Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Washington Post Comments on Terrorist Plots

From this article, published last April:

Batiste confided, somewhat fantastically, that he wanted to blow up the Sears Tower in Chicago, which would then fall into a nearby prison, freeing Muslim prisoners who would become the core of his Moorish army. With them, he would establish his own country.

Somewhat fantastically? What would the Washington Post consider to be truly fantastic? A plan involving Godzilla? Clearly they have some very high standards.

I'm sick of people taking these idiots seriously. This plot is beyond fantastic, it's delusional.

Posted on July 25, 2008 at 6:48 AM (6 comments)


Open Source Laptop Tracking Service

Adeona. Looks good.

Posted on July 24, 2008 at 11:59 AM (22 comments)


Anti-Terrorism Stupidity at Yankee Stadium

They're confiscating sunscreen at Yankee Stadium:

The team contends that sunscreen has long been on the list of stadium contraband, but there is no mention of it on the Yankee Web site.

Four weeks ago, Stadium officials decided that sunscreen of all sizes and varieties would not be permitted, a security supervisor told The Post before last night's game.

"There have been a lot of complaints," he said. "We tell them to apply once and then throw it out."

For fans who bring babies or young children to cheer on the home team, the guard had suggested they "beg" to take the sunblock in.

Seeing the giant bag full of confiscated sunscreen Saturday, one steaming Yankee fan asked whether he could take one of the tubes and apply it before heading into the park.

"Absolutely not," the guard told him. "What if you get a rash? You might sue the Yankees."

Next, I suppose, is confiscating liquids at pools.

We've collectively lost our minds.

This story has a happy ending, though. A day after The New York Post published this story, Yankee Stadium reversed its ban. Now, if only the Post had that same effect on airport security.

Posted on July 24, 2008 at 6:50 AM (42 comments)


Information Security and Liabilities

In my fourth column for the Guardian last Thursday, I talk about information security and liabilities:

Last summer, the House of Lords Science and Technology Committee issued a report on "Personal Internet Security." I was invited to give testimony for that report, and one of my recommendations was that software vendors be held liable when they are at fault. Their final report included that recommendation. The government rejected the recommendations in that report last autumn, and last week the committee issued a report on their follow-up inquiry, which still recommends software liabilities.

Good for them.

I'm not implying that liabilities are easy, or that all the liability for security vulnerabilities should fall on the vendor. But the courts are good at partial liability. Any automobile liability suit has many potential responsible parties: the car, the driver, the road, the weather, possibly another driver and another car, and so on. Similarly, a computer failure has several parties who may be partially responsible: the software vendor, the computer vendor, the network vendor, the user, possibly another hacker, and so on. But we're never going to get there until we start. Software liability is the market force that will incentivise companies to improve their software quality – and everyone's security.

Posted on July 23, 2008 at 3:09 PM (62 comments)


Speed Cameras Record Every Car

In this article about British speed cameras, and a trick to avoid them that does not work, is this sentence:

As vehicles pass between the entry and exit camera points their number plates are digitally recorded, whether speeding or not.

Without knowing more, I can guarantee that those records are kept forever.

EDITED TO ADD (7/25): Passenger moons speed camera and gets his picture published even though the car was not speeding.

Police may take action against the man for public order offences and not wearing a seat belt.

Officers have the registration of the car, which was not breaking the speed limit, and intend to contact its owner.

It is understood the driver will not face prosecution as no driving offence was being committed.

How did they even know to look at the picture in the first place?

Posted on July 23, 2008 at 5:32 AM (69 comments)


Washington DC Metro Farecard Hack

Clever:

Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.

My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold farecards on the street for half face value.
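The reason the trick works at all is that the machine treats the value read off the stripe as authoritative and prints a fresh card carrying it. Here is an added example, written for this page and not taken from the post or from WMATA, that models that trust problem and the fix. The card format, the machine behaviour and the "split into four copies" step are constructed abstractions of the attack described above, not the real Farecard encoding; what it shows is that a server-side ledger with one-time serials catches the clones, whereas checking the stripe's own contents cannot.

```python
# Added example: a constructed model of the stored-value trust problem behind
# the Farecard trick. Not WMATA's card format, firmware, or machine logic.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Card:
    serial: str   # identifier written on the stripe
    cents: int    # stored value written on the stripe


def split_stripe(card: Card, pieces: int = 4) -> list[Card]:
    """Model the physical attack: each lengthwise slice of the stripe, glued to
    a dead card, reads back as a faithful copy of the original (same serial,
    same value). Because the clones are byte-identical, a MAC or checksum over
    the stripe would validate every copy just as it validates the original."""
    return [Card(card.serial, card.cents) for _ in range(pieces)]


class OfflineMachine:
    """The card is the ledger: whatever value the stripe reads back is trusted,
    and a fresh card carrying value + added fare is printed."""

    def add_fare(self, card: Card, add_cents: int) -> Card:
        return Card(card.serial, card.cents + add_cents)


class LedgerMachine:
    """Server-side ledger keyed by a one-time serial. The stripe is only a
    pointer into the ledger; reissuing voids the presented serial, so a second
    copy of the same stripe no longer matches anything and is rejected."""

    def __init__(self) -> None:
        self._balance: dict[str, int] = {}
        self._serials = count(1)

    def issue(self, cents: int) -> Card:
        serial = f"C{next(self._serials):06d}"
        self._balance[serial] = cents
        return Card(serial, cents)

    def add_fare(self, card: Card, add_cents: int) -> Card:
        if self._balance.get(card.serial) != card.cents:
            raise ValueError(f"{card.serial}: stripe value not backed by ledger")
        del self._balance[card.serial]            # void the presented serial
        return self.issue(card.cents + add_cents)

    def outstanding_cents(self) -> int:
        """Total value the operator is still liable for."""
        return sum(self._balance.values())


def run_offline_attack(start_cents: int = 4000, add_cents: int = 5) -> list[int]:
    """Values of the cards the naive machine hands back for four clones of a
    $40.00 card after a nickel is added to each."""
    machine = OfflineMachine()
    victim = Card("C000001", start_cents)
    return [machine.add_fare(c, add_cents).cents for c in split_stripe(victim)]


def run_ledger_attack(start_cents: int = 4000, add_cents: int = 5) -> tuple[int, int, int]:
    """(accepted, rejected, value still outstanding) for the same four clones
    presented to the ledger-backed machine."""
    machine = LedgerMachine()
    victim = machine.issue(start_cents)
    accepted = rejected = 0
    for clone in split_stripe(victim):
        try:
            machine.add_fare(clone, add_cents)
            accepted += 1
        except ValueError:
            rejected += 1
    return accepted, rejected, machine.outstanding_cents()


if __name__ == "__main__":
    print("offline machine issues (cents):", run_offline_attack())
    print("ledger machine (accepted, rejected, outstanding cents):", run_ledger_attack())
```

The first clone still succeeds against the ledger machine; the point is that it is the only one that does, and the $40.00 of liability never multiplies. The cost of the fix is that every add-fare machine has to be online to the ledger, and any offline fallback mode reintroduces exactly the behaviour the thieves exploited.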

Posted on July 22, 2008 at 12:29 PM (27 comments)


The Case of the Stolen Blackberry and the Awesome Chinese Hacking Skills

A high-level British government employee had his Blackberry stolen by Chinese intelligence:

The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.

The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning.

That can't look good on your annual employee review.

But it's this part of the article that has me confused:

Experts say that even if the aide’s device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10’s e-mail traffic and text messages.

Um, what? I assume the IT department just turned off the guy's password. Was this nonsense peddled to the press by the UK government, or is some "expert" trying to sell us something? The article doesn't say.

EDITED TO ADD (7/22): The first commenter makes a good point, which I didn't think of. The article says that it's Chinese intelligence:

A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence.

But Chinese intelligence would be far more likely to clone the Blackberry and then return it. Much better information that way. This is much more likely to be petty theft.

EDITED TO ADD (7/23): The more I think about this story, the less sense it makes. If you're a Chinese intelligence officer and you manage to get an aide to the British Prime Minister to have sex with one of your agents, you're not going to immediately burn him by stealing his Blackberry. That's just stupid.

Posted on July 22, 2008 at 10:05 AM (39 comments)


Scary Knife Makes for Great Newspaper Headlines

Who cannot feel a little chill of fear after reading this: "Britain on alert for deadly new knife with exploding tip that freezes victims' organs."

Yes, it's real. The knife is designed for people who need to drop large animals quickly: sharks, bears, etc.

I have no idea why Britain is on alert for it, though.

EDITED TO ADD (7/24): Knife crime is rising in the UK.

Posted on July 21, 2008 at 6:12 AM (61 comments)


Cost/Benefit Analysis of Airline Security

This report, "Assessing the risks, costs and benefits of United States aviation security measures" by Mark Stewart and John Mueller, is excellent reading:

The United States Office of Management and Budget has recommended the use of cost-benefit assessment for all proposed federal regulations. Since 9/11 government agencies in Australia, United States, Canada, Europe and elsewhere have devoted much effort and expenditure to attempt to ensure that a 9/11 type attack involving hijacked aircraft is not repeated. This effort has come at considerable cost, running in excess of US$6 billion per year for the United States Transportation Security Administration (TSA) alone. In particular, significant expenditure has been dedicated to two aviation security measures aimed at preventing terrorists from hijacking and crashing an aircraft into buildings and other infrastructure: (i) Hardened cockpit doors and (ii) Federal Air Marshal Service. These two security measures cost the United States government and the airlines nearly $1 billion per year. This paper seeks to discover whether aviation security measures are cost-effective by considering their effectiveness, their cost and expected lives saved as a result of such expenditure. An assessment of the Federal Air Marshal Service suggests that the annual cost is $180 million per life saved. This is greatly in excess of the regulatory safety goal of $1-$10 million per life saved. As such, the air marshal program would seem to fail a cost-benefit analysis. In addition, the opportunity cost of these expenditures is considerable, and it is highly likely that far more lives would have been saved if the money had been invested instead in a wide range of more cost-effective risk mitigation programs. On the other hand, hardening of cockpit doors has an annual cost of only $800,000 per life saved, showing that this is a cost-effective security measure.

From the body:

Hardening cockpit doors has the highest risk reduction (16.67%) at lowest additional cost of $40 million. On the other hand, the Federal Air Marshal Service costs $900 million pa but reduces risk by only 1.67%. The Federal Air Marshal Service may be more cost-effective if it is able to show extra benefit over the cheaper measure of hardening cockpit doors. However, the Federal Air Marshal Service seems to have significantly less benefit which means that hardening cockpit doors is the more cost-effective measure.

Cost-benefit analysis is definitely the way to look at these security measures. It's hard for people to do, because it requires putting a dollar value on a human life -- something we can't possibly do with our own. But as a society, it is something we do again and again: when we raise or lower speed limits, when we ban a certain pesticide, when we enact building codes. Insurance companies do it all the time. We do it implicitly, because we can't talk about it explicitly. I think there is considerable value in talking about it.

(Note the table on page 5 of the report, which lists the cost per lives saved for a variety of safety and security measures.)
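The two headline figures (about $180 million per life saved for air marshals, about $800,000 for hardened cockpit doors) follow from the annual costs and risk reductions quoted from the report's body once you fix the expected annual loss the measures are applied against. That baseline is not stated anywhere on this page, so the added example below (written for this page, not taken from the report) infers it from the report's own numbers and then recomputes the figures: both measures imply roughly 300 expected fatalities per year absent the measures, which is consistent with, for instance, one 9/11-scale attack per decade, though that reading is my inference, not the report's wording. The risk-reduction values and the $1 to $10 million regulatory goal are the ones quoted above.

```python
# Added example: reproducing the cost-per-life-saved figures from the annual
# cost and risk-reduction numbers quoted on this page. The baseline loss
# (expected fatalities per year absent the measure) is inferred, not quoted.

# name: (annual cost, USD; risk reduction, fraction; cost per life saved as quoted)
MEASURES = {
    "hardened cockpit doors":      (40e6,  0.1667, 800e3),
    "Federal Air Marshal Service": (900e6, 0.0167, 180e6),
}

# Regulatory safety goal quoted in the abstract: $1 to $10 million per life saved.
REGULATORY_GOAL_USD = (1e6, 10e6)


def cost_per_life_saved(annual_cost: float, risk_reduction: float,
                        baseline_lives_per_year: float) -> float:
    """Annual cost divided by the lives the measure is expected to save per
    year, where lives saved = (fraction of risk removed) x (baseline loss)."""
    lives_saved = risk_reduction * baseline_lives_per_year
    return annual_cost / lives_saved


def implied_baseline(annual_cost: float, risk_reduction: float,
                     cost_per_life: float) -> float:
    """Invert the formula: the baseline annual loss that makes the quoted
    cost-per-life figure come out for this measure."""
    return annual_cost / (risk_reduction * cost_per_life)


def infer_baselines() -> dict[str, float]:
    """Baseline loss implied by each measure's quoted figure. If the report's
    numbers are internally consistent these should agree with each other."""
    return {name: implied_baseline(cost, reduction, quoted)
            for name, (cost, reduction, quoted) in MEASURES.items()}


def evaluate(baseline_lives_per_year: float) -> dict[str, tuple[float, bool]]:
    """(cost per life saved, passes the upper end of the regulatory goal)
    for each measure at a given baseline."""
    result = {}
    for name, (cost, reduction, _) in MEASURES.items():
        cpl = cost_per_life_saved(cost, reduction, baseline_lives_per_year)
        result[name] = (cpl, cpl <= REGULATORY_GOAL_USD[1])
    return result


if __name__ == "__main__":
    for name, baseline in infer_baselines().items():
        print(f"{name}: implied baseline ~ {baseline:.0f} lives/year")
    for name, (cpl, ok) in evaluate(300).items():
        verdict = "passes" if ok else "fails"
        print(f"{name}: ${cpl:,.0f} per life saved, {verdict} the $10M goal")
```

Note that the report's own comparison is marginal, not independent: the body quote says the marshal program would only be cost-effective if it showed benefit over and above what the cheaper cockpit-door measure already delivers, so the two risk reductions should not simply be added.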

The final paper will eventually be published in the Journal of Transportation Security. I never even knew there was such a thing.

Posted on July 21, 2008 at 5:53 AM (22 comments)


Friday Squid Blogging: Researching the Reproductive Habits of Giant Squids

I sure want to know more:

Giants have very strange sexual behaviour where the male has a metre-long muscular penis that he uses a bit like a nail gun and shoots cords of sperm under the skin of the female's arms and she carries the sperm around with her until she is ready to lay her big jelly mass of a million eggs.

Posted on July 18, 2008 at 4:05 PM (7 comments)


Funny Radio Skit on Identity Theft

By Mitchell & Webb.

Posted on July 18, 2008 at 1:21 PM (18 comments)


Midazolam as a Non-Lethal Weapon

Did you know that, in some jurisdictions, police can inject midazolam into suspects to subdue them?

"There is no research guideline. There is no validated protocol for this. There's not even a clear set of indications for when this is to be used except when people are agitated. By saying that it's done by the emergency medical personnel, they basically are trying to have it both ways. That is, they’re trying to use a medical protocol that is not validated, not for a police function, arrest and detention," Miles said.

"The decision to administer Versed is based purely on a paramedic decision, not a police decision," Slovis said.

It's up to the officer to call an ambulance and determine if a person is in a condition called excited delirium.

"I don't know if I would use the word diagnosing, but they are assessing the situation and saying, 'This person is not acting rationally. This is something I've been trained to recognize, this seems like excited delirium.' I don't view delirium in the field as a police function. It is a medical emergency. We're giving the drug Versed that's routinely used in thousands of health care settings across the country in the field by trained paramedics. I view what we're doing as the best possible medical practice to a medical emergency," Slovis said.

The biggest side effect is amnesia, which makes it harder for any defendant to defend himself in court.

Posted on July 18, 2008 at 11:28 AM (66 comments)


Powered by Movable Type 3.36. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
