Keep secure


Answers from an expert on the changing face of computer security

Security expert Bruce Schneier answered questions through the Freakonomics blog. There are some great answers and comments on those answers. Here are a few that just jumped out at me. Emphasis added.

Identity verification will continue to be the hodge-podge of systems we have today. You’re recognized by your face when you see someone you know; by your voice when you talk to someone you know. Open your wallet, and you’ll see a variety of ID cards that identify you in various situations — some by name and some anonymously. Your keys “identify” you as someone allowed in your house, your office, your car. I don’t see this changing anytime soon, and I don’t think it should. Distributed identity is much more secure than a single system. I wrote about this in my critique of REAL ID.

<snip>

...More and more, your data isn’t under your direct control. Your e-mail is at Google, Hotmail, or your local ISP. Online merchants like Amazon and eBay have records of what you buy, and what you choose to look at but not buy. Your credit card company has a detailed record of where you shop, and your phone company has a detailed record of who you talk to (your cell phone company also knows where you are). Add medical databases, government databases, and so on, and there’s an awful lot of data about you out there. And data brokers like ChoicePoint and Acxiom collect all of this data and more, building up a surprisingly detailed picture on all Americans.

As you point out, one problem is that these commercial and government organizations don’t take good care of our data. It’s an economic problem: because these parties don’t feel the pain when they lose our data, they have no incentive to secure it. I wrote about this two years ago, stating that if we want to fix the problem, we must make these organizations liable for their data losses. Another problem is the law; our Fourth Amendment protections protect our data under our control — which means in our homes, in our cars, and on our computers. We don’t have nearly the same protection when we give our data to some other organization for use or safekeeping.

That being said, there’s a lot you can do to secure your own data. I give a list here.

<snip>

Social engineering will always be easy, because it attacks a fundamental aspect of human nature. As I said in my book, Beyond Fear, “social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what she wants.”

The trick is to build systems that the user cannot subvert, whether by malice, accident, or trickery. This will also help with the other problem you list: convincing individuals to take organizational security seriously. This is hard to do, even in the military, where the stakes are much higher.

<snip>

Brief note from NeoWayland: I've recently bought the third season of Veronica Mars on DVD, great series. Most of the tactics used by Veronica Mars and her P.I. father are based heavily on social engineering and are only one or two steps further than what most people would do.

There’s a huge difference between nosy neighbors and cameras. Cameras are everywhere. Cameras are always on. Cameras have perfect memory. It’s not the surveillance we’ve been used to; it’s wholesale surveillance. I wrote about this here, and said this: “Wholesale surveillance is a whole new world. It’s not ‘follow that car,’ it’s ‘follow every car.’ The National Security Agency can eavesdrop on every phone call, looking for patterns of communication or keywords that might indicate a conversation between terrorists. Many airports collect the license plates of every car in their parking lots, and can use that database to locate suspicious or abandoned cars. Several cities have stationary or car-mounted license-plate scanners that keep records of every car that passes, and save that data for later analysis.

“More and more, we leave a trail of electronic footprints as we go through our daily lives. We used to walk into a bookstore, browse, and buy a book with cash. Now we visit Amazon, and all of our browsing and purchases are recorded. We used to throw a quarter in a toll booth; now EZ Pass records the date and time our car passed through the booth. Data about us are collected when we make a phone call, send an e-mail message, make a purchase with our credit card, or visit a Web site.”

What’s happening is that we are all effectively under constant surveillance. No one is looking at the data most of the time, but we can all be watched in the past, present, and future. And while mining this data is mostly useless for finding terrorists (I wrote about that here), it’s very useful in controlling a population.

Great stuff and worth your time.

— NeoWayland

Posted: Sat - December 8, 2007 at 01:10 PM


Pagan Vigil "Because LIBERTY demands more than just black or white"
© 2005 - 2009 All Rights Reserved