
Posts in 'Security policies' category

Twitter Terrorists -- Come On...

I could not miss this one in Wired.com.

Then the presentation launches into an even-more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, “Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention,” the report notes. “The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time.”

It seems as if people are making an effort to sound the alarm about just about anything. Twitter? Twitter is merely an application that facilitates instant messaging, like tons of others. Whatever can be done with Twitter can also be done with IRC, web chat rooms, shout boxes (those little frames on websites that display whatever guests to the website write in them), and so on.

Yes, someone evil can use Twitter to pass messages to other evil people in the field, but the ability to pass instant messages along is a “problem” of ubiquitous network technologies, not of this or that particular product. Singling out one service does nothing to the underlying capability; the same messages move just as well over any other channel.

The TSA Does Not Get It Completely Wrong

Many homeland security experts preach against the approach to airport security taken by the TSA. The TSA’s mitigation efforts focus primarily on specific tactics that terrorists may use, rather than on more generalized, and more effective, measures such as intelligence. Airline security, according to those opposing the TSA’s measures, should take effect long before the terrorist reaches the airport. All the existing mechanisms, such as scanning shoes, banning liquids, etc., are a waste of time and money and punish only the innocent.

I generally agree, but I do so with mixed emotions.

Continue reading "The TSA Does Not Get It Completely Wrong"

Airport Security: Israel vs. the United States

Last July, an interesting post appeared on Bruce Schneier’s blog. It’s called Airport Security: Israel vs. the United States, and it discusses the difference between airport security in Israel and in the U.S. The post quotes evidence showing that airport security in Israel is based more on interrogation and less on mechanical scanning. Mr. Schneier commented:

Regularly I hear people talking about Israeli airport security, and asking why we can’t do the same in the U.S. The short answer is: scale. Israel has 11 million airline passengers a year; there are close to 700 million in the U.S. Israel has seven airports; the U.S. has over 400 “primary” airports — and who knows how many others. Things that can work there just don’t scale to the U.S.

I do not generally buy this.

Continue reading "Airport Security: Israel vs. the United States"

Last Major Label Plans to Ditch DRM Restrictions

No one who follows DRM news could have missed this: Report: RIP DRM, as Last Major Label Plans to Ditch Restrictions:

In a move certain to rock the distribution of digital music, Sony BMG is in the midst of finalizing plans to begin offering at least part of its downloadable music catalog DRM-free, according to BusinessWeek.com. This makes Sony BMG the last of the Big Four record labels to cave on digital rights management schemes designed to restrict the distribution of music via peer-to-peer networks.

I was asked more than once: if DRM cannot prevail, what can?

Continue reading "Last Major Label Plans to Ditch DRM Restrictions"

Making Standardization Committees Build More Secure Products

Lately I have been occupied once again with the specification of a security system as part of a standards committee. The identity of this standards body really does not matter. What does matter is that the process, just like its outcome, has not improved.

There is a problem with security systems that are standardized by committees. Perhaps not every committee, but certainly those committees that are democratic in nature. Democracy is good, all in all, but it does not serve the design of security products well; at least not when the design is done by many individuals with different agendas.

It is easy to see why.

Continue reading "Making Standardization Committees Build More Secure Products"

Survey About DRM Acceptance

About a month late, I got to see this news item about a survey whose conclusion is that people are finally getting used to DRM.

Among other things, it says that:

The overall messages from these studies are: higher-priced DRM-free downloads resonate with a percentage of consumers but not a very large one; …

and specifically that:

the EMR/Olswang study found that only 43% would prefer “paying a little extra” for DRM-free tracks; and the In-Stat study found that only 19% would be willing to pay 30% more for a DRM-free track, as opposed to 29% who would not (44% said that it depends on other factors).

So, on the face of it, it seems that people are starting not to care much whether their content is DRM-crippled; at least that is what the article implies. It also compares these statistics to those of a survey done years ago that presumably reflected more hostility towards DRM.

However, before I got the chance to be amazed enough at the outcome, I bumped into a seemingly unrelated observation of that same survey…

Continue reading "Survey About DRM Acceptance"

Countermeasures That Can't Be Modeled

A couple of nights ago I drove back from some family event and got pulled over by a cop. Okay, I agree that this in itself is not worth a blog post. The cop asked me to open the window, looked at me, asked me where I was coming from and where I was going, and sent me on my way, without even bothering to carry out the standard papers check. The entire event took no longer than two minutes.

What took more than two minutes was my discussion with my wife about whether or not this sort of “examination” is worth anything. She believes it is probably a waste of taxpayers’ money to stop people just to ask them how they are doing. I happen to think not only that this is not a waste of money, but that it is probably one of the most effective uses for this money; at least for the money that is devoted to security.

Continue reading "Countermeasures That Can't Be Modeled"

DHS wants DNSSEC keys -- so what?

The Department of Homeland Security (DHS) wants to hold the root master keys of DNSSEC. Whoever holds the root key can sign arbitrary root-zone data, so a resolver that validates against that key would accept fake DNS responses as genuine, provided the forged records can be injected into the resolution path. Read all about it at:

Homeland Security grabs for net’s master keys
Department of Homeland and Security wants master key for DNS

It caused quite a lot of fuss. I agree with the political feeling of discomfort, but I somehow cannot understand the threat that some people attribute to this.

Continue reading "DHS wants DNSSEC keys -- so what?"

Is more security always better?

This depends on who you ask. Some people think that the more secure a system is, the better, with no exceptions. This school of thought is often attributed to product vendors. It helps them believe (and thus convince others) that their product is a great buy, regardless of the situation. This approach is also common among information security newbies who believe that an additional requirement or mechanism can only make you more resistant, not less, and thus is always worth adding. The fancier of these guys call it an additional “layer”, so they sound more confident.

My tone so far probably gives away that I disagree. Making a system or a network more secure is sometimes worthwhile and sometimes it is not.

Continue reading "Is more security always better?"

Today's Credit Card Fraud Prevention -- Throwing The Baby With The Bathwater?

E-commerce, and credit cards in particular, are generally considered to have succeeded in overcoming the big problem of fraud. All too often, when a new security mechanism is presented to combat credit card fraud, its opponents claim that fraud in credit card transactions is already mitigated to an adequate extent. This does not seem to be a false claim, as we do not see Visa, Mastercard, or American Express going bankrupt due to fraud. The fraud figures are not too bad either, considering the fact that no state-of-the-art mechanism has yet been deployed for the masses.

However, trying to make an online purchase recently made me lose any respect I had for the so-called anti-fraud mechanisms that are used today.

Continue reading "Today's Credit Card Fraud Prevention -- Throwing The Baby With The Bathwater?"