Wednesday, June 24, 2009

Podcast: Crypto-Gram 15 Nov 2005: users, not software manufacturers, pay the price, nothing improves.

from the Nov 15, 2005 Crypto-Gram Newsletter
by Bruce Schneier

* The Security of RFID Passports

RFID chips are passive and broadcast information to any reader that queries the chip: the new passports would reveal your identity without your consent or even your knowledge. Thieves could collect the personal data of people as they walk down a street, criminals could scan passports looking for Westerners to kidnap or rob, and terrorists could rig bombs to explode only when four Americans are nearby. The police could use the chips to conduct surveillance on an individual; stores could use the technology to identify customers without their knowledge.

The RFID industry envisions these chips embedded everywhere.

RFID chips can still be uniquely identified by their radio behavior. Specifically, these chips have a unique identification number used for collision avoidance. This is something buried deep within the chip, and it has nothing to do with the data or application on the chip.

* Liabilities and Software Vulnerabilities

It's the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits.

In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software - extra developers, fewer features, longer time to market - against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales.

The end result is that insecure software is common. But because users, not software manufacturers, pay the price, nothing improves. Making software manufacturers liable fixes this externality.

If end users can sue software manufacturers for product defects, then the cost of those defects to the software manufacturers rises. Manufacturers are now paying the true economic cost for poor software, and not just a piece of it. So when they're balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side. This will provide an incentive for them to make their software more secure.

* Preventing Identity Theft: The Living and the Dead

According to Metacharge, the fastest-growing form of identity theft is not phishing; it is taking the identities of dead people and using them to get credit.

* Banks and Two-Factor Authentication

Two-factor authentication won't stop phishing, because the attackers will simply modify their techniques to get around it.

Nordea bank: paper-based single-use password security system...

* Sony Secretly Installs Rootkit on Computers

Sony lies about its rootkit, claiming that the patch "removes the cloaking technology component" and that "this component is not malicious and does not compromise security."

It does not remove the rootkit.

* The Zotob Worm

Internet epidemics are much like severe weather: they happen randomly, they affect some segments of the population more than others, and your previous preparation determines how effective your defense is.

Zotob was the first major worm outbreak since MyDoom in January 2004. It happened quickly - less than five days after Microsoft published a critical security bulletin.

It wasn't much of a big deal, but it got a lot of play in the press because it hit several major news outlets, most notably CNN.

Length: 24:19m
PS: this is my cheat sheet of Bruce Schneier's podcast.
