<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: tightly]]></title>
    <link>http://securityratty.com/tag/tightly</link>
    <description></description>
    <pubDate>Mon, 09 Jul 2007 07:54:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Movie Plot Threats in The Guardian ]]></title>
      <link>http://securityratty.com/article/44fad18176882cd40d3a3632e2971eda</link>
      <guid>http://securityratty.com/article/44fad18176882cd40d3a3632e2971eda</guid>
      <description><![CDATA[We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with...]]></description>
      <content:encoded><![CDATA[<p>We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run wild with vivid specific threats. Before long, we're envisioning an entire movie plot, without Bruce Willis saving the day. And we're scared.</p>

<p>It's not just terrorism; it's any rare risk in the news. The big fear in Canada right now, following a particularly gruesome incident, is random decapitations on intercity buses. In the US, fears of school shootings are much greater than the actual risks. In the UK, it's child predators. And people all over the world mistakenly fear flying more than driving. But the very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn't worry about it. It's when something is so common that it's no longer news - car crashes, domestic violence - that we should worry. But that's not the way people think.</p>

<p>Psychologically, this makes sense. We are a species of storytellers. We have good imaginations and we respond more emotionally to stories than to data. We also judge the probability of something by how easy it is to imagine, so stories that are in the news feel more probable - and ominous - than stories that are not. As a result, we overreact to the rare risks we hear stories about, and fear specific plots more than general threats.</p>

<p>The problem with building security around specific targets and tactics is that it's only effective if we happen to guess the plot correctly. If we spend billions defending the Underground and terrorists bomb a school instead, we've wasted our money. If we focus on the World Cup and terrorists attack Wimbledon, we've wasted our money.</p>

<p>It's this fetish-like focus on tactics that results in the security follies at airports. We ban guns and knives, and terrorists use box-cutters. We take away box-cutters and corkscrews, so they put explosives in their shoes. We screen shoes, so they use liquids. We take away liquids, and they're going to do something else. Or they'll ignore airplanes entirely and attack a school, church, theatre, stadium, shopping mall, airport terminal outside the security area, or any of the other places where people pack together tightly.</p>

<p>These are stupid games, so let's stop playing. Some high-profile targets deserve special attention and some tactics are worse than others. Airplanes are particularly important targets because they are national symbols and because a small bomb can kill everyone aboard. Seats of government are also symbolic, and therefore attractive, targets. But targets and tactics are interchangeable.</p>

<p>The following three things are true about terrorism. One, the number of potential terrorist targets is infinite. Two, the odds of the terrorists going after any one target is zero. And three, the cost to the terrorist of switching targets is zero.</p>

<p>We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn't require us to guess. We need to focus resources on intelligence and investigation: identifying terrorists, cutting off their funding and stopping them regardless of what their plans are. We need to focus resources on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy.</p>

<p>In 2006, UK police arrested the liquid bombers not through diligent airport security, but through intelligence and investigation. It didn't matter what the bombers' target was. It didn't matter what their tactic was. They would have been arrested regardless. That's smart security. Now we confiscate liquids at airports, just in case another group happens to attack the exact same target in exactly the same way. That's just illogical.</p>

