Bruce Schneier
Schneier on Security
A blog covering security and security technology.

Washington Post Comments on Terrorist Plots

From this article, published last April:

Batiste confided, somewhat fantastically, that he wanted to blow up the Sears Tower in Chicago, which would then fall into a nearby prison, freeing Muslim prisoners who would become the core of his Moorish army. With them, he would establish his own country.

Somewhat fantastically? What would the Washington Post consider to be truly fantastic? A plan involving Godzilla? Clearly they have some very high standards.

I'm sick of people taking these idiots seriously. This plot is beyond fantastic, it's delusional.

Posted on July 25, 2008 at 6:48 AM • 6 Comments

Open Source Laptop Tracking Service

Posted on July 24, 2008 at 11:59 AM • 22 Comments

Anti-Terrorism Stupidity at Yankee Stadium

They're confiscating sunscreen at Yankee Stadium:

The team contends that sunscreen has long been on the list of stadium contraband, but there is no mention of it on the Yankee Web site.

Next, I suppose, is confiscating liquids at pools. We've collectively lost our minds.

This story has a happy ending, though. A day after The New York Post published this story, Yankee Stadium reversed its ban. Now, if only the Post had that same effect on airport security.

Posted on July 24, 2008 at 6:50 AM • 42 Comments

Information Security and Liabilities

In my fourth column for the Guardian last Thursday, I talk about information security and liabilities:

Last summer, the House of Lords Science and Technology Committee issued a report on "Personal Internet Security." I was invited to give testimony for that report, and one of my recommendations was that software vendors be held liable when they are at fault. Their final report included that recommendation.
The government rejected the recommendations in that report last autumn, and last week the committee issued a report on their follow-up inquiry, which still recommends software liabilities.

Posted on July 23, 2008 at 3:09 PM • 62 Comments

Speed Cameras Record Every Car

In this article about British speed cameras, and a trick to avoid them that does not work, is this sentence:

As vehicles pass between the entry and exit camera points their number plates are digitally recorded, whether speeding or not.

Without knowing more, I can guarantee that those records are kept forever.

EDITED TO ADD (7/25): Passenger moons speeding camera and gets his picture published even though the car was not speeding. Police may take action against the man for public order offences and not wearing a seat belt. How did they even know to look at the picture in the first place?

Posted on July 23, 2008 at 5:32 AM • 69 Comments

Washington DC Metro Farecard Hack

Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.

My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold farecards on the street for half face value.
Posted on July 22, 2008 at 12:29 PM • 27 Comments

The Case of the Stolen Blackberry and the Awesome Chinese Hacking Skills

A high-level British government employee had his Blackberry stolen by Chinese intelligence:

The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.

That can't look good on your annual employee review.

But it's this part of the article that has me confused:

Experts say that even if the aide's device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10's e-mail traffic and text messages.

Um, what? I assume the IT department just turned off the guy's password. Was this nonsense peddled to the press by the UK government, or is some "expert" trying to sell us something? The article doesn't say.

EDITED TO ADD (7/22): The first commenter makes a good point, which I didn't think of. The article says that it's Chinese intelligence:

A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence.

But Chinese intelligence would be far more likely to clone the Blackberry and then return it. Much better information that way. This is much more likely to be petty theft.

EDITED TO ADD (7/23): The more I think about this story, the less sense it makes. If you're a Chinese intelligence officer and you manage to get an aide to the British Prime Minister to have sex with one of your agents, you're not going to immediately burn him by stealing his Blackberry. That's just stupid.
Posted on July 22, 2008 at 10:05 AM • 39 Comments

Scary Knife Makes for Great Newspaper Headlines

Who can not feel a little chill of fear after reading this: "Britain on alert for deadly new knife with exploding tip that freezes victims' organs."

Yes, it's real. The knife is designed for people who need to drop large animals quickly: sharks, bears, etc. I have no idea why Britain is on alert for it, though.

EDITED TO ADD (7/24): Knife crime is rising in the UK.

