Darwin's Theories - Security category

Security Theatre, Part n

Thu, 31 Dec 2009 20:35:00 GMT

According to a BBC report on the latest security theatre, airline customers are now to be subject to the following indignities for in-flight entertainment:

Customers to remain seated during final hour of flight;
No access to hand luggage and a ban on leaving possessions or blankets on laps during this hour.

Now I don't know about you, but I don't find this very comforting. The thought of being forced to sit still is inculcated in obedient citizens from kindergarten (a German word meaning roughly "vegetable garden to grow kids"). But at a certain point things like bladder pressure will win out. And what happens if you're in mid-whiz at the one-hour mark? Do you get shot by the air marshall while trying to return to your seat? (Watch the news for this one, folks). The entire process is utterly ridiculous. If the bomber had tried to light his fuse at the 45 minute mark into the flight, who can doubt that they'd ban visiting the toilet between 37 and 52 minutes after takeoff?

Remember the shoe bomber and how airport security made everybody take their shoes off before flight? Didn't stop the next religious fanatic with a fuse to light, did it?

The notion of an allegedly civilized nation dancing its "security" policies in the wind every time there's a real or perceived threat, to so vastly inconvenience its population while at the same time making no difference to the actual terrorists, is so laughable it's earned the term "security theater" - putting on a big show, but doing nothing for actual security.

It's not just me saying so. See Bruce Schnier's many writings on this topic, and his essay The Psychology of Security. Bruce is a well-known cryptology and security researcher; he knows whereof he speaks. TSA, not so much.

Protecting Your Castle

Sun, 21 Dec 2008 16:35:00 GMT

SANS.org has a nice white paper showing how to protect your home network using OpenBSD and other free software. According to the abstract:

"It is possible to clean up the back yard with Free Open Source Software and a little design. Using off the shelf components and Open Source software the family geek can deploy a more multilayered security stance that will provide far more visibility and control over the network. This is not to say that large swaths of the Internet can be cleaned up just by plugging in a box, but to say that if anything should be a safe haven on the internet, it should be the family network, the backyard. It makes sense to clean up the backyard before taking on the world’s trash."

Presumably the same techniques would apply to the average small business. Check it out at http://www.sans.org/reading_room/whitepapers/firewalls/32933.php [PDF].

P.S. According to Bartleby, the quotation in my subtitle, while commonly attributed to William Pitt, comes to us in its present wording from a précis done by Lord Henry Peter Brougham some sixty years later.

It's true what they say about airport security

Sat, 18 Oct 2008 20:41:00 GMT

"Airport security in America is a sham—“security theater” designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items—as our correspondent did with ease..."

There's nothing I can add to this. While you're there, check the other security-related articles on the site.

Linus Just Doesn't Get It

Wed, 16 Jul 2008 17:54:00 GMT

Linux founder Linus Torvalds makes an amazing claim about Linux security (or not) on gmane.kernel.org (I'm not even gonna help pagerank that article by linking to it; search the newsgroup name and the date 2008-07-08). Speaking about security fixes, he says:

... It makes "heroes" out of security people, as if the people who [just]
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just
because there's a lot more of them. I don't think some spectacular
security hole should be glorified or cared about as being any
more "special" than a random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I
can't stand. I think the OpenBSD crowd is a bunch of masturbating
monkeys, in that they make such a big deal about concentrating
on security to the point where they pretty much admit that nothing
else matters to them.

Normal bugs are "way more important" than security to Linus, the guy in charge of Linux? I'm sure gonna think twice before running Linux on anything connected to the Internet. If he'd actually read the OpenBSD security policy document, or any of our presentations at conferences over the years, rather than just calling silly names, he'd know that OpenBSD works on ordinary bugs as a way of preventing security bugs. But I guess it's easier to sit at home pulling on your tool chain and calling people names, than to actually acquaint yourself with the facts. Well done, Linus. Next time I won't even bother recommending Linux as a second choice after OpenBSD.

P.S. As if to prove the point, the next day, security mailing lists were full of this:

Wei Wang discovered that the ASN.1 decoding routines in CIFS and
SNMP NAT did not correctly handle certain length values. Remote
attackers could exploit this to execute arbitrary code or crash
the system. (CVE-2008-1673)

So they have CIFS and SNMP in the Linux kernel, and they haven't checked for overflows? 'Nuff said!

P.P.S: Apparently not enough said! It seems that the esteemed Mr. Torvalds is also implicated in a massive coverup of security bugs (aka attempted "security through obscurity").