from the Mar 15, 2006 Crypto-Gram Newsletter
by Bruce Schneier
* The Future of Privacy
Wholesale surveillance is a whole new world. It's not "follow that car," it's "follow every car." The National Security Agency can eavesdrop on every phone call, looking for patterns of communication or keywords that might indicate a conversation between terrorists.
More and more, we leave a trail of electronic footprints as we go through our daily lives.
Information about us has value. It has value to the police, but it also has value to corporations.
In the dot-com bust, the customer database was often the only salable asset a company had. Companies like Experian and Acxiom are in the business of buying and reselling this sort of data, and their customers are both corporate and government.
* Face Recognition Comes to Bars
The data will be owned by the bars that collect it. They can choose to erase it, or they can choose to sell it to data aggregators like Acxiom.
It's rarely the initial application that's the problem. It's the follow-on applications. It's the function creep. Before you know it, everyone will know that they are identified the moment they walk into a commercial building. We will all lose privacy, and liberty, and freedom as a result.
* Security, Economics, and Lost Conference Badges
Conference badges are an interesting security token. They can be very valuable
A few years ago, the RSA Conference charged people $100 for a replacement badge, which is far cheaper than a second membership. So the fraud remained.
This year, the RSA Conference solved the problem through economics: "If you lose your badge and/or badge holder, you will be required to purchase a new one for a fee of $1,895.00."
Instead of trying to solve this particular badge fraud problem through security, they simply moved the problem from the conference to the attendee. The badges still have that $1,895 value, but now if it's stolen and used by someone else, it's the attendee who's out the money. As far as the RSA Conference is concerned, the security risk is an externality.
* Data Mining for Terrorists
The basic idea was as audacious as it was repellent: suck up as much data as possible about everyone, sift through it with massive computers, and investigate patterns that might indicate terrorist plots. Americans across the political spectrum denounced the program, and in September 2003, Congress eliminated its funding and closed its offices.
But TIA didn't die. According to "The National Journal," it just changed its name and moved inside the Defense Department.
* Airport Security Failure
At LaGuardia, a man successfully walked through the metal detector, but screeners wanted to check his shoes. But he didn't wait, and disappeared into the crowd.
The entire Delta Airlines terminal had to be evacuated, and between 2,500 and 3,000 people had to be rescreened.
Aside from the obvious security failure -- how did this person manage to disappear into the crowd? -- it's painfully obvious that the overall security system did not fail well. Well-designed security systems fail gracefully, without affecting the entire airport terminal.
* Police Department Privilege Escalation
In the computer security world, privilege escalation means using some legitimately granted authority to secure extra authority that was not intended. This is a real-world counterpart. Even though transit police departments are meant to police their vehicles only, the title -- and the ostensible authority that comes along with it -- is useful elsewhere. Someone with criminal intent could easily use this authority to evade scrutiny or commit fraud.
The real problem is that we're too deferential to police power. We don't know the limits of police authority, whether it be an airport policeman or someone with a business card from the "San Gabriel Valley Transit Authority Police Department."
* Credit Card Companies and Agenda
A guy tears up a credit card application, tapes it back together, fills it out with someone else's address and a different phone number, and sends it in. He still gets a credit card.
* Proof that Employees Don't Care About Security
Employees care about security; they just don't understand it. Computer and network security is complicated and confusing, and unless you're technologically inclined, you're just not going to have an intuitive feel for what's appropriate and what's a security risk. Even worse, technology changes quickly, and any security intuition an employee has is likely to be out of date within a short time.
length: 28:49m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0603.html
Labels: cissp, security