Schneier on Security 204
brothke writes "There is a perception in both the
private and government sector, that security, both physical and digital, is
something you can buy. Witness the mammoth growth of airport security
products following 9/11, and the sheer number of vendors at security
conferences. With that, government officials and corporate executives
often think you can simply buy products and magically get instant security by
flipping on the switch. The reality is that security is not something
you can buy; it is something you must get." Keep reading for the rest of Ben's review.
Perhaps no one in the world
gets security like author Bruce Schneier does. Schneier is a
person who I am proud to have as a colleague [Schneier and I
are both employed by the same parent company, but work in different divisions,
in different parts of the country]. Schneier on Security is a
collection of the best articles that Bruce has written from June 2002 to June
2008, mainly from his
Crypto-Gram
Newsletter, his
blog,
and other newspapers and magazine. The book is divided into 12 sections,
covering nearly the entire range of security issues from terrorism, aviation,
elections, economics, psychology, the business of security and much
more.
| Schneier on Security | |
| author | Bruce Schneier |
| pages | 336 |
| publisher | Wiley |
| rating | 10 |
| reviewer | Ben Rothke |
| ISBN | 978-0470395356 |
| summary | The best articles from one of security's best |
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.
The lack of intelligence is most manifest with airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security requires that people remove their shoes, due to a one-time incident with shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leaning, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plats is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United State's counterterrorism security spending is not designed to protect us from the terrorists; but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much of a technical issue, rather one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As a security consumer, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created by creating divisions of power (executive, legislative, judicial) with checks and balances violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes. Since there is a certainty that government powers will be abused.
Schneier observes that the USA PATRIOT is a perfect example of this abuse. The Constitution was designed and carefully outlines which powers each branch may exercise. While Schneier is best-known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers is bad not only for security, but for the preservation of democracy.
In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news, drunk drivers killing people, domestic violence, deaths from diabetes, etc., that is when you should start worrying. And much of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on, are those news threats, such as shoe bombers and liquid explosives that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking if it is truly worth it. In essay after essay, Schenier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schenier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know that the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in the large security theater. And why spending tens of billions on a charade like that, makes that a tragedy of epic proportions.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Afterword (Score:5, Interesting)
Two things:
First, Van Gogh painted Bruce Schneier's portrait [petroz.com] over a hundred years ago.
Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.
Secondly, I want to point to an afterward to Cory Doctorow's Little Brother [craphound.com]. Bruce Schneier writes:
That's just a snippet, as the book is one long HTML page do a word search on "Bruce Schneier" to find the afterword.
Re:Afterword (Score:5, Insightful)
And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
Re:Afterword (Score:5, Insightful)
People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
Sometimes, but I don't think that it's about some smart-person-persecution system. The big problem is that, if somebody points out a security hole, it must be fixed. Even if the hole has been noticed before but was ignored because the odds of exploitation are so remote as to negate the sense in repairing it, once it's been reported it must be addressed - The risk of exploitation is now magnified greatly because of the liability lying on whoever ignores the request - Nobody wants to hear "I told you so" after a security incident. So, if the weakness is ludicrously expensive to fix and very minor, you are correct that it will probably annoy whoever you point it out to. It's not that they don't like you because you're smart, it's because they may have to do something silly or possibly face the consequences of exposed inaction.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
That's kind of messed up. Maybe you've worked in some really dysfunctional places, but just throwing in the towel is doing a disservice to everyone involved. Just be sure you do a critical assessment of what you're suggesting before voicing it formally so that you can be sure that you're really improving things instead of making them worse. Otherwise, like Schneier points out, everyone winds up removing their shoes and throwing away their shampoo as a reaction to a couple of very remote threats.
Of course, there are obvious exceptions.
Re: (Score:2)
That's the thing: all security can be broken. All security has some sort of a hole or another. People do not want to hear about "possible avenues of attack".
Security really comes down to trust: do you trust the person you hired to not sell the company out or do evil to the company?
The problems that beget lower security can be attributed to a cost of business.
Re: (Score:2)
That's the thing: all security can be broken. All security has some sort of a hole or another.
