Many homeland security experts preach against the approach to airport security taken by the TSA. The TSA's mitigation efforts focus primarily on specific tactics that terrorists may use, rather than on more generalized, more effective measures, such as intelligence. Airline security, according to those who oppose the TSA's approach, should be in effect long before the terrorist reaches the airport. All existing mechanisms, such as scanning shoes, banning liquids, etc., are a waste of time and money and punish only the innocent.
I generally agree, but I do so with mixed emotions.
I was interviewed (by e-mail) for a project that preferred to remain undisclosed, on the future of secure content distribution. Enclosed are the (slightly modified) questions and answers.
A while ago the iPhone was hacked so as to make it usable on networks other than AT&T's.
Since that moment, many opinions have been voiced on how Apple could have done its security better and how the hack could have been eliminated. Moreover, some of the industry's security experts went to their desks to work out a stronger mechanism that could save the gigantic firm from such embarrassments in the future.
An obvious question comes up: couldn't Apple, with its $167 billion market cap, afford to pay some good security designers to protect its assets on the iPhone?
Last July, an interesting post appeared in Bruce Schneier's blog. It's called: Airport Security: Israel vs. the United States. It discusses the difference between airport security in Israel and in the U.S. The post quotes evidence showing that the airport security in Israel is based more on interrogation and less on mechanical scanning. Mr. Schneier commented:
Regularly I hear people talking about Israeli airport security, and asking why we can't do the same in the U.S. The short answer is: scale. Israel has 11 million airline passengers a year; there are close to 700 million in the U.S. Israel has seven airports; the U.S. has over 400 “primary” airports — and who knows how many others. Things that can work there just don't scale to the U.S.
I do not generally buy this.
No one who follows DRM news could have missed this: Report: RIP DRM, as Last Major Label Plans to Ditch Restrictions:
In a move certain to rock the distribution of digital music, Sony BMG is in the midst of finalizing plans to begin offering at least part of its downloadable music catalog DRM-free, according to BusinessWeek.com. This makes Sony BMG the last of the Big Four record labels to cave on digital rights management schemes designed to restrict the distribution of music via peer-to-peer networks.
I was asked more than once: What can prevail, if DRM cannot?
Lately I have been occupied once again with the specification of a security system as part of a standards committee. The identity of this standards body really does not matter. What does matter is that the process, just like its outcome, never improved.
There is a problem with security systems that are standardized by committees. Perhaps not every committee, but those committees that are democratic in nature. Democracy is good, all in all, but it doesn't serve the design of security products well; at least not when it comes to design done by many individuals with different agendas.
It is easy to see why.
Most vendors selling security software that deals with removable devices or with flash storage media such as Disk-On-Key (DoK) provide the functionality of file wiping (often called shredding) from the removable medium. This feature allows the user to erase sensitive files that are no longer needed, in a way that (presumably) prevents them from ever being recovered, even if forensics gear is involved.
I find file wiping to be a useful function. Software that permanently destroys files has been available on PCs since the early '80s and has always been handy. File encryption utilities also use file wiping to remove the original plaintext file after encrypting it.
The one concern I have is about the reliability of these tools when they run against particular files that are stored on flash memory, such as USB DoK or SD cards.