First They Came For the Nail Clippers….

Perry Metzger addresses the actual reported terrorist plot from the UK: First he addresses the chemical and logistical plausibility of what the news media have reported the terrorists as planning, and concludes that they would have had an interesting time actually pulling it off without spilling or being detected, unless they brought major constituent parts onboard already mixed, which is something we’ve known for a long time could be done. In other words, this doesn’t look to him like a new threat, so why are airlines and governments reacting as if it was, by adding all sorts of new searches and restrictions on carryon baggage?

And now, on to the fun part of this note. First they came for the nail clippers, but I did not complain for I do not cut my finger nails. Now they’ve come for the shampoo bottles, but I did not complain for I do not wash my hair. What’s next? What will finally stop people in their tracks and make them realize this is all theater and utterly ridiculous? Lets cut the morons off at the pass, and discuss all the other common things you can destroy your favorite aircraft with. Bruce Schneier makes fun of such exercises as “movie plots”, and with good reason. Hollywood, here I come!
On the implausibility of the explosives plot. by Perry E. Metzger, 11 Aug 2006, Interesting People.

Continue reading →

DHS, Microsoft, and National Security

Paul Ferguson notes that DHS says that a recent Microsoft patch that has already been exploited puts national security at risk. While on the one hand that’s very interesting, because that’s the sort of thing that could lead to software vendor liability, despite the current legal loophole that keeps the software vendors off the hook, yet on the other hand, I’d rather not see such liability come through the root password of national security, because you never know what form it would take or where it would stop. And on the third hand, if Microsoft software is so insecure as to adversely affect national security, when DHS decided to require a monoculture of Microsoft software on its own computers, what effect did that have on national security?

-jsq

What can We Do about Terrorism?

Below is a slightly augmented (with links) version of a post I sent to Dave Farber’s Interesting People list in response to a request by another poster for what should government do regarding plots like the one recently foiled regarding infiltrating planes in the UK to attack the U.S.; the poster asked:

Now that the maniacs have our full attention, I’ll ask once more the question I’ve asked before:

What should a government do? How far should it go, to surveil, arrest and interrogate the sort of people who’d plan something like this? It’s all very well to complain of governmental threats to our liberty; indeed, such complaints are a vital part of that liberty, so keep ’em coming. But at some point, somebody’s got to decide what we will do against these disgusting, murderous fanatics.

And so the question: To foil plots like these, what would IPers do?

A very interesting question on news from the UK, Hiawatha Bray, 10 August 2006.

Well, for one thing, IPers can continue to discourage use of methods that have little promise of working, such as blanket scans of all telephone numbers or electronic mail, which just increase the haystack without making finding the needle more likely, or national ID cards such as the British government has been pushing lately.

Continue reading →

U.S. DHS Unprepared for Internet Disruption

Could what happened to New Orleans happen to the Internet? If we were expecting U.S. DHS to prevent it, apparently so:

While the Homeland Security Department has been charged with coordinating cyberspace security and recovery, GAO found that the initiatives so far lack authority, and the relationship between the initiatives is unclear.
David Powner, GAO’s director of information technology management issues, told a Senate subcommittee during a hearing timed to coincide with the release of the report that it is unclear what government entity is in charge, what the government’s role should be and when it should jump in. “Despite federal policy requiring DHS to develop this public-private plan, today no such plan exists,” Powner said.
Report: U.S. unprepared for major Web disruption, By Heather Greenfield, National Journal’s Technology Daily 28 July 2006

Continue reading →

Risk-Based Funding

I see Gunnar Peterson has beaten me to posting about Bryan Ware’s decision matrix that he uses to advise the U.S. DHS on investing in security. One axis is risk, high or low. The other axis is effectiveness, high or low, as in the likely effectiveness of the funded organization at actually doing something about the problem. High risk and high effectiveness spells best investment; High risk and low effectiveness not so much; Low risk and high effectiveness, invest some to incentivize high effectiveness, and low risk and low effectiveness “Apply minimal funding”.

Bryan mentioned that they have no data as to how well this risk-based funding scheme works, but at least they’re trying.

-jsq

Why Did the Titanic Sink?

Let’s ask some people in different lines of work:

Reporters:: because it hit an iceberg.
Executives:: because it had the wrong captain.
Security professionals:: because its rivets were stressed from temperature changes.
Security managers:: because it didn’t have radar to detect the iceberg.
Risk managers:: because it didn’t have access to a distributed iceberg detection system.

Continue reading →

House Construction Security

Some argue that it’s not possible to measure software or network security because there are always bugs, many of which may lie hidden for years, miscreants are always out there trying to exploit those bugs, and trying to find ways to misinterpret features to their favor, etc., so there’s no way to build secure software or networks, so there’s no point in trying to measure security.

Let me demonstrate by the same method that it’s not possible to build a secure house. Continue reading →

No Kitty Skimming

How to secure yourself from being quantified at a distance: Hello Kitty RFID covers to prevent skimming, i.e., unauthorized distance reading of your broadcasting identity cards.

-jsq

PS: Seen on Bruce Sterling’s Beyond the Beyond.

Metricon, Tomorrow

Tomorrow in Vancouver, the first-ever conference on security metrics, Metricon. It’s about changing security from art to science. I’ll be speaking about how metrics should be used to tell a story, so that people will look at the metrics. Lots of other good folks. Accept no substitutes.

-jsq

Turning Alcohol

Ethyl alcohol – C2H5OH – CH3-CH2-OH:

I don’t think of ethanol as an alternative fuel; I think gasoline should be the alternative fuel that meets 10 to 20 percent of my needs. We definitely don’t need hydrogen. We don’t need new car engines, designs, or distribution. In less than five years, we can, with very little cost, make an irreversible change in our trajectory. With little cost to consumers, little cost to automakers, and no money from the government.

Biofuels: Think Outside The Barrel, Vinod Khosla, Google TechTalks, March 29, 2006

Khosla, a well-known venture capitalist, has been examining how Brazil did it, how they benefited including greatly reduced oil imports, and he presents a plan for how the U.S. can do it. He starts by pointing out that once you discount subsidies and taxes, the production costs of ethanol are only about $1.00/gallon vs. $1.60 for gasoline. Then he walks through why we should do this, and how to do it.

Continue reading →

Perilocity

Beyond Internet security to risk management

First They Came For the Nail Clippers….

DHS, Microsoft, and National Security

What can We Do about Terrorism?

U.S. DHS Unprepared for Internet Disruption

Risk-Based Funding

Why Did the Titanic Sink?

House Construction Security

No Kitty Skimming

Metricon, Tomorrow

Turning Alcohol