DATA
04-17-2002, 11:46 AM
HI.
Subject:Bruce Schneier on security
>** *** ***** ******* *********** *************
>
> How to Think About Security
>
>
>If security has a silly season, we're in it. After September 11,
every
>two-bit peddler of security technology crawled out of the woodwork
with
>new claims about how his product can make us all safe again. Every
>misguided and defeated government security initiative was dragged out
of
>the closet, dusted off, and presented as the savior of our way of
>life. More and more, the general public is being asked to make
security
>decisions, weigh security tradeoffs, and accept more intrusive
security.
>
>Unfortunately, the general public has no idea how to do this.
>
>But we in computer security do. We've been doing it for years; we do
it
>all the time. And I think we can teach everyone else to do it, too.
What
>follows is my foolproof, five-step, security analysis. Use it to
judge
>any security measure.
>
>Step one: What problem does the security measure solve? You'd think
this
>would be an easy one, but so many security initiatives are presented
>without any clear statement of the problem. National ID cards are a
>purported solution without any clear problem. Increased net
surveillance
>has been presented as a vital security requirement, but without any
>explanation as to why. (I see the problem not as one of not having
enough
>information, but of not being able to analyze and interpret the
>information already available.)
>
>Step two: How well does the security measure solve the problem? Too
>often analyses jump from the problem statement to a theoretical
solution,
>without any analysis as to how well current technology actually solves
the
>problem. The companies that are pushing automatic face recognition
>software for airports and other public places spend all their time
talking
>about the promises of a perfect system, while skipping the fact that
>existing systems work so poorly as to be useless. Enforcing a no-fly
zone
>around a nuclear reactor only makes sense if you assume a hijacker
will
>honor the zone, or if it is large enough to allow reaction to a
hijacker
>who doesn't.
>
>Step three: What other security problems does the measure
>cause? Security is a complex and inter-related system; change one
thing
>and the effects ripple. If the government bans strong cryptography,
or
>mandates back-doors, the resultant weaker systems will be easier for
the
>bad guys to attack. National ID cards require a centralized
>infrastructure that is vulnerable to abuse. In fact, the rise of
identity
>theft can be linked to the increased use of electronic identity. Make
>identities harder to steal through increased security measures, and
that
>will only make the fewer stolen identities more valuable and easier to
use.
>
>Step four: What are the costs of the security measure? Costs are not
>just financial, they're social as well. We can improve security by
>banning commercial aircraft. We can make it harder for criminals to
>outrun police by mandating 40 mph speed maximums in automobiles. But
>these things cost society too much. A national ID card would be
>enormously expensive. The new rules allowing police to detain illegal
>aliens indefinitely without due process cost us dearly in liberty, as
does
>much of the PATRIOT Act. We don't allow torture (officially, at
>least). Why not? Sometimes a security measure, even though it may be
>effective, is not worth the costs.
>
>Step five: Given the answers to steps two through four, is the
security
>measure worth the costs? This is the easy step, but far too often no
one
>bothers. It's not enough for a security measure to be effective. We
>don't have infinite resources. We don't have infinite patience. As a
>society, we need to do the things that make the most sense, that are
the
>most effective use of our security dollar.
>
>Some security measures pass these tests. Increasing security around
dams,
>reservoirs, and other infrastructure points is a good idea. Not
storing
>railcars full of hazardous chemicals in the middle of cities should
have
>been mandated years ago. New building evacuation plans are smart,
>too. These are all good uses of our limited resources to improve
security.
>
>This five-step process works for any security measure, past, present,
or
>future:
>
> 1) What problem does it solve?
> 2) How well does it solve the problem?
> 3) What new problems does it add?
> 4) What are the economic and social costs?
> 5) Given the above, is it worth the costs?
>
>When you start using it, you'd be surprised how ineffectual most
security
>is these days. For example, only two of the airline security measures
put
>in place since September 11 have any real value: reinforcing the
cockpit
>door, and convincing passengers to fight back. Everything else falls
>somewhere between marginally improving security and a placebo.
>
>
>** *** ***** ******* *********** *************
REGARDS Data.
