Podcast: Crypto-Gram 15 Apr 2006: Security through Begging
from the Apr 15, 2006 Crypto-Gram Newsletter
by Bruce Schneier
* Airport Passenger Screening
It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. It makes you wonder why we're all putting our laptops in a separate bin and taking off our shoes.
Airport screeners have a difficult job, primarily because the human brain isn't naturally adapted to the task. We're wired for visual pattern matching, and are great at picking out something we know to look for, but we're much less adept at detecting random exceptions in uniform data.
* VOIP Encryption
There are basically 4 ways to eavesdrop on a telephone call:
1) listen in on another phone extension.
2) attach some eavesdropping equipment to the wire with a pair of alligator clips.
3) eavesdrop at the telephone switch.
4) tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc.
That's basically the entire threat model for traditional phone calls.
Phone calls from your computer are fundamentally different from phone calls from your telephone. Internet telephony's threat model is much closer to the threat model for IP-networked computers than the threat model for telephony.
This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not.
Encryption for IP telephony is important, but it's not a panacea. Basically, it takes care of threats No. 2 through No. 4, but not threat No. 1. Unfortunately, that's the biggest threat: eavesdropping at the end points.
* Security through Begging
Surprising news came out that Japanese nuclear secrets leaked out: caused by a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems
* KittenAuth
CAPTCHAs: those distorted pictures of letters and numbers you sometimes see on web forms. GOAL: is to authenticate that there's a person sitting in front of the computer.
The idea is that it's hard for computers to identify the characters, but easy for people to do.
KittenAuth works with images. The system shows you nine pictures of cute little animals, and the person authenticates himself by clicking on the three kittens. A computer clicking at random has only a 1 in 84 chance of guessing correctly.
* New Kind of Door Lock
We know a lot about the vulnerabilities of conventional locks, but we know very little about the security of this system. But don't confuse this lack of knowledge with increased security.
length: 24:21m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0604.html
by Bruce Schneier
* Airport Passenger Screening
It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. It makes you wonder why we're all putting our laptops in a separate bin and taking off our shoes.
Airport screeners have a difficult job, primarily because the human brain isn't naturally adapted to the task. We're wired for visual pattern matching, and are great at picking out something we know to look for, but we're much less adept at detecting random exceptions in uniform data.
* VOIP Encryption
There are basically 4 ways to eavesdrop on a telephone call:
1) listen in on another phone extension.
2) attach some eavesdropping equipment to the wire with a pair of alligator clips.
3) eavesdrop at the telephone switch.
4) tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc.
That's basically the entire threat model for traditional phone calls.
Phone calls from your computer are fundamentally different from phone calls from your telephone. Internet telephony's threat model is much closer to the threat model for IP-networked computers than the threat model for telephony.
This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not.
Encryption for IP telephony is important, but it's not a panacea. Basically, it takes care of threats No. 2 through No. 4, but not threat No. 1. Unfortunately, that's the biggest threat: eavesdropping at the end points.
* Security through Begging
Surprising news came out that Japanese nuclear secrets leaked out: caused by a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems
* KittenAuth
CAPTCHAs: those distorted pictures of letters and numbers you sometimes see on web forms. GOAL: is to authenticate that there's a person sitting in front of the computer.
The idea is that it's hard for computers to identify the characters, but easy for people to do.
KittenAuth works with images. The system shows you nine pictures of cute little animals, and the person authenticates himself by clicking on the three kittens. A computer clicking at random has only a 1 in 84 chance of guessing correctly.
* New Kind of Door Lock
We know a lot about the vulnerabilities of conventional locks, but we know very little about the security of this system. But don't confuse this lack of knowledge with increased security.
length: 24:21m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0604.html
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home