While this is true, you ignore the most important point. All security holes are not created equal. There's some VERY dumb security problems I've come across or heard about over the years that would be VERY easy to exploit. Most (if not all) of them have been fixed. There's others that would be much more difficult to exploit.
You're correct that people don't want to hear about "possible avenues of attack". They
Re: (Score:2)
You mean, there are places in the security business that aren't dysfunctional?
That's why I stopped working in IT security. Employees punished for trying to help, incredible amounts of snake oil, kickbacks for purchasing snake oil, totally clueless people attracted to the "spook" aspect, people and vendors acting "spooky" for no good reason, and did I mention the spook wannabes?
Re: (Score:2)
Sometimes, but I don't think that it's about some smart-person-persecution system. The big problem is that, if somebody points out a security hole, it must be fixed. Even if the hole has been noticed before but was ignored because the odds of exploitation are so remote as to negate the sense in repairing it, once it's been reported it must be addressed
That depends entirely on whom the security hole has been reported to; if you only report it to a few people, and only to those able to fix it, they might look kindly on it [like when I did that with my university's /etc/passwd]. I think the increased awareness is one of the arguments in the full disclosure versus limited disclosure debate [I won't advocate one position over another in that debate, and you can find all the arguments for both sides on your own time].
Re:Afterword (Score:5, Interesting)
Amen.
I recently relocated to a rather rural area and I've met a lot of... shall we call them "simple" people. They look like country bumpkins, and many rarely leave the area, but several have surprised me with their insights.
One was an older man who worked construction his whole life. He once flew out to see his son's family in another state. While waiting to board his return flight he was sitting facing the key-pad door that led to the tarmac. He heard one person type "Beep... Beep... Beep... Bip-bip-bip." Then another. He realized that the six-digit code was three different numbers, followed by three identical numbers.
So he watched. After fifteen minutes he got the code. It was something like "264000." He wrote it on his boarding pass. When we handed the pass to the attendant at the gate she asked, "Sir, do you need this number?" He responded, "No, I don't need the code to your locked door over there." And then he boarded the plane.
A few minutes later two airport police officers came on the plane and asked him if he'd mind answering a few questions. He missed his flight (though they took mercy on him and put him on a later flight) while he was read the riot act. At no point did anyone thank him, nor did it seem that they were willing to find fault with their system or people who let out their ubersecret code.
He was wrong for hearing the code. He was wrong for watching the employees type the code.
Re: (Score:2)
That is a perfect example of the exact trade-off security-conscious people must deal with.
Suppose that all people who attempt to break a system were entitled to do so if they come forward with their methods. This would allow anyone to commit any number of attempted felonies so long as they were not successful. My own counterargument would be that the person who would exploit these holes for malicious purposes wouldn't come forward and thus would be unstoppable if we assume that they aren't caught.
Still, by
Re: (Score:2)
So I explained the problem to our head of security. he agreed that I was right and that absolutely nothing would be done about it. The new cards are a global policy and 60000 people are using them now and it is too la
Re: (Score:2, Insightful)
It's a win.
--
JimFive
Re: (Score:2)
Surely you mean, "He was wrong in the eyes of the people to whom he reported the problem."
If you want to make a difference, report problems to someone who can make a difference. Someone has responded and referred to "the attendant at the gate" as "the authorities." That's the problem with this anecdote: None of the people involved were authorities. They had privileged access, but no authority to do anything about the ex
Re: (Score:2)
Good grief. They KNEW he wasn't any kind of threat. What would be the pointing in explaining anything? And why should a person EXPECT to be abused like that, except for having heard anecdotes like this one?
He could have done better, but he didn't do anything wrong -- except that he forgot to hate and distrust The Man.
Suppose some day HE sees something suspicious that he probably ought to report. W
Re: (Score:2)
You're confusing The Man with The Employees. The Man is far, far away from the keypad. He has hired thousands of people to insulate him from the keypad, in order to make his decisions in isolation.
Just because someone has the root password doesn't mean that they care, or have the authority to fix a security hole.
I say "has the root password" because that's how I think of the people between the front door of the airport and the jetway who can upgrade your ticket if they want to.