Posted on July 21, 2008 at 6:12 AM • 61 Comments

Cost/Benefit Analysis of Airline Security

This report, "Assessing the risks, costs and benefits of United States aviation security measures" by Mark Stewart and John Mueller, is excellent reading:

The United States Office of Management and Budget has recommended the use of cost-benefit assessment for all proposed federal regulations. Since 9/11 government agencies in Australia, United States, Canada, Europe and elsewhere have devoted much effort and expenditure to attempt to ensure that a 9/11 type attack involving hijacked aircraft is not repeated. This effort has come at considerable cost, running in excess of US$6 billion per year for the United States Transportation Security Administration (TSA) alone. In particular, significant expenditure has been dedicated to two aviation security measures aimed at preventing terrorists from hijacking and crashing an aircraft into buildings and other infrastructure: (i) Hardened cockpit doors and (ii) Federal Air Marshal Service. These two security measures cost the United States government and the airlines nearly $1 billion per year. This paper seeks to discover whether aviation security measures are cost-effective by considering their effectiveness, their cost and expected lives saved as a result of such expenditure. An assessment of the Federal Air Marshal Service suggests that the annual cost is $180 million per life saved.
This is greatly in excess of the regulatory safety goal of $1-$10 million per life saved. As such, the air marshal program would seem to fail a cost-benefit analysis. In addition, the opportunity cost of these expenditures is considerable, and it is highly likely that far more lives would have been saved if the money had been invested instead in a wide range of more cost-effective risk mitigation programs. On the other hand, hardening of cockpit doors has an annual cost of only $800,000 per life saved, showing that this is a cost-effective security measure.

From the body:

Hardening cockpit doors has the highest risk reduction (16.67%) at lowest additional cost of $40 million. On the other hand, the Federal Air Marshal Service costs $900 million pa but reduces risk by only 1.67%. The Federal Air Marshal Service may be more cost-effective if it is able to show extra benefit over the cheaper measure of hardening cockpit doors. However, the Federal Air Marshal Service seems to have significantly less benefit which means that hardening cockpit doors is the more cost-effective measure.

Cost-benefit analysis is definitely the way to look at these security measures. It's hard for people to do, because it requires putting a dollar value on a human life -- something we can't possibly do with our own. But as a society, it is something we do again and again: when we raise or lower speed limits, when we ban a certain pesticide, when we enact building codes. Insurance companies do it all the time. We do it implicitly, because we can't talk about it explicitly. I think there is considerable value in talking about it.

(Note the table on page 5 of the report, which lists the cost per lives saved for a variety of safety and security measures.)

The final paper will eventually be published in the Journal of Transportation Security. I never even knew there was such a thing.
Posted on July 21, 2008 at 5:53 AM • 22 Comments

Friday Squid Blogging: Researching the Reproductive Habits of Giant Squids

I sure want to know more:

Giants have very strange sexual behaviour where the male has a metre-long muscular penis that he uses a bit like a nail gun and shoots cords of sperm under the skin of the female's arms and she carries the sperm around with her until she is ready to lay her big jelly mass of a million eggs.

Posted on July 18, 2008 at 4:05 PM • 7 Comments

Funny Radio Skit on Identity Theft

By Mitchell & Webb.

Posted on July 18, 2008 at 1:21 PM • 18 Comments

Midazolam as a Non-Lethal Weapon

Did you know that, in some jurisdictions, police can inject midazolam into suspects to subdue them?

"There is no research guideline. There is no validated protocol for this. There's not even a clear set of indications for when this is to be used except when people are agitated. By saying that it's done by the emergency medical personnel, they basically are trying to have it both ways. That is, they're trying to use a medical protocol that is not validated, not for a police function, arrest and detention," Miles said.

The biggest side effect is amnesia, which makes it harder for any defendant to defend himself in court.

Posted on July 18, 2008 at 11:28 AM • 66 Comments
Powered by Movable Type 3.36. Photo at top by Steve Woit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.