.

    The comments in the Schneier post do a good job of exploring this. It seems likely that there are better ways of spending almost a billion dollars a year.

  5. Re:The free world isn't so free anymore... on Police Stop Journalists From Photographing Metrorail System · · Score: 2, Interesting

  6. Re:BRUCE NEVER SAID THAT on 9/11 Made Us Safer, Says Bruce Schneier · · Score: 2, Insightful

    That was one of several possibilities he proposed in response to the original question (why no attacks?)

    There, he's basically saying that 9/11 changed the equation, which is a statement we can discuss rationally. But instead we get a bunch of responses to the emotion-laden headline.

  7. Re:Banks here in Finland uses one-time codes on Russian Hacker Selling 1.5M Facebook Accounts · · Score: 2, Interesting

    the only way I can conceive this to be hacked ...
    Always a dangerous statement - just because you can't think of an attack doesn't mean there isn't one.

    You are correct that no one is going to guess the next one-time password. Instead, they are going to attack your machine, and piggyback on your session after you have logged in. This is happening in the wild today, although it's mostly aimed at larger commercial accounts.

    Those keypads are more secure because they can be used to enter unique data for each transaction, like the amount of a transfer. Plus, they aren't connected to a network, so remote hacks are blocked. The keypad's generated code will definitively prove that the holder of the device entered the transaction data(*).

    Obligatory Schneier reading: http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html

    (*) The most likely attack against devices like this: the key stored on the bank's server. But it's just a single target, so it is easier to harden.

  8. Re:Great, still doesn't fix the Houston problem. on The Year of the E-Bicycle · · Score: 1

    "Cite, please."

    That was easy.

    And no, it's not a crazy idea - the link gives some reasons.

  9. Re:Bad Economy = Bad Management on IT Job Satisfaction Plummets To All-Time Low · · Score: 2, Insightful

    No, the best tech people are the ones that solve the problems that their business needs solved. Sometimes that comes from the guy who knows the technology, and sometimes that comes from the folks who understand the problem.

    And when you're really lucky, you get both parts of the equation from the same people ...

  10. Another contributor to productivity invisibility . on Why Coder Pay Isn't Proportional To Productivity · · Score: 5, Insightful

    The uber-coder's code works the first time - it sits there silently and invisibly working.

    Meanwhile, everyone is looking at the hard work and long hours being put in by the guy whose code needs lots of help. He gets the notice, not the guy who did it right.

  11. Re:The comment may also be complex.. on If the Comments Are Ugly, the Code Is Ugly · · Score: 5, Insightful

    ... but if it passes the Unit Tests ...

    That kinda presumes that the unit tests are good, doesn't it? Which means that somewhere, somehow, somebody has to know what problem they are trying to solve.

    Defining 'good enough' is really tough. I've seen perfectionists get bogged down, but even more often, I've seen folks that invoke the 'it's good enough' mantra as a cover for sloppiness and incompetence.

  12. Re:First post on Watchmen Watched · · Score: 1

    Umm, that was definitely Leonard Cohen singing. They used the version from Various Positions, which was released in 1984. It was very heavily edited - not just verses were cut out, but they even removed individual phrases, making it a bit choppy.

    Cohen is not a gifted singer. However, he does have a wonderful musicality, but it takes a while to hear it. In short bits he isn't great (but I don't think "really sucked" is a very accurate critique).

  13. Re:I want one too! on Local Police Want To Jam Wireless Signals · · Score: 1

    Liability can be an interesting thing. When you don't do anything unusual, you don't take any extra responsibility.

    Let's say you're a theater manager that isn't blocking cell phone signals deliberately (like now, presumably) ... then somebody has an emergency. Their companion runs out to the lobby, but one of the high school kids is on break, and the other one is getting stuff from the supply closet. The companion runs up and down the halls for a couple of minutes, and finally finds someone. However, that person doesn't have a key to the office where the phone is, so that takes a radio call to the on-duty manager. Finally, after several minutes, help is summoned.

    So far, this is bad luck, but not negligence. You never made any promises about how fast they can contact emergency services.

    Now, let's suppose that you set up a cell phone blocker. Essentially, you are now saying that you MUST go through the staff to call 911 - you have no other options. You have now made an implicit promise.

    With this change, the chain of events described above is a disaster ... the lawsuits would come fast and furious, and be very difficult to defend.

  14. Re:I want one too! on Local Police Want To Jam Wireless Signals · · Score: 2, Insightful

    Yep, people had heart attacks before - and they died. Now we have paramedics, automated defibrillators, cell phones, and other tools. So let's try a few scenarios:

    • Sorry that he died, but the ambulance's siren was bothering me so I sent them on a fake call. That's OK, people had heart attacks before paramedics.
    • Sorry that he died, but the color of the AED cabinet bothered me so I hid it behind a curtain. That's OK, people had heart attacks before AEDs.
    • Sorry that he died, but I didn't want my movie interrupted so I jammed the cell phone signal. That's OK, people had heart attacks before cell phones.

    Yeah, that's a good argument ... </sarcasm>

  15. Re:It's fairly simple... on Remote Access Policies · · Score: 1

    But the two networks are not 'fully isolated'. Routing from one to the other may involve an ISP or two, but it can be done. So your work systems will still need to be protected from the risks that your home machine poses.

    The only risk factor you've affected is the bandwidth between the two systems - as security trade-offs go, that doesn't seem to be worth the effort.

    Now, if separating broadband connections also gives you some tax deductions and billing simplicity, then it might be worthwhile ....

  16. Re:It's fairly simple... on Remote Access Policies · · Score: 1

    Remote access should only be used in case of dire need

    You have got to be kidding ... does your definition of dire need include "keeping me from quitting and going to work at a company not run by crazy paranoid people?"

  17. Re:Listening to the experts on Paper Ballots Will Return In MD and VA · · Score: 1

    Here on /. we have endlessly re-hashed this, and the only way I've seen that a system based on computers and software can be improved is by adding a voter-verified paper trail. Everything else is just "lipstick on a pig", and even the voter-verified paper trail is unnecessarily clunky.

    I'd be really interested in what these "experts" that you speak of have to say, and what you would do to have "electronic voting done properly" ...

  18. Re:Sigh. Only 6 more days of this BS on Streaming Election Night Broadcast TV? · · Score: 1

    Fool me once, shame on -- shame on you. Fool me -- you can't get fooled again.

    Impressive - a Brit who can paraphrase a Bush gaffe! I couldn't even pretend to know something Gordon Brown has ever said (and I'm in that 0.002% of the US population who even knows who Gordon Brown is ...).