<p>This essay <a href="http://www.guardian.co.uk/technology/2008/sep/04/terrorism.terrorismandtravel">originally appeared</a> in <i>The Guardian</i>.  Nothing I haven't already said elsewhere.</p>]]></content:encoded>
      <pubDate>Thu, 04 Sep 2008 01:56:57 +0000</pubDate>
      <category domain="http://securityratty.com/tag/terrorists bomb">terrorists bomb</category>
      <category domain="http://securityratty.com/tag/bomb">bomb</category>
      <category domain="http://securityratty.com/tag/threats">threats</category>
      <category domain="http://securityratty.com/tag/terrorists">terrorists</category>
      <category domain="http://securityratty.com/tag/terrorists attack wimbledon">terrorists attack wimbledon</category>
      <category domain="http://securityratty.com/tag/specific targets">specific targets</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/targets">targets</category>
      <category domain="http://securityratty.com/tag/security follies">security follies</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/movie_plot_thre_2.html">Movie Plot Threats in The Guardian </source>
    </item>
    <item>
      <title><![CDATA[Finland privacy judgment]]></title>
      <link>http://securityratty.com/article/ed9a9b4c2d0f7a235d0ab0241c8f80d1</link>
      <guid>http://securityratty.com/article/ed9a9b4c2d0f7a235d0ab0241c8f80d1</guid>
      <description><![CDATA[In a case that will have profound implications, the European Court of Human Rights has issued a judgment against Finland in a medical privacy case
The complainant was a nurse at a Finnish hospital,...]]></description>
      <content:encoded><![CDATA[<p>In a case that will have profound implications, the European Court of Human Rights has issued a <a href="http://www.cl.cam.ac.uk/~rja14/Papers/echr-finland.pdf">judgment</a> against Finland in a medical privacy case.</p>
<p>The complainant was a nurse at a Finnish hospital, and also HIV-positive. Word of her condition spread among colleagues, and her contract was not renewed. The hospital&#8217;s access controls were not sufficient to prevent colleagues accessing her record, and its audit trail was not sufficient to determine who had compromised her privacy. The court&#8217;s view was that health care staff who are not involved in the care of a patient must be unable to access that patient’s electronic medical record: &#8220;What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place.&#8221; (Press coverage <a href="http://www.helsinkitimes.fi/htimes/index.php?option=com_content&amp;view=article&amp;id=2156%3Aechr-finds-finland-in-breach-of-patient-confidentiality&amp;catid=33%3Ageneral&amp;Itemid=158">here</a>.)</p>
<p>A &#8220;practical and effective&#8221; protection test in European law will bind engineering, law and policy much more tightly together. And it will have wide consequences. Privacy campaigners, for example, can now argue strongly that the NHS Care Records service is illegal. And what will be the further consequences for the Transformational Government initiative - the &#8220;Database State&#8221;?</p>
]]></content:encoded>
      <pubDate>Wed, 23 Jul 2008 11:26:48 +0000</pubDate>
      <category domain="http://securityratty.com/tag/privacy">privacy</category>
      <category domain="http://securityratty.com/tag/hospitals access controls">hospitals access controls</category>
      <category domain="http://securityratty.com/tag/effective protection test">effective protection test</category>
      <category domain="http://securityratty.com/tag/effective protection">effective protection</category>
      <category domain="http://securityratty.com/tag/medical privacy">medical privacy</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/health care staff">health care staff</category>
      <category domain="http://securityratty.com/tag/care">care</category>
      <category domain="http://securityratty.com/tag/law">law</category>
      <source url="http://www.lightbluetouchpaper.org/2008/07/23/finland-privacy-judgment/">Finland privacy judgment</source>
    </item>
    <item>
      <title><![CDATA[Interview with Paul Cannon, Mozy Software Engineer]]></title>
      <link>http://securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</link>
      <guid>http://securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</guid>
      <description><![CDATA[Mozy Awesome Process
Sometimes people come up to me and say, Paul, how is it that Mozy has created such an unrelenting output of Awesome
Today I have been authorized to share with you some of the...]]></description>
      <content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-weight: bold;">Mozy Awesome Process</span></span><br />
Sometimes people come up to me and say, &#8220;Paul, how is it that Mozy has created such an unrelenting output of Awesome?&#8221;</p>
<p>Today I have been authorized to share with you some of the unique facets of the Mozy Awesome Process that until now have been tightly controlled trade secrets of Mozy, Inc. It all starts with giant robots (virtually perpetual sources of raw Awesome). We attach them to special Awesome Siphons of our own design and pipe the yield directly into our engineers&#8217; development workstations. Further, peripheral Awesome needs are farmed from old He-Man reruns, a roomful of ninjas wailing on electric guitars, and our captive Happy Fun Ball.</p>
<p>The crude Awesome is skillfully transformed by Mozy engineers into powerful software and hardware configurations, then carefully inspected and regulated according to a host of eldritch acronyms: SWAGs, PMQs, PRDs, and the ever-inspiring CFRRCs. Once a successful creation is stamped with the Seal of Acronymic Approval for Mozy (SAAM), it is subjected to final endorsement by the mystical, revered Mozy Leprecorn*. Finally, a highly trained team of Box Monks put the new Awesomery into place in the Mozy systems, where it becomes available to you, the user.</p>
<p>Our rigorous Awesome Enforcement Policies and Magical Oversight have brought us to what we believe is the most Awesome-efficient development process in the world of backup software.</p>
<p>Be safe,<br />
Paul Cannon<br />
Mozy Software Engineer</p>
<p>*Leprecorn (noun): a rare but phenomenal creature; half Unicorn, half Leprechaun, and all magical.</p>
<p><a title="Mozy" href="http://www.mozy.com/?ref=3f9a896b&amp;kbid=38419&amp;m=4&amp;i=77" target="_blank">Visit Mozy now for a great reliable online backup service, I use it myself.</a></p>
<p><span style="font-size: small;"><span style="font-weight: bold;">Vote for Mozy</span></span><br />
Lifehacker is currently holding an online backup showdown. Show your love for Mozy. <a title="Vote for Mozy on Lifehacker.com" href="http://click.news.mozy.com/?ju=fe3415747265057c761075&amp;ls=fdf011757767027476137173&amp;m=fef012747c6103&amp;l=fe881576736c01787d&amp;s=fe601679776d007d7014&amp;jb=ffcf14&amp;t=">Vote now</a>.</p>
]]></content:encoded>
      <pubDate>Wed, 16 Jul 2008 11:00:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mozy">mozy</category>
      <category domain="http://securityratty.com/tag/mozy systems">mozy systems</category>
      <category domain="http://securityratty.com/tag/visit mozy">visit mozy</category>
      <category domain="http://securityratty.com/tag/mozy awesome process">mozy awesome process</category>
      <category domain="http://securityratty.com/tag/mozy software engineer">mozy software engineer</category>
      <category domain="http://securityratty.com/tag/awesome">awesome</category>
      <category domain="http://securityratty.com/tag/special awesome siphons">special awesome siphons</category>
      <category domain="http://securityratty.com/tag/mozy leprecorn">mozy leprecorn</category>
      <category domain="http://securityratty.com/tag/raw awesome">raw awesome</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=504">Interview with Paul Cannon, Mozy Software Engineer</source>
    </item>
    <item>
      <title><![CDATA[Documentary on Wireless Philadelphia Released]]></title>
      <link>http://securityratty.com/article/b4a26adbee21ad0f981568ff19d1da00</link>
      <guid>http://securityratty.com/article/b4a26adbee21ad0f981568ff19d1da00</guid>
      <description><![CDATA[George Rausch decided in advance of the Phila. network shutdown to release his unfinished documentary: It's about 13 minutes, and isn't edited tightly at this point, but it's rather interesting....]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://www.vimeo.com/1105623"><strong>George Rausch decided in advance of the Phila. network shutdown to release his unfinished documentary:</strong></a> It's about 13 minutes, and isn't edited tightly at this point, but it's rather interesting. Rausch talked to a few network users, Wireless Philadelphia, and a few other people. These are well-spoken, thoughtful people, and it's well shot. I hope Rausch continues to think about how this all fits together after the Wi-Fi network halts operation in a few days.</p>

