Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.

If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.

Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper (.pdf) published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:

Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.

Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.

The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorist are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.

For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terrorist group with a totally different political platform. Many new al-Qaida members say, unconvincingly, that they decided to become a jihadist after reading an extreme, anti-American blog, or after converting to Islam, sometimes just a few weeks before. These people know little about politics or Islam, and they frankly don't even seem to care much about learning more. The blogs they turn to don't have a lot of substance in these areas, even though more informative blogs do exist.

All of this explains the seven habits. It's not that they're ineffective; it's that they have a different goal. They might not be effective politically, but they are effective socially: They all help preserve the group's existence and cohesion.

This kind of analysis isn't just theoretical; it has practical implications for counterterrorism. Not only can we now better understand who is likely to become a terrorist, we can engage in strategies specifically designed to weaken the social bonds within terrorist organizations. Driving a wedge between group members -- commuting prison sentences in exchange for actionable intelligence, planting more double agents within terrorist groups -- will go a long way to weakening the social bonds within those groups.

We also need to pay more attention to the socially marginalized than to the politically downtrodden, like unassimilated communities in Western countries. We need to support vibrant, benign communities and organizations as alternative ways for potential terrorists to get the social cohesion they need. And finally, we need to minimize collateral damage in our counterterrorism operations, as well as clamping down on bigotry and hate crimes, which just creates more dislocation and social isolation, and the inevitable calls for revenge.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:

1. The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.

   Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

2. The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.

3. Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.

   Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.

By all accounts the show did go on, and we have some very interesting results to share with you all.

Take the Top Challenges question. Once again, “Supporting New Technologies/Enabling Innovation” was most popular. But that’s a no-brainer and as one memorable respondent told me, “the definition of what I do”. What was more important was seeing the big jump that “Reducing Management Costs” made on the list, from #5 last year to #2 this year and only 1 percentage point behind #1. Tightening the belt is top of mind for everyone. (As I write, the Dow closed down today over 700 points)

Overall, IT professionals told us they were tackling the practical projects that should and could get done – from deploying Security Information Management solutions to getting Asset Management and Inventory Tools in place. For the first time, we saw a close correlation between what people said was important and what actually got done. Of low importance and even lower actual deployments – ITIL and CMDB, IPv6, Green IT and Cloud Computing.

And perhaps people “fessed” up about virtualization. Instead of the usual “high importance, not so many deployments now, but more deployments planned” theme we’ve been seeing around virtualization adoption, this year the very hot trend seemed to lose a bit of steam. Across the board, the numbers were down for virtualization management, with close to 50% of respondents telling us that their businesses were less than 10% virtualized (4% of that with no virtualization at all).

2008 Detailed Results – showing trends year over year

Comparison of Results from Interop NY 2008 vs FOSE 2008 (government IT)

On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.

You can read all the details on their website (except for the part about the certification not being a measure of practical skills). From what I can tell, the CSSLP is just the CISSP with different CBKs, or Common Bodies of Knowledge. As with the CISSP, they are going for broad knowledge, not depth. Starting in June 2009, you can get certified by taking a paper exam, likely a multiple choice test similar to the CISSP. Why June? Because the test isn’t even written yet — I’ve heard from several sources that they are actively soliciting their existing pool of CISSPs to help write test questions.

Ah, but what if you can’t wait that long and want to get certified right away? You’re in luck. If you act before March 31, 2009, you can get grandfathered in without even having to take the exam! That’s right, they call it the CSSLP Experience Assessment, and here are the requirements:

• Upload a resume showing three years of experience related to software security, or four years if you don’t have a college degree
• Write short essays (500 words maximum) discussing four CBKs of your choice
• Get a CISSP to vouch for you
• Pay $650

Let’s examine these requirements one at a time.

Three years of experience. (ISC)2 doesn’t provide any requirements on depth of experience, other than citing the broadly-defined CBKs. Considering they are targeting everyone from software developers to security assessors to business analysts (yes, really), chances are they are going to accept any experience that is even tangential to the SDLC or software security.

Short essays on four of the CBKs. I asked the (ISC)2 exhibitors specifically what they are looking for to satisfy this requirement, and they said the essays should be a general discussion of the CBK topic, optionally citing your personal experience in that area if you have any. This messaging is not quite aligned with the website guidance, which states that the essays should be “Accomplishment Records” which are self-reported descriptions of experience. Either way, with a maximum essay length of 500 words, it’s pretty obvious that substance is not (ISC)2’s first priority. Here’s one data point for you: I spoke to someone who has already submitted the CSSLP Experience Assessment, and he said it took about an hour to write the essays.