Add to that the TSA contractor
Re: (Score:2)
You're confusing The Man with The Employees. The Man is far, far away from the keypad. He has hired thousands of people to insulate him from the keypad, in order to make his decisions in isolation.
The Man is the Sum of the Employees.
Re:Afterword (Score:5, Insightful)
Specifically, they were trying to turn their problem - which was a lack of awareness that they were being observed keying in the number, into his problem, which is being a busybody. One is a disciplinary offense, the other is just bullshit. But if they can make everyone feel that he has done something heinously wrong (and consequently that they have done nothing wrong themselves), they can hide the severity of their own errors in a shroud of fud. Which matters when evaluation time comes around and you're looking forward to that bonus. Nobody cares, you see, that it is instilling into people the apathy that could allow another 9/11 to happen, they're looking at goals closer to home.
Re: (Score:2)
The lock is there because everything outside that door is a security area.
No unauthorized people are allowed accessed to the tarmac.
Out there you have access to the planes, tools, checked baggage, airport vehicles, and fuel (probably including all of gas, diesel, and jet fuel).
Re: (Score:3, Insightful)
Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
Only because people have no clue about security.
When most people hear about a security vulnerability, they do indeed think that they have two options:
1. Fix it.
2. Bury all information about it.
The reality is that the third option is the one that is frequently the right one: Acknowledge it and move on. Security vulnerabilities are everywhere. It's better to be aware of them than not. And yes it's a good idea to fix them if doing so is not overly onerous. However it is not always necessary to fix them
Re: (Score:2)
You are thinking it is still 1950. Relying on people's good nature will get you a rude surprise today. It isn't 1950 and Mrs. Cleaver doesn't live up the street. Indeed, most people aren't feeling remorse.
In the town where I live they put up lights along a bicycle path. The path is relatively isolated from other homes so at night there is nobody around. Some people figured this out and removed all of (3 or for miles worth) the electrical wire for the lights. Probably got several hundred dollars for it
Re: (Score:2)
Your average retailer is looking at 2% to 5% in shrinkage, every day.
Sorry, that's just not true. Your average retailer looks at less than 2% shrinkage, per year, check the stats.
And overall, most humans are still very moral. There's only a fairly small number of people who have the combination of energy and anti-social nature to do this. This could change - the neo-Cons have tried to make a virtue of psychopathy - but for right now your average guy is, if he's not feeling threatened, pretty decent.
Re: (Score:2)
Yes, I knew I was comparing apples and oranges, but the point was that the original number was off by well over an order of magnitude if not two. To seriously imagine that 5% of the items disappear from a store, each and every day, is madness.
Re: (Score:2)
Your average retailer is looking at 2% to 5% in shrinkage, every day.
Certainly not true for average retailers. Bad laundries maybe.
Re:Afterword (Score:5, Insightful)
No, it's better to simply accept the occasional teenager who "beats the system." Oftentimes the best "security" is just social norms.
I would highlight this with another example. My friends and I would often go to a particular restaurant to eat. This restaurant serves popcorn to eat while waiting for the meal and they have some relatively cheap appetizers. We'd order one small appetizer and fill up on popcorn. To some people, looking from the outside, this would look like "gaming the system", where we take something intended to help paying customers and use it without paying.
However, today, not a month goes by when I don't eat there with at least a group of 6 people, and my wife and I go there all the time. Had a manager or waitress been a hardass and kicked us out, my friends and I certainly wouldn't be eating there on a regular basis today. Sometimes it's better to accept the short term loss if it builds customer loyalty.
Re: (Score:2)
The reality is that the third option is the one that is frequently the right one: Acknowledge it and move on.
Unfortunately, in many cases, this isn't an option any more. In the current litigious society, if a security flaw can possibly be exploited, there's no way a company can go on record saying, "Yeah, we know about this vulnerability, but the costs of fixing it outweigh the benefits." If the vulnerability is later found and exploited, that sort of statement will be seen as tantamount to an admission of guilt in the court of public opinion, if not the court of law.
Re: (Score:2)
Or a movie theater can be tricked by having people exit with already-used tickets, and bring other friends in using them.