<p><span class="posted"><a href="http://www.vimeo.com/1105623?pg=embed&sec=1105623">Change is in the Airwaves: A Documentary about the Philadelphia Wireless Initiative</a> from <a href="http://www.vimeo.com/rausch?pg=embed&sec=1105623">George Rausch</a> on <a href="http://vimeo.com?pg=embed&sec=1105623">Vimeo</a>.</span></p>]]></content:encoded>
      <pubDate>Fri, 06 Jun 2008 06:43:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/george rausch">george rausch</category>
      <category domain="http://securityratty.com/tag/rausch">rausch</category>
      <category domain="http://securityratty.com/tag/hope rausch continues">hope rausch continues</category>
      <category domain="http://securityratty.com/tag/wireless philadelphia">wireless philadelphia</category>
      <category domain="http://securityratty.com/tag/documentary">documentary</category>
      <category domain="http://securityratty.com/tag/philadelphia wireless initiative">philadelphia wireless initiative</category>
      <category domain="http://securityratty.com/tag/thoughtful people">thoughtful people</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/network shutdown">network shutdown</category>
      <source url="http://wifinetnews.com/archives/008344.html">Documentary on Wireless Philadelphia Released</source>
    </item>
    <item>
      <title><![CDATA[BPL Powers Down]]></title>
      <link>http://securityratty.com/article/c0dad5ce879cdf1261a9bb879270a2ce</link>
      <guid>http://securityratty.com/article/c0dad5ce879cdf1261a9bb879270a2ce</guid>
      <description><![CDATA[Broadband over powerline (BPL) is always next year's technology; now it's never. Is never soon enough for you? For about the last 13 years, BPL was the going to be the third pipe into the home,...]]></description>
      <content:encoded><![CDATA[<strong>Broadband over powerline (BPL) is always next year's technology; now it's never. Is never soon enough for you?</strong> For about the last 13 years, BPL was going to be the third pipe into the home, supplementing the two incumbent wireline offerings of DSL and cable, which had developed into monopoly or duopoly controls in most places in the world. Two years ago, with favorable FCC and upcoming EC decisions on BPL either released or about to happen, BPL seemed about to come into its own. I wrote <a href="http://www.economist.com/science/tq/displaystory.cfm?story_id=8312140"><strong>a positive piece for The Economist</strong></a> based in large part on an enormous deployment that was contracted and underway in Texas, and a contract that had just been signed in France. These two events seemed like they would catalyze BPL.

