Sunday, August 15, 2004

August Crypto-Gram highlights

It's the 15th again, and that means (as kiddies go "yay!") it's time for your Crypto-Gram highlights...

  • If you hear a flight attendant talking about a "Bob" while on board a flight, you now know what (s)he's really saying:

    Last Tuesday's bomb scare contains valuable security lessons, both good and bad, about how to achieve security in these dangerous times. Ninety minutes after taking off from Sydney Airport, a flight attendant on a United Airlines flight bound for Los Angeles found an airsickness bag -- presumably unused -- in a lavatory with the letters "BOB" written on it. The flight attendant decided that the letters stood for "Bomb On Board" and immediately alerted the captain, who decided the risk was serious enough to turn the plane around and land back in Sydney.

    Even a moment's reflection is enough to realize that this is an extreme overreaction to a nonexistent threat. "Bob" is common flight attendant jargon for "babe on board" or "best on board," as in: "Look at that Bob in seat 7A." United Airlines apparently also uses it for some domestic U.S. flights to mean "Buy on Board" -- meals aren't provided gratis, but if you want one you must buy it. And even if it weren't, there's absolutely no reason to think that "BOB" is not just someone's name, written on the airsickness bag sometime in the past and left in the lavatory by a passenger who didn't even realize it. Why in the world would someone decide that out of all the possible meanings that "BOB" scribbled on an airsickness bag could have, its presence on this particular airsickness bag on this particular flight must mean "Bomb On Board"?

  • Wireless networking is really insecure. Will the day of reckoning ever come? It's gotten one small step closer, at least for Bluetooth and 802.11.

  • The Bush Administration, working hard, each and every day, to fulfill its promise never to stop thinking about new ways to harm our country.

  • The UW IMA (sports activities center) has a poster next to the Internet terminal (which I never use, but it's right by the big workout room) that warns of date rape drugs. Schneier deflates this bit of security theater:

    GHB is gamma hydroxybutyric acid; a date rape drug. An attacker (presumably male) slips the drug into a woman's drink, and then rapes her after the effects of the drug set in. Not a common attack -- there are fewer than 40 reported cases in the U.S. each year -- but horrible when it happens. (To be fair, this number is widely believed to be an underestimate, but it seems clear that it's a small fraction of all rapes.)

    One suggested countermeasure is that women carry their own bottle opener into a bar, and make sure that no one else handles their opened drink. ...

    ...[deletia]...

    As with the threat of drugs or razors in Halloween candy (which, unlike GHB, is almost completely phony), risk assessment is often based on scariness rather than prevalence. That is, people are having an emotional reaction to the threat rather than a realistic one. And they end up with a countermeasure that makes no sense from a security analysis perspective, but a lot of sense from an emotional analysis perspective.

    Sure, carrying a bottle opener is easy. But the constant vigilance that this countermeasure requires is not. And someone so focused on this countermeasure is more likely to ignore other threats.

    There are 5,000 deaths every year from food-borne illnesses, but nobody refuses to take unwrapped food from restaurants, or insists on inspecting the kitchen and watching their food being prepared.

    Schneier also notes that the test strips that some people are selling don't work, at least for ketamine.

  • Schneier writes about a boneheaded program whereby Houston will allow men to ride around airports, in manly fashion, on their horsies:
  • Want to help fight terrorism? Want to be able to stop and detain suspicious characters? Or do you just want to ride your horse on ten miles of trails normally closed to the public? Then you might want to join the George Bush Intercontinental (IAH) Airport Rangers program. That's right. Just fill out a form and undergo a background check, and you too can become a front-line fighter as Houston's airport tries to keep our nation safe and secure. No experience necessary. You don't even have to be a U.S. citizen.

    No, it's not a joke. The Airport Rangers program is intended to promote both security and community participation, according to the official description. It's a volunteer mounted patrol that rides horses along the pristine wooded trails that form the perimeter of the 11,000-acre airport.

    Security is far more effective when it's based on well-trained smart people, instead of on rote-trained people checking photo IDs and X-ray machine screens, or implementing database-driven profiling. The idea of trained guards patrolling a secure perimeter is a good one. But as a security professional, I see two major problems with the program as described.

    The first is the lack of training. ...[deletia]...

    The second is the new security vulnerability that this program creates. The perimeter around the airport used to be a no-man's-land; anyone on the property was immediately suspicious. Now there is a group of people allowed around the airport perimeter. How do you tell the difference between someone who is allowed and someone who isn't? A photo ID, one you might glance at from ten feet away, is easily forgeable. And since all Rangers are on horseback, if you have a horse and you're Western-looking, you probably are going to be automatically trusted. Is the airport safer, or more at risk, because of this program? The answer isn't obvious.

    IMO Schneier is still not hard enough on this program. Given the fiscal tendencies and anti-government ideology of the ruling clique in Texas, this strikes me as a scheme to "improve" airport security on the cheap, without having to pay actual professionals who might, you know, know what they're doing. And the security vulnerability introduced by the system seems pretty serious.

  • A regular Crypto-Gram feature is "The Doghouse", wherein Schneier discusses some fraudulent or simply idiotic security product, measure, or company. Last month he pointed to ICS Atlanta (note: server currently down) which peddles a "virtually unbreakable" encryption product, based on an undisclosed algorithm that "uses no math" and "does not use a 'key'". Yes, that's right --- a computer program that encrypts text with "no math". That was pretty funny.

    Little did I know that the fun was just beginning.

    This month, Schneier got an email from ICS Atlanta's Ken Lavender, who states: "I am APPAULED at your 'comments' that you had made on your website," and goes on to make a totally entertaining ass out of himself. Read the last entry in the reader comments section.

No comments:

Post a Comment