Could you elaborate on how that works? I think the movie theaters you talk about don't work like those I think of. Here's my typical use case:
(1) Buy ticket. On the ticket, there's the name of the movie, date and time of when it's shown, and a seat address. There's also a removable part with some of the same information. (2) Go up to man between me and screen; he removes the removable part and lets me pass. (3) watch movie. (4) throw out ticket and leave.
What's your attack on that system? Is your sy
Re: (Score:2)
And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
Maybe because, in most cases, security is meant to deter the casual threat. You don't need to be some kind of super-spy to break into my apartment, but then the purpose of having a lock on my door isn't to keep super-spies out. Still, I don't particularly want you standing outside my door offering tutorials on how to pick my lock.
Re: (Score:2)
This has nothing to do with smart people, it has to do with people who undermine the purpose of the system. In the case of "security" systems, many of them are not intended (from the point of view of at least some of the responsible parties: often there is a conflict) to provide security, they are intended to provide t
Re: (Score:2)
As convincing and well-established that argument is in our world, it doesn't extend indefinitely to the real one. When someone doesn't lock their door, you don't reward the guy who sneaks into everyone's house to prove he can. There are some areas where you know that insecurity exists, and rely on individual prosecution or ignorance (security through obscurity) to make the system maintainable. Near-perfect security is difficult and cumbersome, so why invest in it for anything but the most critical systems?
Re: (Score:2)
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
No ifs, ands, or buts about it.
Some time ago I found a gapingly large security whole in a major credit card company's online credit card processing system when I was being paid to implement an online shopping cart system. It was a terrible, nasty security hole - bad enough that I could have purchased anything I wanted to at any vendor's website that used this gateway for FREE, without the use of a
Re:Afterword (Score:5, Insightful)
I like the idea of security systems working against their intended purpose. It reminds me of a recent incident at the office/retail complex where I work.
There's a fountain in the middle of a round-about, the intended purpose is to entertain visitors to the resturaunts around it. This fountain had multiple signs worded "Smile, you are being recorded"; a somewhat polite reminder to behave so to speak. Of course, there aren't any places to hide cameras in the nearby buildings, and there are no cameras installed. Someone figured this out, and put soap in the fountain. Now there are no friendly warning signs.
It was surely interesting that the poster of these signs wasn't intelligent enough to figure out that the signs would not deter bad behavior, but did understand after the fact.
Re: (Score:2)
A security system in a store that simply moves the thieves next door is accomplishing the objective of the shopkeeper. Absolutely, and at minimal cost. Catching shoplifters is not the objective, it is the prevention of theft.
A basic problem we are now faced with in the US is that 50 years ago societal pressure was enough to ensure that most people obeyed the law, were nice to other people and we generally had a civil society. These pressures are breaking down, in some ways because of unassimilated immigr
Re:Afterword (Score:4, Interesting)
Well, I was only six 50 years ago, but it did seem that there were fewer thieves. Certainly our governments and industries weren't run by thieves like they are now. But you would have to show some stats to convince me that eat-and-run and shoplifting are more prevalent. I'd say with the advent of security tags on merchandice, all the cameras, there HAS to be a lot less, or today's thieves are smarter than your grandpa's thieves.
I don't think you can blame immigration on it, not in the US at least. We have always been a nation of immigrants.
I know that when I was a teenager, kids were as awful as they are today. And you don't hear about lynchings, or hear the word "nigger", at least not from white people. I'm not sure people are more dishonest than then.
I do know that geezers are a hell of a lot nastier than they were back then. Rich peole are nastier too.
Re: (Score:2)
O RLY?
I'm pretty sure the only difference is that 50 years ago they put a bit more effort into appearing respectable (and the lack of social transparency made that easier).
Re: (Score:2)
Re: (Score:2)
Two things:
First, Van Gogh painted Bruce Schneier's portrait [petroz.com] over a hundred years ago.
Funny, I used to watch him on Saturday Night Live back in the 80's: http://en.wikipedia.org/wiki/Dennis_Miller [wikipedia.org]
Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.