About 18 months later, the Current Communications and TXU (now Oncor) Electric Delivery deal, which was expected to pass 2m homes by the end of 2008, is over, with Oncor purchasing the telecommunications network for $90m a few days ago. Oncor will use just the smart grid features that allow dramatically improved network monitoring--which is a well-understood aspect of data over powerlines, dating to much slower and more primitive networks. The <a href="http://www.dallasnews.com/sharedcontent/dws/bus/stories/DN-current_02bus.ART.State.Edition1.460d413.html"><strong>Dallas Morning News reports</strong></a> that just 64,000 homes were wired for BPL so far, and that Oncor will not offer Internet access. Oncor had agreed in 2006 to pay $150m for smart-grid features.

Google was a Current investor, which gave more credence to their plans in 2006. The company had already rolled out some smaller markets, overcome equipment problems, and had a positive relationship with the ARRL, the amateur radio society, in resolving interference issues. Hams have been the biggest complainants with the FCC over BPL because hams are primary and secondary licensed users in the bands they use, while BPL is an unlicensed use.

The French deployment by SIPPEREC, a utility that manages power for the suburbs of Paris, stated that 1.5m homes would eventually be passed with BPL service, but no information has been released since Feb. 2007 about the project, which makes it likely that it simply didn't happen.

Even when I was researching the Economist piece, I was troubled by the many European deployments that were announced, went into trials, and then disappeared without a trace. Still, there were some active projects in Spain, Switzerland, and Ireland, and the rollouts in France and Texas seemed both committed (contracts were signed) and imminent. But the laws of physics always win, and I can only think that BPL equipment from whatever vendor simply cannot deliver results that work within budget and reliably enough to make network deployment for broadband make any sense.

The FCC's 2006 order that overruled a number of ARRL objectives stated, essentially, that interference was okay even with licensed purposes as long as it was within tightly controlled parameters. Part of the "BPL is dead" argument I make today stems from an appeals court decision in late April which affirms the FCC licensed/unlicensed approach, but which requires the agency to re-evaluate its information about interference. The FCC failed to disclose fully information from studies it relied on in setting rules, which violated public process. The ARRL wrote up the appeals decision on their site, and notes that a study in the UK that was fully released showed a much lower threshold would be needed.

