Re: CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001

[InfoSec News <isn () c4i org>]

Forwarded from: Aj Effin Reznor <aj () reznor com>

Pardon the rant.  Since Bruce went down his yellow brick road to the
Land Where Full Disclosure Is Bad, I have been wondering about the
usefulness of a crypto guy functioning as the head of a security
company.

"InfoSec News was known to say....."
 
> Watching the television on September 11, my primary reaction was
> amazement.
 
Thanks for reminding us that you're human...

> supports and collapse the World Trade Center.  It seems probable
> that they placed advantageous trades on the world's stock markets
> just before the attack.  No one planned for an attack like this.  
> We like to think that human beings don't make plans like this.

> From what I've gathered since the 11th, this *was* planned for, in a
sense. The scenario was deemed unlikely enough that any preparation
for such an occurance was considered pointless.

 
> It was also a new type of attack.  One of the most difficult
> things about a

(This line is important in a minute).


>         Airline Security Regulations
>
> Computer security experts have a lot of expertise that can be
> applied to the real world.  First and foremost, we have
> well-developed senses of what security looks like.  We can tell
> the difference between real security and snake oil.  And the new
> airport security rules, put in place after September 11, look and
> smell a whole lot like snake oil.

"We" computer security experts.

(A) Bruce does crypto, not security.  When he made the cutover, and
rapidly rose to the rank of "expert" is unknown to me.

(B) It's always been said that no one who calls themself an expert in
anything, is.  And chances are the ones who don't, are.
 
> All the warning signs are there: new and unproven security
> measures, no real threat analysis, unsubstantiated security
> claims.  The ban on cutting

Claims like "full disclosure is bad."  I'd like to see what studies
this ideology is based on.

> Parked cars now must be 300 feet from airport gates.  Why?  What
> security problem does this solve?  Why doesn't the same problem
> imply that passenger drop-off and pick-up should also be that far
> away?  Curbside check-in has been eliminated.  What's the threat
> that this security measure has solved?  Why, if the new threat is
> hijacking, are we suddenly worried about bombs?

Pudding, including proof.  Since this is a new style of hijacking,
then clearly this is all we must concentrate on?  I didn't see people
taking down firewalls just because Code Red & Nimda passed right
through and hit web servers.  No, new threats need to be responded to
without neglecting every previous threat.

Bruce seems to think that just because these guys were so clever, that
they'd never resort back to a simple car bomb parked next to an
airport terminal. No, they'd never go low-tech.  Think: Boxcutters.

> The rule limiting concourse access to ticketed passengers is
> another one that confuses me.  What exactly is the threat here?  
> Hijackers have to be on the planes they're trying to hijack to
> carry out their attack, so they have to have tickets.  And anyone
> can call Priceline.com and "name their own price" for concourse
> access.

Unless they were simply planting a bomb in the luggage compartment.  
You know, like an airport-employed *baggage*handler* would be able to
do.

Bruce is making far too many assumptions which, instead of bordering
on the fanatical are instead bordering on the blind.
 
> Increased inspections -- of luggage, airplanes, airports -- seem
> like a good idea, although it's far from perfect.  The biggest
> problem here is

Inspection of what, a hijacker?  Until a hijacking occurs, any
terrorist is merely a potential hijacker.  What are these inspections
for that Bruce supports?  Bombs?  The same ones he thinks are a
non-issue now?

> Positive bag matching -- ensuring that a piece of luggage does not
> get loaded on the plane unless its owner boards the plane -- is
> actually a good security measure, but assumes that bombers have
> self-preservation as a guiding force.  It is completely useless
> against suicide bombers.

Now bombs *are* an issue again!  This waffling is feeling rather
Clinton-esque!

> The real point of photo ID requirements is to prevent people from
> reselling tickets.  Nonrefundable tickets used to be regularly
> advertised in the newspaper classifieds.  Ads would read something
> like "Round trip, Boston

This much I agree with.

>              Biometrics in Airports
>
> You have to admit, it sounds like a good idea.  Put cameras
> throughout airports and other public congregation areas, and have
> automatic face-recognition software continuously scan the crowd
> for suspected terrorists.  When the software finds one, it alerts
> the authorities, who swoop down and arrest the bastards.  Voila,
> we're safe once again.

Speaking of snake oil... face recognition!  Is the security expert not
noticing the oil being passed?

> security badge that includes a picture that a guard looks at.  
> Implemented properly, biometrics can be an effective part of an
> access control system.

Excluding cost-prohibitive systems, many can be easily tricked.

Once someone hacks your "code" (print, retinal scan, etc), how do you
*change* it?  'Splain, Lucy!


>          Terrorists and Steganography
>
> Guess what?  Al-Qaeda may use steganography.  According to
> nameless "U.S.  officials and experts" and "U.S. and foreign
> officials," terrorist groups are "hiding maps and photographs of
> terrorist targets and posting instructions for terrorist
> activities on sports chat rooms, pornographic bulletin boards and
> other Web sites."

No Proof.

> It doesn't surprise me that terrorists are using this trick.  The
> very

No Proof.

> To make it work in practice, the terrorists would need to set up
> some sort of code.  Just as Hanssen knew to collect his package
> when he saw the chalk mark, a virtual terrorist will need to know
> to look for his message. (He can't be expected to search every
> picture.)  There are lots of ways to communicate a signal:
> timestamp on the message, an uncommon word in the subject line,
> etc.  Use your imagination here; the possibilities are limitless.

For once we see the broad imagination and not the narrow focus we saw
above.

Perhaps Bruce is now in his zone again, instead of thinking within an
area where he doesn't seem to be quite as comfortable.  How Bruce
presents himself as a "security expert" is really beyond me...

>          Protecting Privacy and Liberty
>
> to provide security on the Internet.  This works; my company
> catches attackers -- both outside hackers and insiders -- all the
> time.  We do it by monitoring the audit logs of network products:
> firewalls, IDSs, routers,

Ah yes, log auditing.  A low-level AI with a human overlord.  Nothing
like retroactive "response".


Valor.  Kimble.  Schneier?!


-aj.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.