Subject:Bruce Schneier on security
>** *** ***** ******* *********** *************
>
> How to Think About Security
>
>
>If security has a silly season, we're in it. After September 11,
every
>two-bit peddler of security technology crawled out of the woodwork
with
>new claims about how his product can make us all safe again. Every
>misguided and defeated government security initiative was dragged out
of
>the closet, dusted off, and presented as the savior of our way of
>life. More and more, the general public is being asked to make
security
>decisions, weigh security tradeoffs, and accept more intrusive
security.
>
>Unfortunately, the general public has no idea how to do this.
>
>But we in computer security do. We've been doing it for years; we do
it
>all the time. And I think we can teach everyone else to do it, too.
What
>follows is my foolproof, five-step, security analysis. Use it to
judge
>any security measure.
>
>Step one: What problem does the security measure solve? You'd think
this
>would be an easy one, but so many security initiatives are presented
>without any clear statement of the problem. National ID cards are a
>purported solution without any clear problem. Increased net
surveillance
>has been presented as a vital security requirement, but without any
>explanation as to why. (I see the problem not as one of not having
enough
>information, but of not being able to analyze and interpret the
>information already available.)
>
>Step two: How well does the security measure solve the problem? Too
>often analyses jump from the problem statement to a theoretical
solution,
>without any analysis as to how well current technology actually solves
the
>problem. The companies that are pushing automatic face recognition
>software for airports and other public places spend all their time
talking
>about the promises of a perfect system, while skipping the fact that
>existing systems work so poorly as to be useless. Enforcing a no-fly
zone
>around a nuclear reactor only makes sense if you assume a hijacker
will
>honor the zone, or if it is large enough to allow reaction to a
hijacker
>who doesn't.
>
>Step three: What other security problems does the measure
>cause? Security is a complex and inter-related system; change one
thing
>and the effects ripple. If the government bans strong cryptography,
or
>mandates back-doors, the resultant weaker systems will be easier for
the
>bad guys to attack. National ID cards require a centralized
>infrastructure that is vulnerable to abuse. In fact, the rise of
identity
>theft can be linked to the increased use of electronic identity. Make
>identities harder to steal through increased security measures, and
that
>will only make the fewer stolen identities more valuable and easier to
use.
>
>Step four: What are the costs of the security measure? Costs are not
>just financial, they're social as well. We can improve security by
>banning commercial aircraft. We can make it harder for criminals to
>outrun police by mandating 40 mph speed maximums in automobiles. But
>these things cost society too much. A national ID card would be
>enormously expensive. The new rules allowing police to detain illegal
>aliens indefinitely without due process cost us dearly in liberty, as
does
>much of the PATRIOT Act. We don't allow torture (officially, at
>least). Why not? Sometimes a security measure, even though it may be
>effective, is not worth the costs.
>
>Step five: Given the answers to steps two through four, is the
security
>measure worth the costs? This is the easy step, but far too often no
one
>bothers. It's not enough for a security measure to be effective. We
>don't have infinite resources. We don't have infinite patience. As a
>society, we need to do the things that make the most sense, that are
the
>most effective use of our security dollar.
>
>Some security measures pass these tests. Increasing security around
dams,
>reservoirs, and other infrastructure points is a good idea. Not
storing
>railcars full of hazardous chemicals in the middle of cities should
have
>been mandated years ago. New building evacuation plans are smart,
>too. These are all good uses of our limited resources to improve
security.
>
>This five-step process works for any security measure, past, present,
or
>future:
>
> 1) What problem does it solve?
> 2) How well does it solve the problem?
> 3) What new problems does it add?
> 4) What are the economic and social costs?
> 5) Given the above, is it worth the costs?
>
>When you start using it, you'd be surprised how ineffectual most
security
>is these days. For example, only two of the airline security measures
put
>in place since September 11 have any real value: reinforcing the
cockpit
>door, and convincing passengers to fight back. Everything else falls
>somewhere between marginally improving security and a placebo.
>
>
>** *** ***** ******* *********** *************
REGARDS Data.