The agency's need to redo some of its work, a potential shift of power to Democrats on the commission starting 20-Jan-2009, and the fact that other work shows the rules were established incorrectly could result in restrictions on BPL that make it even less likely to be rolled out. [Initial links via <a href="http://www.dslreports.com/shownews/Broadband-Over-Powerline-BPL-Stumbles-94078"><strong>DSL Reports</strong></a>]]]></content:encoded>
      <pubDate>Mon, 05 May 2008 05:59:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bpl">bpl</category>
      <category domain="http://securityratty.com/tag/bpl equipment">bpl equipment</category>
      <category domain="http://securityratty.com/tag/bpl service">bpl service</category>
      <category domain="http://securityratty.com/tag/catalyze bpl">catalyze bpl</category>
      <category domain="http://securityratty.com/tag/fcc">fcc</category>
      <category domain="http://securityratty.com/tag/favorable fcc">favorable fcc</category>
      <category domain="http://securityratty.com/tag/oncor">oncor</category>
      <category domain="http://securityratty.com/tag/network deployment">network deployment</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <source url="http://wifinetnews.com/archives/008303.html">BPL Powers Down</source>
    </item>
    <item>
      <title><![CDATA[WiFi Epidemiology: Can Your Neighbors Router Make Yours Sick?]]></title>
      <link>http://securityratty.com/article/f784331291e68ead8bf0cc46ec7bfdfb</link>
      <guid>http://securityratty.com/article/f784331291e68ead8bf0cc46ec7bfdfb</guid>
      <description><![CDATA[In densely populated urban areas WiFi routers form a tightly interconnected proximity network that can be exploited as a substrate for the spreading of malware able to launch massive fraudulent...]]></description>
      <content:encoded><![CDATA[In densely populated urban areas WiFi routers form a tightly interconnected proximity network that can be exploited as a substrate for the spreading of malware able to launch massive fraudulent attack...]]></content:encoded>
      <pubDate>Sun, 06 Jan 2008 21:00:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wifi routers form">wifi routers form</category>
      <category domain="http://securityratty.com/tag/proximity network">proximity network</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/densely">densely</category>
      <category domain="http://securityratty.com/tag/tightly">tightly</category>
      <category domain="http://securityratty.com/tag/urban">urban</category>
      <source url="http://www.net-security.org/article.php?id=1106">WiFi Epidemiology: Can Your Neighbors Router Make Yours Sick?</source>
    </item>
    <item>
      <title><![CDATA[Think of Guest Networking as a Strategic First Step Toward NAC]]></title>
      <link>http://securityratty.com/article/4022c23c6e1fac87c954c216f455f250</link>
      <guid>http://securityratty.com/article/4022c23c6e1fac87c954c216f455f250</guid>
      <description><![CDATA[Lately, I have been speaking with a lot of clients about guest networking. In nearly every discussion, a client will tell a &quot;war story&quot; about a visitor that plugged his or her laptop into the wall...]]></description>
      <content:encoded><![CDATA[Lately, I have been speaking with a lot of clients about guest networking. In nearly every discussion, a client will tell a "war story" about a visitor that plugged his or her laptop into the wall jack and brought down the network (either via a worm or via a misconfigured device). A guest network would prevent most of these problems, by providing only Internet access to guests (or possibly tightly limited internal access to a contractor).<br />
<br />
A lot of people confuse guest networking and network access control (NAC). A guest network is really a subset of NAC: It authenticates a user or device before it gains access to the trusted network. NAC takes things a step further: It says "let's make sure that this device is not dangerous to our network before we grant it access." In other words, we baseline the PC to make sure that it is free of malware or that it is at least compliant with our device policies. The guest networking/NAC distinction is an important one. Not all guest networking projects can easily and cost-effectively evolve to a full-blown NAC implementation. But, any true NAC solution can first be used to perform basic endpoint authentication for guest networking and then evolve to a complete NAC implementation. <br />
<br />
There are multiple approaches to building guest networks, and some vendors have started to offer dedicated guest networking products. Last month, Cisco announced its Network Admission Control Guest Server, an appliance for building guest networks. It includes a management application that makes it simple enough for any employee to sponsor a guest. Startup vendor Identity Engines sells a guest networking solution with similar features. Cisco's solution works best in Cisco environments (it needs to integrate with Cisco's NAC appliance or Cisco's wireless LAN controllers). Alternatively, Identity Engines' solution works best in an 802.1X environment (although it does have an offering for non-802.1X LANs). Some network managers that I have spoken with have implemented a homegrown guest network based on MAC address authentication (although this approach is not a good steppingstone to NAC, since it does not provide a mechanism for baselining endpoint health). <br />
<br />
Gartner advises clients not to think of guest networking as a stand-alone point solution, but to think of it as the first step toward a strategic NAC implementation. When you design a guest network, you should do so with the end goal of NAC in mind; that's the most cost-effective approach. You can read more in <a href="http://www.gartner.com/DisplayDocument?id=507740&ref=g_itlsite" target="_blank">"Findings from the 'Security' Research Meeting: Go Beyond Guest Networks to Achieve NAC Benefits."</a>]]></content:encoded>
      <pubDate>Thu, 06 Dec 2007 16:02:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/guest">guest</category>
      <category domain="http://securityratty.com/tag/nac takes">nac takes</category>
      <category domain="http://securityratty.com/tag/strategic nac implementation">strategic nac implementation</category>
      <category domain="http://securityratty.com/tag/guest networks">guest networks</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network access control">network access control</category>
      <category domain="http://securityratty.com/tag/true nac solution">true nac solution</category>
      <category domain="http://securityratty.com/tag/guest networkingnac distinction">guest networkingnac distinction</category>
      <source url="http://blog.gartner.com/blog/security.php?x=0&amp;itemid=2934">Think of Guest Networking as a Strategic First Step Toward NAC</source>
    </item>
    <item>
      <title><![CDATA[The reason behind the "We're sorry..." message]]></title>
      <link>http://securityratty.com/article/7fa050a87459461fee3721ee0c76f647</link>
      <guid>http://securityratty.com/article/7fa050a87459461fee3721ee0c76f647</guid>
      <description><![CDATA[Posted by Niels Provos, Anti-Malware Team