Get a CISSP to vouch for you. Actually this can be any (ISC)2 certified person, not just CISSPs. Contrary to what you’d expect, though, the person isn’t vouching for your skillset so much as they are confirming that the attestations on your resume are accurate.

Pay $650. You knew it was coming. After all, there is money to be made. How is it that qualifying for the CSSLP through professional experience should cost $650? If you’re taking the written exam, fair enough, (ISC)2 does incur the cost of administering and grading that exam (even though the Scantron machine is probably paid off by now). But $650 for the submitted-online Experience Assessment? If we assume that the person reading these essay submissions makes a rather generous $100k per year, then $650 accounts for roughly a day and a half. Will it really take that long to read a maximum of 2,000 words and pass judgment? Of course not. (ISC)2 wants to get as many people as possible to qualify based on “experience”, seeding the initial pool of CSSLPs and netting them $650 per head for doing next to nothing.

As Lee Kushner stated during his OWASP AppSec presentation (7 Habits of Highly Effective Career Managers), “the more people who own a cert, the less relevant it becomes.” Irrelevant — that’s exactly what the CISSP has become, and it’s exactly where the CSSLP is headed. Meanwhile, (ISC)2 will sit back and watch while you and your employers continue to fill their coffers.

In closing, let me acknowledge that this blog entry probably comes across as judgmental. I accept that. I’m not ranting against the idea of certifications, though admittedly I’m not a fan of them either. I am disappointed that (ISC)2, an organization with tremendous influence, could have created something more meaningful but chose not to. Why bother when people will just fork over the cash anyway?

I used to react to this with "Are you stupid?! PCI being prescriptive is the best thing since sliced cake :-) Finally, there is some specific guidance for people to follow and be more secure!" BTW, in many cases end users who have to comply with PCI DSS still think it is "too fuzzy" and "not specific enough" (e.g. see "MUST-DO Logging for PCI"); and they basically ask for  "a compliance TODO list." (also see this and especially this on compliance checklists)

But every time it happens, I can't stop but think - why do people even utter such utter heresy? :-) And you know what?  I think I got it!

When people say "PCI is too prescriptive," they actually mean that it engenders "checklist mentality" and leads to following the letter of the mandate blindly, without thinking about WHY it was put in place (to protect cardholder data, share risk/responsibility, etc). For example, it says "use a firewall" and so they deploy a shiny firewall with a simple "ALLOW ALL<->ALL" rule (an obvious exaggeration - but you get the point!) Or they have a firewall with a default password unchanged... In addition, the proponents of "PCI is too prescriptive" tend to think that fuzzier guidance (and, especially, prescribing the desired end state AND not the tools to be installed) will lead to people actually thinking about the best way to do it.

So the choices are:

1. Mandate the tools (e.g. "must use a firewall") - and risk "checklist mentality", resulting in BOTH insecurity and "false sense" of security.
2. Mandate the results (e.g. "must be secure") -  and risk people saying "eh, but I dunno how" - and then not acting at all, again leading to insecurity.

Take your poison now?! Isn't compliance fun? What is the practical solution to this? I personally would take the pill #1 over pill #2 (and that is why I like PCI that much), but with some pause to think, for sure.  I think organizations with less mature security programs will benefit at least a bit from #1, while those with more mature programs might "enjoy" #2 more...

BTW, this post was originally called "Isn't Compliance Fun?!"  I had a few fierce debates with some friends and all of them  piled on me to convince me that "compliance is boring, while security is fun!" The above does illustrate that there are worthy and exciting intellectual challenges in the domain of regulatory compliance. It is not [only] a domain of minimalists (who just "want the auditor to go away") and mediocrity, as some think. What makes security fun - the people aspect, the ever-changing threat landscape, cool technology, high uncertainty, even risk - also apply to compliance ...

So, need a cool marketing slogan BUT hate "making compliance easy"?  Go for "Making Compliance Fun!" :-)

All posts on PCI - some are fun:-)

Obviously, as a practical stage one, Lexar is selling a private-label Eye-Fi Share as the Lexar Shoot-n-Sync using. Same price, same features.

