Monthly Archives: August 2006

Concentric Circles

How did MI5 find the suspected terrorists in the U.K. in order to foil their plot to down multiple transatlantic airliners? By casting a net over the entire country’s telecommunications and looking for needles in that huge haystack? Apparently not; rather by good old-fashioned detective work:

Given that the four British men who carried out last July’s suicide bombings in London were radicalised in Pakistan, British officials have been acutely interested in potential links between UK-based al-Qaeda sympathisers and established militants in Pakistan.

Based on the information from Pakistan, MI5 began its watching operation last year. The BBC last night reported the operation began in July, but The Scotsman understands it started several months earlier.

Arrest in Pakistan led MI5 to airline terror plot suspects, The Scotsman, 11 Aug 2006

I heard British Home Secretary John Reid say on the radio yesterday that they had been following the specific group of plotters since December. But how did MI5 find those plotters in the first place?


First They Came For the Nail Clippers….

Perry Metzger addresses the actual reported terrorist plot from the UK. First he addresses the chemical and logistical plausibility of what the news media have reported the terrorists as planning, and concludes that they would have had an interesting time actually pulling it off without spilling or being detected, unless they brought major constituent parts onboard already mixed, which is something we’ve known for a long time could be done. In other words, this doesn’t look to him like a new threat, so why are airlines and governments reacting as if it were, by adding all sorts of new searches and restrictions on carry-on baggage?

And now, on to the fun part of this note. First they came for the nail clippers, but I did not complain for I do not cut my finger nails. Now they’ve come for the shampoo bottles, but I did not complain for I do not wash my hair. What’s next? What will finally stop people in their tracks and make them realize this is all theater and utterly ridiculous? Let’s cut the morons off at the pass, and discuss all the other common things you can destroy your favorite aircraft with. Bruce Schneier makes fun of such exercises as “movie plots”, and with good reason. Hollywood, here I come!

On the implausibility of the explosives plot, by Perry E. Metzger, 11 Aug 2006, Interesting People.


DHS, Microsoft, and National Security

Paul Ferguson notes that DHS says that a recent Microsoft patch that has already been exploited puts national security at risk. On the one hand, that’s very interesting, because that’s the sort of thing that could lead to software vendor liability, despite the current legal loophole that keeps the software vendors off the hook. On the other hand, I’d rather not see such liability come through the root password of national security, because you never know what form it would take or where it would stop. And on the third hand, if Microsoft software is so insecure as to adversely affect national security, when DHS decided to require a monoculture of Microsoft software on its own computers, what effect did that have on national security?

-jsq

What can We Do about Terrorism?

Below is a slightly augmented (with links) version of a post I sent to Dave Farber’s Interesting People list in response to another poster’s question about what government should do regarding plots like the recently foiled one to infiltrate planes in the UK to attack the U.S. The poster asked:

Now that the maniacs have our full attention, I’ll ask once more the question I’ve asked before:

What should a government do?  How far should it go, to surveil, arrest and interrogate the sort of people who’d plan something like this? It’s all very well to complain of governmental threats to our liberty; indeed, such complaints are a vital part of that liberty, so keep ’em coming.  But at some point, somebody’s got to decide what we will do against these disgusting, murderous fanatics.

And so the question:  To foil plots like these, what would IPers do?

A very interesting question on news from the UK, Hiawatha Bray, 10 August 2006.

Well, for one thing, IPers can continue to discourage use of methods that have little promise of working, such as blanket scans of all telephone numbers or electronic mail, which just increase the haystack without making finding the needle more likely, or national ID cards such as the British government has been pushing lately.


U.S. DHS Unprepared for Internet Disruption

Could what happened to New Orleans happen to the Internet? If we were expecting U.S. DHS to prevent it, apparently so:

While the Homeland Security Department has been charged with coordinating cyberspace security and recovery, GAO found that the initiatives so far lack authority, and the relationship between the initiatives is unclear.

David Powner, GAO’s director of information technology management issues, told a Senate subcommittee during a hearing timed to coincide with the release of the report that it is unclear what government entity is in charge, what the government’s role should be and when it should jump in. “Despite federal policy requiring DHS to develop this public-private plan, today no such plan exists,” Powner said.

Report: U.S. unprepared for major Web disruption, by Heather Greenfield, National Journal’s Technology Daily, 28 July 2006


Risk-Based Funding

I see Gunnar Peterson has beaten me to posting about Bryan Ware’s decision matrix that he uses to advise the U.S. DHS on investing in security. One axis is risk, high or low. The other axis is effectiveness, high or low, as in the likely effectiveness of the funded organization at actually doing something about the problem. High risk and high effectiveness spells best investment; high risk and low effectiveness, not so much; low risk and high effectiveness, invest some to incentivize high effectiveness; and low risk and low effectiveness, “Apply minimal funding”.

Bryan mentioned that they have no data as to how well this risk-based funding scheme works, but at least they’re trying.

-jsq

Why Did the Titanic Sink?

Let’s ask some people in different lines of work:

Reporters:
because it hit an iceberg.
Executives:
because it had the wrong captain.
Security professionals:
because its rivets were stressed from temperature changes.
Security managers:
because it didn’t have radar to detect the iceberg.
Risk managers:
because it didn’t have access to a distributed iceberg detection system.

House Construction Security

Some argue that it’s not possible to measure software or network security: there are always bugs, many of which may lie hidden for years, and miscreants are always out there trying to exploit those bugs and trying to find ways to misinterpret features to their favor, etc., so there’s no way to build secure software or networks, so there’s no point in trying to measure security.

Let me demonstrate by the same method that it’s not possible to build a secure house.