The views expressed in this entry, as in all entries on my website, represent my personal views alone. They do not necessarily represent the views, policies or standards of my current or any previous employers. No content on my website is promoted or endorsed by my employers. I am a free man, and my thoughts are my own.
In a few weeks both Def Con and Blackhat will be going on, and there’s going to be a lot of media scrutiny for them due to the recent NSA leaks, Snowden and the Aaron Swartz incident. All of that along with the usual announcements of new security tools, exploits, and other goodies.
Not to mention the increasing frequency of people at IT conferences sexually harassing and assaulting other people.
So really, that I even have to sit down and write this blog article to explain how to behave as a human being is frankly insane. But well, a lot of hackers may be considered ‘crazy’ by some standards. So be it.
Hi there. Yes, I know, it’s been 2 years since I last posted something on my website. Mea Culpa, I installed Joomla, I’m not much for website design, been busy, that sort of thing.
So how’s the spouse and kids? Really?! Well congrats, I’m glad to hear that. Except for the part about the restraining order, that’s a shame.
But hey, the real reason why I’m here is to talk about an idea that popped into my head while I was zoning out along I-85 when heading back from a conference earlier this week. Being a responsible adult and all, I tried to keep it down to only the “prayer for judgment” speeds and not “Judge Dredd” speeds. This is easy enough with cruise-control until you suddenly realize there’s a car ahead of you or behind you and you’re not sure if it’s a cop or not. And you don’t have radar detectors because you’re a law-abiding citizen, damn it!
It occurred to me that we have all the technology to build an open source surveillance system for tracking and identifying police cars on the road. Now doing something like this of course requires making sure everything is done legally, and that has to account for differing laws between states and counties. But let’s push that down further into the article and jump into a technical outline of how to do this.
The biggest failure in information security is actually a failure in information technology implementation.
For many, many decades the operating systems and applications that have been made for computers have come with built-in security features. The very idea of a username and password to log into a computer pre-dates home computers by at least a decade, with Multics back in 1964. And it wasn’t the first.
But what has happened over this time is the old “arms race” where the bad guy finds a way around the restrictions put in place, so newer and more elaborate restrictions are put up. More elaborate and complex security systems require more time to set up, more knowledge to implement and a generally higher degree of intelligence.
In the science fiction novel “The Puppet Masters” by Robert A. Heinlein, alien creatures with the ability to connect to humans’ nervous systems invade the Earth. This novel was made into a terrible, horrible movie, so if you have seen the movie but not read the book, please go read the book. And burn any copies of the movie you can get to.
But back to the book. It’s a pretty typical “alien possession” novel by current standards, but it was actually a significant publication in 1951. The aliens themselves are relatively small things with limited mobility (they are dubbed slugs), but can attach themselves to a victim’s neck and hang down the back. The “slug” can then control the human and tap into their memories, while remaining hidden under the clothing. As the novel progresses, the protagonists (Sam and Mary, who both work for a secret intelligence agency of the US) withdraw to the mountains. After being attacked by an alien slug, they return to the city to discover a law has been passed requiring full nudity.
Part of Information Security is not making assumptions. You don’t assume that computer systems are safe, you check them. Even if they were safe when you checked them, you check them again months later to make sure they are still safe. This sort of regular assessment is no different than security guards making regular rounds in an office building late at night. Such as at a bank.
When something suspicious is discovered during a systems check or pentest, you investigate it in order to verify that what was found is what you think it is. Evidence of a server break-in needs to be checked carefully before one goes blurting out “We’ve been hacked!” Just like a bank doesn’t say “We’ve been robbed” because some accounting numbers don’t match up.
Such verification and re-verification on a regular basis can sometimes seem like paranoia. But paranoia is the unreasonable sense of persecution. Banks have ample reason to be concerned about their security, as there is a long and rich history of criminals robbing banks. However, there is a point at which one may indeed have to ask oneself, “Am I being too cautious?”
(This is in response to this Slashdot article, about this gentleman, and the events described in this Wired article.)
I am writing to you as a Senior Information Security Analyst with Northrop Grumman corporation. I am employed with NGC on behalf of the United States Postal Service. I am a CISSP (Computer Information Systems Security Professional) and help protect the IT systems of America’s postal system.
I am writing you about the topic of Christopher Soghoian. This past Friday you called for his arrest due to the creation of the “http://www.dubfire.net/boarding_pass” website.
As you are hopefully aware by now, the security flaw in the TSA boarding methodology is not new. Bruce Schneier, a security expert who has done significant work for the US government, wrote about the exact same flaw in 2003. Senator Charles Schumer made a press release about it in 2005. I myself have been aware of the flaw since I read Bruce Schneier’s article earlier this year. I will repeat myself: It is not new.
It is irresponsible to have continued to ignore a fundamental problem with TSA security in airports for so many years. Mr. Soghoian was irresponsible in putting together a website for public consumption to exploit it. But he was being QUITE responsible in outing this flaw.
Neither you nor the rest of congress should continue to stick your heads in the sand. The TSA is NOT doing their job to the fullest extent necessary. Bruce Schneier has pointed out other problems in TSA security systems before, but has often been ignored.
The US government is passing laws and performing actions that reduce personal freedoms to try and bolster security. That is the wrong path. Security should come at the cost of convenience, not freedom. That way both security and personal freedoms are assured.
Thank you for your time. I look forward to your response.
From this Yahoo! article:
He was sympathetic, but accepted the Transportation Security Administration’s reasons for the ban.
“What are you going to do?” he said. “I guess you have to be safe.”
Amanda Volz, a TSA screener in Minneapolis, said she hoped more travelers would take that attitude Friday.
“There’s some moaning and groaning, and a few people who get angry, but once you explain it to them, they are more lenient about giving it up,” Volz said. “You just try to make them understand that it’s for their safety.”
Lots of things are done for safety. But they aren’t always the best choice, or the most useful. And there’s usually more than one way to make something safe and secure.
If you have never read John Brunner’s novel “The Shockwave Rider”, I strongly recommend you do so at your earliest opportunity. Published in 1975, the novel is a fictional story about a man in a future society dominated by computer networks, corrupt governments and social upheaval. Key to the book’s plot is the division between what information government authorities can access and the information citizens can see.
In many ways the book mirrors the situation we live in today. In fact, “The Shockwave Rider” is so keenly accurate in its predictions that it’s somewhat unnerving (Brunner even coined the term “worm” to refer to a computer program that moves through a network of computers and makes changes). Vast oceans of data exist across societies throughout the world. Databases compiled by corporations, non-profits and governments store meticulous details about all of us. And in our world today there is no data access balance between “regular joes” and those governmental and corporate entities. Because data about people is so especially valuable, that divide represents a power imbalance.