Archive for the Security Category

Bruce Schneier has a story on a new Internet threat, Storm: a worm, a Trojan horse and a bot all rolled into one. The details of this new threat are thrilling and the article is well worth reading.

http://www.wired.com/politics/security/commentary/securitymatters/2007/10/securitymatters_1004

I have just arrived from the local photo shop (Profi Foto), where I wanted to print several of my vacation photos. I am still stunned at how difficult it is for some people to get security measures right. Here is why:

Armed with a USB flash drive, I went to the photo shop and asked the clerk to print my photos. She refused to take my order, saying that they were forbidden to insert customers' USB flash drives into their PCs, as they might contain viruses. She added that some computers had been infected at two of their other locations, so the management had decided that all photo shops in the chain would refuse USB flash drives. I asked how I could then bring the photos to their shop and have them printed, and the answer was: CD, DVD or SD card.

Now I wonder who services the computers at Profi Foto? The alleged professional who advised them to ban USB flash drives certainly has no knowledge of how malware spreads. How is a CD different from a USB drive from the storage point of view? How is an SD card any different? They are all mass storage devices, they carry a file system (be it FAT, FAT32 or NTFS) and they are all readable by a Windows machine, regardless of their manufacturing technology (although SD cards and USB drives both do use… flash memory). Most importantly, they can all carry malware, regardless of their form factor and storage capacity.
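The practical consequence of the paragraph above is that an intake policy should look at what a volume contains, not at the shape of the device it arrived on. The following script is an added example (not code from the original post or from Profi Foto): it walks a mounted volume, whatever the media type, and flags content a photo print job never needs, namely Windows executables recognised by their "MZ" header rather than by extension, script files, and a top-level autorun.inf, which older Windows versions honoured on removable media. The sample volume, the file names and the accepted-extension lists are all constructed for the example.

```python
"""
Media-type-agnostic intake check for a customer volume (added example).
A CD, a DVD, an SD card and a USB stick are all just mass storage with a
file system on it, so this walks the mounted path and classifies files by
content and extension. The sample volume is constructed in a temp directory.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Extensions a photo print job never needs (constructed policy list).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".pif"}
PHOTO_EXTENSIONS = {".jpg", ".jpeg", ".png", ".tif", ".tiff", ".bmp", ".gif"}


@dataclass
class ScanReport:
    photos: list = field(default_factory=list)
    executables: list = field(default_factory=list)  # files starting with the PE "MZ" magic
    scripts: list = field(default_factory=list)
    autorun: bool = False                            # autorun.inf found in the volume root

    @property
    def acceptable(self) -> bool:
        """Media is accepted for printing only if nothing executable was found."""
        return not (self.executables or self.scripts or self.autorun)


def is_pe_file(path: str) -> bool:
    """Check the first two bytes for the DOS/PE 'MZ' signature, ignoring the extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_volume(mount_point: str) -> ScanReport:
    """Walk a mounted volume (USB, SD, CD: it does not matter) and classify its files."""
    report = ScanReport()
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf" and root == mount_point:
                report.autorun = True
            if is_pe_file(path):
                report.executables.append(rel)
            elif ext in SCRIPT_EXTENSIONS:
                report.scripts.append(rel)
            elif ext in PHOTO_EXTENSIONS:
                report.photos.append(rel)
    return report


def build_sample_volume() -> str:
    """Constructed sample: two photos, an executable renamed as a photo, and an autorun.inf."""
    base = tempfile.mkdtemp(prefix="media_")
    os.makedirs(os.path.join(base, "DCIM"))
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JPEG SOI marker plus padding
    for name in ("IMG_0001.jpg", "IMG_0002.jpg"):
        with open(os.path.join(base, "DCIM", name), "wb") as fh:
            fh.write(jpeg_header)
    # An executable disguised with a photo extension: the MZ header gives it away.
    with open(os.path.join(base, "DCIM", "IMG_0003.jpg"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 30)
    with open(os.path.join(base, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nlabel=Holiday photos\n")
    return base


if __name__ == "__main__":
    volume = build_sample_volume()
    result = scan_volume(volume)
    print("photos:", result.photos)
    print("executables:", result.executables)
    print("scripts:", result.scripts)
    print("autorun.inf present:", result.autorun)
    print("accept media for printing:", result.acceptable)
```

The same function applies unchanged whether the mount point is a USB stick, an SD card reader or a CD drive, which is the whole point: the decision rests on the file system contents, not on the connector. Checking the first bytes rather than the extension is what catches the third "photo" in the sample.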

My story has a happy end, as the lady at Profi Foto dutifully listened to my plea and decided to trust me. She understood my points and even invited me to insert the flash drive into the USB slot myself. Well, if I were to run the shop, I would offer her the job of their "genius" service guy :)

If security is a topic that interests you, you may be trapped within the "computing security mind-set", that is, you may think about security only in the context of computers. Security in general is a multi-faceted term which is not necessarily tied to computers. Having read several of Bruce Schneier's books (the most recent of which is Beyond Fear, ISBN 978-0387026206) and after giving the issue some thought of my own, I came to realize that security is indeed part of our day-to-day life and that we constantly make security trade-offs.

Security decisions are usually taken in order to protect a certain objective. We lock the door in order to protect our possessions; we install antivirus software in order to protect the programs and the data on our computers; and we read newspapers in order to keep up with the latest happenings. All of these are security trade-offs: we lock the door, but we have the inconvenience of carrying the key around; we install antivirus software, but the system is somewhat slowed down. Finally, we read newspapers at the expense of the subscription and the time it takes to read them. These are trade-offs.

Trade-offs are almost never black or white. It all depends on the lengths one is willing to go to in order to accomplish a specific goal and on the intrinsic value of the objective being protected. For instance, my house has a regular door, with no special properties, which should protect against most burglars. Installing an expensive door with all the fancy features out there would make little sense here, unless perhaps I needed to protect a valuable collection of paintings. Similarly, I am willing to install one antivirus product, but there's nothing you can do to convince me to install two at the same time (okay, the example is a bit unrealistic, as two antivirus programs would most likely collide in some odd way).

Here is a real-world example of what I consider to be a security trade-off. In my recent trip to Greece, I booked a room at a nice hotel (Roda Garden Village, north of Corfu Island). The room was nice and cozy and had a system for saving on electricity, described below:

The power in the room was switched on by inserting a metallic strip attached to the key into the EnerCard device (see image below). When the strip was inserted into the slot, the power would go on instantly. The system could not be easily fooled, as inserting objects such as sheets of paper or cardboard into the slot did not trigger the power. Nice.

To increase its efficiency, the air conditioning unit was further controlled by a magnetic sensor placed on the balcony door. So, even though I had power in the room, I had to keep the door closed for the air conditioning unit to work.

If you are like me, trying to spot weaknesses in anything, you may have guessed already that I found a workaround that completely circumvented the power economizer. It's more mundane than you might think. Since the EnerCard device needed the metal strip that was attached to the room key, and I wanted the key with me while out of the room, I simply detached the key from its metal strip. I didn't even force the two objects apart; I simply used my fingers. Voila, we have power in the room while the key itself is in my pocket. Next in line was the air conditioning unit. I noticed that the balcony door actually consisted of two twin doors opening to the sides. However, the magnetic sensor was placed on only one door, which basically allowed half of the door to be opened while still letting the air conditioning unit run.

If you are wondering how this relates to security trade-offs, remember that the designer was trying to reduce the electricity bill incurred by the average hotel guest. Securing the system harder (for instance by using a solid connection between the key and the metal strip and by using two magnetic sensors, one for each door) would probably have rendered my efforts useless, but the added cost multiplied by the number of rooms would have added up. Now, the designer may either have put little thought into the economizer system, leaving it flawed, or may have reached a judiciously thought-out trade-off. You judge.

The draconian security measures enforced in airports throughout the world may not be as effective as the officials want. We are banned from bringing box cutters and a few drops of liquid on board, but terrorists aren't stupid. They will find new ways to circumvent the security measures because they are adaptable. The people in charge of "thinking security" are not.

The lack of proper security practices is obvious. People tend to concentrate on countering events that are rare, extraordinary, vivid and well publicized. For instance, in 2003 Attorney General John Ashcroft claimed that there had been no terrorist attacks in the two years after 9/11 and that this proved that his policies worked. However, Bruce Schneier wonders why there were no terrorist attacks in the two years before 9/11, when no such policies were in effect.

The skit I wanted to show you is about how ineffective security measures are in airports. It was aired on "Saturday Night Live". Play it and see for yourself whether this joke may already be the truth.
