Wired Security

Military Eyes Football Helmets for Battlefield Protection

Fri, 29 Aug 2008 02:00:00 +0000

The Pentagon is seeking help from NFL gear makers to create helmets that will make U.S. combat soldiers safer.

Best Western Rebuts Claims of Massive Data Breach

Wed, 27 Aug 2008 09:45:00 +0000

Best Western International and the Sunday Herald newspaper of Scotland are duking it out over a story which reports that a hacker stole the records of 8 million customers from the hotel chain's global network in the "the greatest cyber-heist in world history." Best Western says 10 people were affected at one hotel.

Warner Keynote Comment On Science Lights Up Twitter

Wed, 27 Aug 2008 03:27:00 +0000

"Just think about this: In four months, we will have an administration that actually believes in science!" said former Virginia Governor Mark Warner during his keynote speech at the 2008 Democratic National Convention. It didn't set the room on fire but Twitter was aflutter as its geek community celebrated a throwaway line.

Clinton Urges Party Unity In Powerful Convention Address

Wed, 27 Aug 2008 00:22:00 +0000

Hillary Clinton exhorts the members of her party to unite and rally behind former Democratic presidential nominee Barack Obama, saying that the nation can't afford to elect another Republican to the White House.

Revealed: The Internet's Biggest Security Hole

Tue, 26 Aug 2008 20:00:00 +0000

Researchers demonstrate a serious eavesdropping risk in the internet's fundamental infrastructure, putting proof to a theory that's long been whispered about in national security circles.

Dem Convention: Live Audio of Denver Police

Tue, 26 Aug 2008 13:20:00 +0000

Bored with the speeches? Scanner buffs set up a live feed of the Denver police dispatch frequency. You can almost taste the pepper spray.

Airport Fast Pass Lets Redskins Fans Cut Security Line

Mon, 25 Aug 2008 13:15:00 +0000

Redskins fans can now pay $100 a year to get into the football stadium faster and to jump to the front of the security lines at airports around the country. Will fast-pass lanes be coming to retailers or fast-food joints soon?

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome

Thu, 21 Aug 2008 00:00:00 +0000

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.

The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors -- who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities.

Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly. Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism (.pdf) by which computer security improves.

Outside of computer security, secrecy is much more the norm. Some security communities, like locksmiths, behave much like medieval guilds, divulging the secrets of their profession only to those within it. These communities hate open research, and have responded with surprising vitriol to researchers who have found serious vulnerabilities in bicycle locks, combination safes (.pdf), master-key systems and many other security devices.

Researchers have received a similar reaction from other communities more used to secrecy than openness. Researchers -- sometimes young students -- who discovered and published flaws in copyright-protection schemes, voting-machine security and now wireless access cards have all suffered recriminations and sometimes lawsuits for not keeping the vulnerabilities secret. When Christopher Soghoian created a website allowing people to print fake airline boarding passes, he got several unpleasant visits from the FBI.

This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys.

If you'll forgive the analogy, the ethics of full disclosure parallel the ethics of not paying kidnapping ransoms. We all know why we don't pay kidnappers: It encourages more kidnappings. Yet in every kidnapping case, there's someone -- a spouse, a parent, an employer -- with a good reason why, in this one case, we should make an exception.

The reason we want researchers to publish vulnerabilities is because that's how security improves. But in every case there's someone -- the Massachusetts Bay Transit Authority, the locksmiths, an election machine manufacturer -- who argues that, in this one case, we should make an exception.

We shouldn't. The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It's how we learn about security, and how we improve future security.

---

Bruce Schneier is Chief Security Technology Officer of BT Global Services and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.

Defense Spooks: Let's Control Enemy Minds

Sat, 16 Aug 2008 09:03:00 +0000

Rather than developing performance-enhancing drugs for soldiers, defense agents want to study performance-degrading drugs for our enemies. A report recommends investment in neuroscience research that could reveal ways to eliminate our enemies' motivation to fight and get them to obey our commands.

Hacker Reportedly Kidnaps, Tortures Informant, Posts Picture as Warning

Fri, 15 Aug 2008 15:05:22 +0000

Computer crime gets tough, as a Turkish hacker who specializes in selling ATM skimmers allegedly exacts revenge on an informant who was helping the media and police.