Home page logo

isn logo Information Security News mailing list archives

Re: CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001
From: InfoSec News <isn () c4i org>
Date: Wed, 3 Oct 2001 02:20:55 -0500 (CDT)

Forwarded from: Aj Effin Reznor <aj () reznor com>

Pardon the rant.  Since Bruce went down his yellow brick road to the
Land Where Full Disclosure Is Bad, I have been wondering about the
usefulness of a crypto guy functioning as the head of a security

"InfoSec News was known to say....."
Watching the television on September 11, my primary reaction was
Thanks for reminding us that you're human...

supports and collapse the World Trade Center.  It seems probable
that they placed advantageous trades on the world's stock markets
just before the attack.  No one planned for an attack like this.  
We like to think that human beings don't make plans like this.

From what I've gathered since the 11th, this *was* planned for, in a
sense. The scenario was deemed unlikely enough that any preparation
for such an occurance was considered pointless.

It was also a new type of attack.  One of the most difficult
things about a

(This line is important in a minute).

        Airline Security Regulations

Computer security experts have a lot of expertise that can be
applied to the real world.  First and foremost, we have
well-developed senses of what security looks like.  We can tell
the difference between real security and snake oil.  And the new
airport security rules, put in place after September 11, look and
smell a whole lot like snake oil.

"We" computer security experts.

(A) Bruce does crypto, not security.  When he made the cutover, and
rapidly rose to the rank of "expert" is unknown to me.

(B) It's always been said that no one who calls themself an expert in
anything, is.  And chances are the ones who don't, are.
All the warning signs are there: new and unproven security
measures, no real threat analysis, unsubstantiated security
claims.  The ban on cutting

Claims like "full disclosure is bad."  I'd like to see what studies
this ideology is based on.

Parked cars now must be 300 feet from airport gates.  Why?  What
security problem does this solve?  Why doesn't the same problem
imply that passenger drop-off and pick-up should also be that far
away?  Curbside check-in has been eliminated.  What's the threat
that this security measure has solved?  Why, if the new threat is
hijacking, are we suddenly worried about bombs?

Pudding, including proof.  Since this is a new style of hijacking,
then clearly this is all we must concentrate on?  I didn't see people
taking down firewalls just because Code Red & Nimda passed right
through and hit web servers.  No, new threats need to be responded to
without neglecting every previous threat.

Bruce seems to think that just because these guys were so clever, that
they'd never resort back to a simple car bomb parked next to an
airport terminal. No, they'd never go low-tech.  Think: Boxcutters.

The rule limiting concourse access to ticketed passengers is
another one that confuses me.  What exactly is the threat here?  
Hijackers have to be on the planes they're trying to hijack to
carry out their attack, so they have to have tickets.  And anyone
can call Priceline.com and "name their own price" for concourse

Unless they were simply planting a bomb in the luggage compartment.  
You know, like an airport-employed *baggage*handler* would be able to

Bruce is making far too many assumptions which, instead of bordering
on the fanatical are instead bordering on the blind.
Increased inspections -- of luggage, airplanes, airports -- seem
like a good idea, although it's far from perfect.  The biggest
problem here is

Inspection of what, a hijacker?  Until a hijacking occurs, any
terrorist is merely a potential hijacker.  What are these inspections
for that Bruce supports?  Bombs?  The same ones he thinks are a
non-issue now?

Positive bag matching -- ensuring that a piece of luggage does not
get loaded on the plane unless its owner boards the plane -- is
actually a good security measure, but assumes that bombers have
self-preservation as a guiding force.  It is completely useless
against suicide bombers.

Now bombs *are* an issue again!  This waffling is feeling rather

The real point of photo ID requirements is to prevent people from
reselling tickets.  Nonrefundable tickets used to be regularly
advertised in the newspaper classifieds.  Ads would read something
like "Round trip, Boston

This much I agree with.

             Biometrics in Airports

You have to admit, it sounds like a good idea.  Put cameras
throughout airports and other public congregation areas, and have
automatic face-recognition software continuously scan the crowd
for suspected terrorists.  When the software finds one, it alerts
the authorities, who swoop down and arrest the bastards.  Voila,
we're safe once again.

Speaking of snake oil... face recognition!  Is the security expert not
noticing the oil being passed?

security badge that includes a picture that a guard looks at.  
Implemented properly, biometrics can be an effective part of an
access control system.

Excluding cost-prohibitive systems, many can be easily tricked.

Once someone hacks your "code" (print, retinal scan, etc), how do you
*change* it?  'Splain, Lucy!

         Terrorists and Steganography

Guess what?  Al-Qaeda may use steganography.  According to
nameless "U.S.  officials and experts" and "U.S. and foreign
officials," terrorist groups are "hiding maps and photographs of
terrorist targets and posting instructions for terrorist
activities on sports chat rooms, pornographic bulletin boards and
other Web sites."

No Proof.

It doesn't surprise me that terrorists are using this trick.  The

No Proof.

To make it work in practice, the terrorists would need to set up
some sort of code.  Just as Hanssen knew to collect his package
when he saw the chalk mark, a virtual terrorist will need to know
to look for his message. (He can't be expected to search every
picture.)  There are lots of ways to communicate a signal:
timestamp on the message, an uncommon word in the subject line,
etc.  Use your imagination here; the possibilities are limitless.

For once we see the broad imagination and not the narrow focus we saw

Perhaps Bruce is now in his zone again, instead of thinking within an
area where he doesn't seem to be quite as comfortable.  How Bruce
presents himself as a "security expert" is really beyond me...

         Protecting Privacy and Liberty

to provide security on the Internet.  This works; my company
catches attackers -- both outside hackers and insiders -- all the
time.  We do it by monitoring the audit logs of network products:
firewalls, IDSs, routers,

Ah yes, log auditing.  A low-level AI with a human overlord.  Nothing
like retroactive "response".

Valor.  Kimble.  Schneier?!


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]