That's because super-secret security experts are masters of disguises. Bruce regularly travels as a comedian as a cover.
And you'll find that all the employees of his company are called "Bruce."
Re: (Score:2)
Looks like Kelsey Grammar only with more forehead (Score:2, Funny)
I didn't think that was possible.
Security can be bought (Score:5, Funny)
The price is usually money, time, emotional energy, study, and perhaps reduced functionality.
Then again, that's probably the point of the book.
Re:Security can be bought (Score:5, Insightful)
Whether it can be bought or not is perhaps besides the point.
Because it can certainly be sold.
Re: (Score:2)
Security can be bought
The price is usually money, time, emotional energy, study, and perhaps reduced functionality.
Wait a minute. Emotional energy? Reduced functionality? Sounds like someone's buying themselves a whole lot of insecurity.
Security (Score:4, Insightful)
"Buying" security is easy, because throwing money at a problem is always the simplest path.
Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time..
Re:Security (Score:5, Informative)
Educating users is probabaly the easiest and cheapest way to reduce risk. It doesn't cost a lot of money or take a lot of time. The problem is most companies just don't do it. You might be looking at a cost of $100 per employee per year and 30 minutes to an hour to take a class.
Most companies mention it during orientation but never provide on-going training or support to their employees when it comes to security issues. In this case the infosec team needs to get out of their cubes and walk around and talk to people to be sure they can advise fellow employees on security risks and get the lowdown on which manager proposed something stupid this week. 90% of the security teams job should be education be it educating developers, system admins, general counsel, marketing, exec admins, or the board of directors.
Risk (Score:2)
It's called transferring risk.
Absolutely. And insurance is the classic mechanism for transferring risk. Schneier develops this idea extensively in "Secrets and Lies."
An insurance policy coverts a set of risks into a fixed expense for a period of time. It can do so even when those risks are due to events outside your control. You cite some great examples.
But insurers may charge a higher fee for unmitigated risk, or they may not agree to underwrite the risk at all if mitigations are not performed.
Re: (Score:2)
Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time..
Well, time is money, so really it's all about money.
Except it's not. Deploying thousands of security drones and tons of expensive machinery costs a lot more than a few classes. It's not about money. It's about convincing people that you're Doing Something. All that effort against mentally retarded terrorist serves the same purpose as Mayor Quimby's Bear Patrol: it's a conspicuous and easy-to-understand effort that everybody can relate to. Educating airline personnel on good security practices might be more
Re: (Score:2)
It's not about money.
Sure it is. For the security salesmen it's about convincing politicians and civil servants that they need to buy expensive security systems. Preferably with lots of blinking lights and even better, As Seen in the Movies, with technology that you can claim is sufficiently 'advanced' to justify the hefty pricetag.
For politicians it's another money/power making issue as they can justify sweeping spending and control with it. They're not overly difficult to talk into buying the pointless ju
Bruce Almightly (Score:4, Interesting)
Re: (Score:2)
Yup. I've been saying it for years and routinely been modded down for it - Bruce is a columnist and a consultant. He succeeds not by being right, but by being popular or at least generating lots of buzz. This book is just building the brand, repeating and repackaging everything he has said a dozens times before so that they Faithful can shower him with money.
The only difference between Bruce and Billy Mays is that Billy is at least honest in what he does.
Re: (Score:2)
What I have a problem with is the security pundits who add no real value to the discussion besides stating the obvious . His success today is more like that of an IT pop star preaching to the choir. Anger and jealousy don't fit into it....I can admire his past achievements and disagree with his current approach at the same time.
Re: (Score:3, Interesting)
What I have a problem with is the security pundits who add no real value to the discussion besides stating the obvious . His success today is more like that of an IT pop star preaching to the choir. Anger and jealousy don't fit into it....I can admire his past achievements and disagree with his current approach at the same time.
I think I can shed some light on this. Bruce's job is to convince your boss about the stuff you already know. Your boss will believe Bruce because 1) he's Bruce and 2) he's not you
Re: (Score:2)
Question (Score:5, Funny)
If Chuck Norris [chucknorrisfacts.com] tried to break Bruce Schneier's security [geekz.co.uk], what would happen?