Some of you might have seen this message while searching on Google, and wondered what the reason behind it might be. Instead of search results, Google...]]></description>
      <content:encoded><![CDATA[<a href="http://bp1.blogger.com/_wLESxcF8BBY/RpKG2OwJMgI/AAAAAAAABZY/MUEcZfcOBgU/s1600-h/wearesorry.jpg"><img style="cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_wLESxcF8BBY/RpKG2OwJMgI/AAAAAAAABZY/MUEcZfcOBgU/s400/wearesorry.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5085275195485794818" /></a><br /><span class="byline-author">Posted by Niels Provos, Anti-Malware Team</span><br /><br />Some of you might have seen this message while searching on Google, and wondered what the reason behind it might be. Instead of search results, Google displays the "We're sorry" message when we detect anomalous queries from your network. As a regular user, it is possible to answer a <a href="http://en.wikipedia.org/wiki/Captcha" title="captcha">CAPTCHA</a> - a reverse Turing test meant to establish that we are talking to a human user - and to continue searching. However, automated processes such as worms would have a much harder time solving the CAPTCHA. Several things can trigger the <span><i>sorry</i></span> message. Often it's due to infected computers or DSL routers that proxy search traffic through your network - this may be at home or even at a workplace where one or more computers might be infected. Overly aggressive SEO ranking tools may trigger this message, too. In other cases, we have seen self-propagating worms that use Google search to identify vulnerable web servers on the Internet and then exploit them. 
The exploited systems in turn then search Google for more vulnerable web servers and so on.&nbsp; This can lead to a noticeable increase in search queries and <span><i>sorry</i></span> is one of our mechanisms to deal with this.<br/><br />At <a href="http://www.eecs.umich.edu/%7Efarnam/worm2006.html" title="ACM WORM 2006">ACM WORM 2006</a>, we published a paper on <a href="http://www.citi.umich.edu/u/provos/papers/search_worms.pdf" title="Search Worms">Search Worms [PDF]</a> that takes a much closer look at this phenomenon.  <a href="http://en.wikipedia.org/wiki/Santy" title="Santy">Santy</a>, one of the search worms we analyzed, looks for remote-execution vulnerabilities in the popular phpBB2 web application. In addition to exhibiting worm-like propagation patterns, Santy also installs a botnet client as a payload that connects the compromised web server to an IRC channel. Adversaries can then remotely control the compromised web servers and use them for DDoS attacks, spam or phishing. Over time, the adversaries have realized that even though a botnet consisting of web servers provides a lot of aggregate bandwidth, they can increase leverage by changing the content on the compromised web servers to infect visitors and in turn join the computers of compromised visitors into much larger botnets. This fundamental change from remote attack to client-based download of malware formed the basis of the research presented in our <a href="http://googleonlinesecurity.blogspot.com/2007/05/introducing-googles-anti-malware.html" title="first blog post">first post</a>. In retrospect, it is interesting to see how two seemingly unrelated problems are tightly connected.]]></content:encoded>
      <pubDate>Mon, 09 Jul 2007 07:54:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web servers">web servers</category>
      <category domain="http://securityratty.com/tag/vulnerable web servers">vulnerable web servers</category>
      <category domain="http://securityratty.com/tag/message">message</category>
      <category domain="http://securityratty.com/tag/google">google</category>
      <category domain="http://securityratty.com/tag/worms">worms</category>
      <category domain="http://securityratty.com/tag/google displays">google displays</category>
      <category domain="http://securityratty.com/tag/worms pdf">worms pdf</category>
      <category domain="http://securityratty.com/tag/queries">queries</category>
      <category domain="http://securityratty.com/tag/detect anomalous queries">detect anomalous queries</category>
      <source url="http://feeds.feedburner.com/~r/GoogleOnlineSecurityBlog/~3/144579535/reason-behind-were-sorry-message.html">The reason behind the "We're sorry..." message</source>
    </item>
  </channel>
</rss>
