Bruce Schneier's Crypto-Gram, April 15 2008

Published by: JP on Apr 24, 2008
Copyright: Attribution Non-commercial


CRYPTO-GRAM

April 15, 2008

by Bruce Schneier
Founder and CTO
BT Counterpane
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0804.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
Third Annual Movie-Plot Threat Contest
The Security Mindset
News
The Feeling and Reality of Security
Web Entrapment
Schneier/BT Counterpane News
Speeding Tickets and Agenda
Seat Belts and Compensating Behavior
Internet Censorship
Comments from Readers

** *** ***** ******* *********** *************

Third Annual Movie-Plot Threat Contest

For this contest, the goal is to create fear. Not just any fear, but a fear that you can alleviate through the sale of your new product idea. There are lots of risks out there, some of them serious, some of them so unlikely that we shouldn't worry about them, and some of them completely made up. And there are lots of products out there that provide security against those risks.

Your job is to invent one. First, find a risk or create one. It can be a terrorism risk, a criminal risk, a natural-disaster risk, a common household risk -- whatever. The weirder the better. Then, create a product that everyone simply *has to* buy to protect him- or herself from that risk. And finally, write a catalog ad for that product.

Here's an example, pulled from page 25 of the Late Spring 2008 Skymall catalog I'm reading on my airplane as I write this:

"A Turtle is Safe in Water, A Child is Not! Even with the most vigilant supervision a child can disappear in seconds and not be missed until it's too late. Our new wireless pool safety alarm system is a must for pool owners and parents of young children. The Turtle Wristband locks on the child's wrist (a special key is required to remove it) and instantly detects immersion in water and sounds a shrill alarm at the Base Station located in the house or within 100 feet of the pool, spa, or backyard pond. Keep extra wristbands on hand for guests or to protect the family dog."

Entries are limited to 150 words -- the example above had 97 words -- because fear doesn't require a whole lot of explaining. Tell us why we should be afraid, and why we should buy your product.

Entries will be judged on creativity, originality, persuasiveness, and plausibility. It's okay if the product you invent doesn't actually exist, but this isn't a science fiction contest.

Portable salmonella detectors for salad bars. Acoustical devices that estimate tiger proximity based on roar strength. GPS-enabled wallets for use when you've been pickpocketed. Wrist cuffs that emit fake DNA to fool DNA detectors. The Quantum Sleeper. Fear offers endless business opportunities. Good luck.

Entries due by May 1. Submit them as entries to the blog post. And even if you don't want to enter, go read some of the submissions. You people are frighteningly creative.

Blog post:
http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html

The First Movie-Plot Threat Contest rules:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
And winners:
http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html

The Second Movie-Plot Threat Contest rules:
http://www.schneier.com/blog/archives/2007/04/announcing_seco.html
Semifinalists:
http://www.schneier.com/blog/archives/2007/06/second_annual_m.html
And winners:
http://www.schneier.com/blog/archives/2007/06/second_movieplo.html

** *** ***** ******* *********** *************

The Security Mindset

Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.

I replied: "What's really interesting is that these people will send a tube of live ants to anyone you tell them to."

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.

SmartWater is a liquid with a unique identifier linked to a particular owner. "The idea is for me to paint this stuff on my valuables as proof of ownership," I wrote when I first learned about the idea. "I think a better idea would be for me to paint it on your valuables, and then call the police."

Really, we can't help it.

This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.

I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset.

Which is why CSE 484, an undergraduate computer-security course taught this quarter at the University of Washington, is so interesting to watch. Professor Tadayoshi Kohno is trying to teach a security mindset.

You can see the results in the blog the students are keeping. They're encouraged to post security reviews about random things: smart pill boxes, Quiet Care Elder Care monitors, Apple's Time Capsule, GM's OnStar, traffic lights, safe deposit boxes, and dorm room security.

One recent one is about an automobile dealership. The poster described how she was able to retrieve her car after service just by giving the attendant her last name. Now any normal car owner would be happy about how easy it was to get her car back, but someone with a security mindset immediately thinks: "Can I really get a car just by knowing the last name of someone whose car is being serviced?"

The rest of the blog post speculates on how someone could steal a car by exploiting this security vulnerability, and whether it makes sense for the dealership to have this lax security. You can quibble with the analysis -- I'm curious about the liability that the dealership has, and whether their insurance would cover any losses -- but that's all domain expertise. The important point is to notice, and then question, the security in the first place.

The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don't stop to notice how they might fail or be made to fail,