Re:Question (Score:4, Funny)
You would reach "beard critical mass", at which point the Large Hadron Collider would turn into a very surprised sperm whale and a bowl of petunias.
Why do you think you never see them together?
Re: (Score:2)
Maybe Chuck Norris and Bruce Schneier are one and the same person, and anyone who figures that out gets roundhouse kic$(&$*& NO CARRIER
Re: (Score:2)
No, I'm pretty sure that Bruce Schneier isn't a retarded douchebag who endorsed Mike Huckabee.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Another question: could Bruce Schneier design a system so secure, even he couldn't crack it?
Re: (Score:2)
I think you'll find that Chuck Norris can exist in any universe he damn well pleases.
Dealing with symptoms (Score:5, Interesting)
Everything he talks about is just dealing with the symptoms. Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.
I've been thinking about terrorism lately and its causes and its implementers. most terrorism is centered on what's happening in the Middle East. Now before someone accuses me of being anti-Islamic or racist or whatever, hear me out.
Terrorism is the result of very desperate people who have lost all hope and feel powerless. The Middle East and its people have been shit on for a couple of millennia; whether by western powers, other in the Middle East (Persians and Turks), Asians. These are people who have felt shit on by the World and there's nothing they can do about it. The creation of Israel was the straw that broke the camels back - so to speak.
To make a long story short, if we gave autonomy to the Middle east (Oil supplies be damned!), meaning pull out completely. I think terrorism would stop or at the very least, decrease dramatically.
I also disagree with folks who think that if we were to leave the Middle East, others would gain control of the Oil thereby sending us into a depression or putting our military and defense in jeopardy. It won't happen.
Re: (Score:2)
There is plenty of terrorism (or was lately) in Indonesia, Ireland, and ex-Soviet republics (true, close to the Middle East area) without involvement from the well-known (or less well known) Middle East factions. Also, there was terrorism in the U S of A that did not involved any kind of arabic or Middle East factions.
Agree with the rest of the post
Re: (Score:2)
Sure. That'll help.
I suppose we'll have to forget about the domestic terrorism in OK City. Or the terrorism in the Phillipines. Or Columbia. Or Bolivia, or Argentina, and gosh, the rest of S America. Forget about Africa, too. Maybe the Tamils will surrender peacefully. Maybe the Hindus will stop fighting. Will the IRA cease fire-- really? How about the Basque?
In each case, there's a group that fights the rule of law and with unrestricted, murderous violence.
Your argument is about civility underneath. Withou
Re: (Score:2)
As a certain Comedy Central host once said: Taliban is Taliban!
Re: (Score:2)
It's only terrorism if non-christian brownish people do it. Didn't you get the talking points?
I'm kind of curious as to who you think are putting forward these talking points? It can't be Necons who are pretty quick to mention domestic terrorism when convenient.
Re: (Score:2)
yes, the random terrorism (e.g., Somali pirates that took over that Ukrainian freighter a couple of weeks ago) is that. But the more organized terror groups are after power.
Ahem...taken from the last Crypto-Gram: (Score:4, Interesting)
The Seven Habits of Highly Ineffective Terrorists
[...]
Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorist are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terro
Re: (Score:2)
The author has absolutely no data to back up his claims
Not really.
Just a few tidbits from the original paper. The author looked at the data collected by RAND and found out that since 1968 - 64% of Terrorist Acts Worldwide are Anonymous.
There's a lot of stuff about these organizations being politically diffuse. For example Bin Laden's fatwas throughout the 1990's were primarily aimed at Muslims! It was only in 2001 that he talked about the US. The author cites quotes from members of Al-Qaida criticizing t
Re: (Score:2)
I don't think you're racist, just not very well informed. If the American press is your source of information that doesn't surprise me. Most terrorism is not centred on the Mid East, it's just that's all the terrorism the USA cares about. The motivations for all the other terr
Re: (Score:2)
Everything he talks about is just dealing with the symptoms. Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.
Terrorism is a tactic. It is the amplification of force effectiveness by achieving psychological effect. It is used by the powerful and the powerless. However, I suspect that you're after the more politically charged use of the word. There are two issues with this.