What I'm waiting for, which will likely take into 2009, is for Lexar and Eye-Fi to announce partnerships with a major camera maker or two that will allow the Lexar or Eye-Fi card to talk directly to the camera to control battery savings mode, as well as other details. Conceivably, a camera that supports an external GPS (like the new Nikon D90) could allow the Eye-Fi to retrieve coordinates and perform assistive GPS using its Wi-Fi positioning software, and so forth. There's a lot of potential.

Traveling towards VMworld 2008

I, along with thousands of others, wended my way through a vast dimly lit cavern of a place helped along by the strangely surreal sight of ushers in black waving wispy red flags to guide us not to the empty seats in front of us, but to the ones 50 yards on. (Ah Vegas, my feet hurt already.) Perhaps the point was to live in the moment, soak in the pre-rock concert atmosphere complete with a hip and cool soundtrack ripped off from Apple commercials. (Do they all use the same ad firm?) A better way to build the anticipation for, yes, the kickoff keynote session at VMworld 2008. (photo credit: lodev)

To the sounds of Hey Ya (Shake it like a Polaroid picture), we shifted forward in our uncomfortable temporary seating placed, as at all tech conferences, too close for all but the skinny girls. The moment was here – one of those videos started playing on the dozen or so huge monitors floating above the convention crowd. You know this video; you’ve probably seen it before from HP or someone like that. One of those videos with instrumental Coldplay music in the background with time lapse/speeded-up video of people in motion and floating captions dropping into the images that leave you with a slight smile on your face as you “get” the relationship between image and text. (Do they all use the same ad firm?)

And here he is, announced like a Vegas headliner, Paul Maritz, the new CEO of VMware. Hmm. After all that hype, I rather expected someone in a black turtleneck and jeans to come out. Instead here’s this guy with pleat-front pants and an admittedly cool accent (New Zealand?) who looks a little like Al from Home Improvement. Not that there’s anything wrong with that – everyone likes Al.

And then the real fun begins.

• 30 years ago, Paul Maritz started off his business career as a developer
• 10 years ago, VMware was founded by Diane Greene and Mendel Rosenblum (BTW, 10 seconds spent showing a slide with cartoon-ized images of the founders, “thanks for what you did for the company for the past 10 years”. 10 seconds after 10 years…but maybe more would have been hypocritical…)
• a retrospective of centralized vs. decentralized computing initiatives from the 1960’s to today
• of course VMware milestones from 1998 to today
• and then an analyst-ready diagram showing the product roadmap (to be delivered in 2009) with, you guessed it, finally a connection between VMware and cloud computing (remember Maritz’s cloud-computing company was bought by EMC just a couple of years ago and that’s the section he headed up at EMC before being brought into VMware).

Forward Looking

2008 (and probably much of 2009) will be a very busy year for VMware. If you believe the roadmap, VMware seems to be taking on the management of everything – from chargeback and capacity planning to virtual storage and virtual networking (more to come on just what the planned vStorage and vNetwork will deliver) – but all of it VMware-centric. As we said in an earlier post, they’ve moved away from “defending” the hypervisor business proposition to focusing on management services on top of their own hypervisor platform. Revenue pressures must be excruciating – who wants to be a public company these days?

The best part of that new “Virtual Data Center Operating System” diagram/roadmap was the addition (and I mean addition) of something called Cloud vServices. (Did anyone else find it odd that Cloud vServices is kind of on its own in the Infrastructure vServices area? AND, I’ll have to get the other version of the diagram/roadmap I actually saw at the show because that one shows an inexplicable 4^th box in the Application vServices area titled “…”. Really. Maybe to balance out the addition of Cloud vServices?)

What was clear is that the move from VirtualCenter to vCenter –and the new vServices for rolled-up management of virtualization components/capability to span multiple VirtualCenters (or future vCenters) for reporting, monitoring and management at scale – has been in the works for a bit (but in tech time, that could mean 6 months), but the cloud stuff…not so much.

Beyond the very high-level speak appropriate to a keynote (100+ service provider partners for off-premise cloud…suspended VM’s that you don’t have to pay for until you need it), the details are uber-fuzzy. There was a session that Dave went to which was supposed to shed more light, but when questions were asked about how it really works, the answers seemed to be TBD. Does anyone know more? If VMware really has figured out practical cloud computing for enterprises, kudos to them. But I fear they’re like everyone else (except maybe AT&T) and are still working out the details.