-- Eugen* Leitl <a href="http://www.lrz.de/~ui22204/">leitl</a> ______________________________________________________________ ICBMTO: N48 04'14.8'' E11 36'41.2'' http://www.lrz.de/~ui22204 57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3 ---------- Forwarded message ---------- Date: Wed, 3 Oct 2001 02:20:55 -0500 (CDT) From: InfoSec News To: isn@attrition.org Subject: Re: [ISN] CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001 Forwarded from: Aj Effin Reznor Pardon the rant. Since Bruce went down his yellow brick road to the Land Where Full Disclosure Is Bad, I have been wondering about the usefulness of a crypto guy functioning as the head of a security company. "InfoSec News was known to say....."

Watching the television on September 11, my primary reaction was amazement.

Thanks for reminding us that you're human...

supports and collapse the World Trade Center. It seems probable that they placed advantageous trades on the world's stock markets just before the attack. No one planned for an attack like this. We like to think that human beings don't make plans like this.

From what I've gathered since the 11th, this *was* planned for, in a sense. The scenario was deemed unlikely enough that any preparation for such an occurance was considered pointless.

It was also a new type of attack. One of the most difficult things about a

(This line is important in a minute).

Airline Security Regulations

Computer security experts have a lot of expertise that can be applied to the real world. First and foremost, we have well-developed senses of what security looks like. We can tell the difference between real security and snake oil. And the new airport security rules, put in place after September 11, look and smell a whole lot like snake oil.

"We" computer security experts. (A) Bruce does crypto, not security. When he made the cutover, and rapidly rose to the rank of "expert" is unknown to me. (B) It's always been said that no one who calls themself an expert in anything, is. And chances are the ones who don't, are.

All the warning signs are there: new and unproven security measures, no real threat analysis, unsubstantiated security claims. The ban on cutting

Claims like "full disclosure is bad." I'd like to see what studies this ideology is based on.

Parked cars now must be 300 feet from airport gates. Why? What security problem does this solve? Why doesn't the same problem imply that passenger drop-off and pick-up should also be that far away? Curbside check-in has been eliminated. What's the threat that this security measure has solved? Why, if the new threat is hijacking, are we suddenly worried about bombs?

Pudding, including proof. Since this is a new style of hijacking, then clearly this is all we must concentrate on? I didn't see people taking down firewalls just because Code Red & Nimda passed right through and hit web servers. No, new threats need to be responded to without neglecting every previous threat. Bruce seems to think that just because these guys were so clever, that they'd never resort back to a simple car bomb parked next to an airport terminal. No, they'd never go low-tech. Think: Boxcutters.

The rule limiting concourse access to ticketed passengers is another one that confuses me. What exactly is the threat here? Hijackers have to be on the planes they're trying to hijack to carry out their attack, so they have to have tickets. And anyone can call Priceline.com and "name their own price" for concourse access.

Unless they were simply planting a bomb in the luggage compartment. You know, like an airport-employed *baggage*handler* would be able to do. Bruce is making far too many assumptions which, instead of bordering on the fanatical are instead bordering on the blind.

Increased inspections -- of luggage, airplanes, airports -- seem like a good idea, although it's far from perfect. The biggest problem here is

Inspection of what, a hijacker? Until a hijacking occurs, any terrorist is merely a potential hijacker. What are these inspections for that Bruce supports? Bombs? The same ones he thinks are a non-issue now?

Positive bag matching -- ensuring that a piece of luggage does not get loaded on the plane unless its owner boards the plane -- is actually a good security measure, but assumes that bombers have self-preservation as a guiding force. It is completely useless against suicide bombers.

Now bombs *are* an issue again! This waffling is feeling rather Clinton-esque!

The real point of photo ID requirements is to prevent people from reselling tickets. Nonrefundable tickets used to be regularly advertised in the newspaper classifieds. Ads would read something like "Round trip, Boston

This much I agree with.

Biometrics in Airports

You have to admit, it sounds like a good idea. Put cameras throughout airports and other public congregation areas, and have automatic face-recognition software continuously scan the crowd for suspected terrorists. When the software finds one, it alerts the authorities, who swoop down and arrest the bastards. Voila, we're safe once again.

Speaking of snake oil... face recognition! Is the security expert not noticing the oil being passed?

security badge that includes a picture that a guard looks at. Implemented properly, biometrics can be an effective part of an access control system.

Excluding cost-prohibitive systems, many can be easily tricked. Once someone hacks your "code" (print, retinal scan, etc), how do you *change* it? 'Splain, Lucy!

Terrorists and Steganography

Guess what? Al-Qaeda may use steganography. According to nameless "U.S. officials and experts" and "U.S. and foreign officials," terrorist groups are "hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites."

No Proof.

It doesn't surprise me that terrorists are using this trick. The very

No Proof.

To make it work in practice, the terrorists would need to set up some sort of code. Just as Hanssen knew to collect his package when he saw the chalk mark, a virtual terrorist will need to know to look for his message. (He can't be expected to search every picture.) There are lots of ways to communicate a signal: timestamp on the message, an uncommon word in the subject line, etc. Use your imagination here; the possibilities are limitless.

For once we see the broad imagination and not the narrow focus we saw above. Perhaps Bruce is now in his zone again, instead of thinking within an area where he doesn't seem to be quite as comfortable. How Bruce presents himself as a "security expert" is really beyond me...

Protecting Privacy and Liberty

to provide security on the Internet. This works; my company catches attackers -- both outside hackers and insiders -- all the time. We do it by monitoring the audit logs of network products: firewalls, IDSs, routers,

Ah yes, log auditing. A low-level AI with a human overlord. Nothing like retroactive "response". Valor. Kimble. Schneier?! -aj. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY of the mail.