First, you're assuming that the tactic itself can be stopped by solving a particular set of political issues. That assumes that one issue won't be supplanted by another. And that those in conflict won't study history and seek tactics used by
Then what about the Jewish terrorists? (Score:2)
So, abandoning Israel would be a solution, in your point of view? Well, this might come as a surprise to you, but the Jews in Israel had armed groups [wikipedia.org] defending themselves *before* the state of Israel came into existence.
If, in your words, "Terrorism is a symptom of very desperate people who feel that they're being
Re: (Score:2)
Irrelevant, since no middle eastern person happens to be thousands of years old.
All over the world, people spend their whole lives being shit on, and hardly react at all. (e.g. Americans 230 years ago took up arms over trifles that are routinely tolerated today.) The middle easterner has no more (or less, I'll grant you) to be angry about than the average citizen of the world. Everyone is covered in shit.
There's something else
Re: (Score:2)
Re: (Score:3, Interesting)
How on earth can the middle east feel powerless when it is sucking a trillion dollars of oil money a year out of the western world?
Because >99% of those trillions go to 1% of the population?
Re: (Score:2)
Re: (Score:2)
There are foreign troops occupying their land.
Oh, you mean in Egypt? Saudi Arabia? Iran? Please, show me the foreign troops in Iran...
It's a b.s. excuse from a b.s. people that can't own up to being stupid. No wonder Obama wants to make nice with all of his buddies... liberals are just like radical islamics - no matter how much money you throw at them, they will be whining about how they are victims... when really, they are just lazy.
Re:The thesis is a joke... (Score:4, Insightful)
None there just now, but what about the US-sponsored and supplied Iraqis a couple of decades ago? There was some direct fighting between US and Iranian forces in that conflict too. Right now, the USA is occupying Iraq to the West and Afghanistan to the East. They also have bases in Saudi Arabia, Turkey and Kyrgyzstan and are propping up the regime in Pakistan. So, Iran is pretty much surrounded by US influence and the US has declared them to be evil and made demands with an implicit threat of force.
If someone fucked with my country that much, I'd be trying to kill the fuckers too.
Re: (Score:2)
Fair enough point. But let's keep some perspective.
None there just now, but what about the US-sponsored and supplied Iraqis a couple of decades ago?
Iraq got a lot more support from the French and Soviets during that time period than the US. Iraq was hardly a proxy for US action in the region. Although it was a natural choice to counter expanding Iranian influence. Iran had already set the tone with the US (although the US' involvement in pre-revolutionary Iran was a mistake).
There was some direct fighting between US and Iranian forces in that conflict too.
Certainly - after Iran had attacked US interests in the region. The US counter-attacked. Let's not make it appear that the
Re: (Score:2)
Another lovely phrase lost in translation. Ayatollah Khomeini labeled the US the great 'Shaitan', referring to a particular manifestation of the Devil: the Tempter.
Specifically, he meant that US culture was tempting the people of Iran into decadence and materialism. That's evil, to be sure, but not generically Evil.
Iran has been fighting a low-grade dirty war against the US and Israel sinc
Re: (Score:2)
Crazy people ARE safe! (Score:2, Informative)
Yeah, safe and un-free! (Score:3, Insightful)
"Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack."
That is right and we can know this for certainty because if we believe Bush and his rhetoric that "Hundreds of terrorist plots have been stopped and the terrorists have been arrested" ..then where are the hundreds of trials? If there are no trials, or these plots are military "detainees" (read: "legally not prisoner"). Then why do we need civilian airport checks if civilians are not being ar
Apply within. (Score:2)
"The reality is that security is not something you can buy; it is something you must get.""
WANTED: One security professional who knows what the hell they're doing. Please apply at the door.
Bruce Schneier doesn't write books. (Score:4, Funny)
Not just about security - about everything (Score:2)
People responsible for things like airport security are ultimately bureaucrats. They are not experts, nor do they have the time or attention to get down to brass-tacks. The only thing they can do is throw money at the problem.
This how everything works from Airport Security, to product development and Q/A, to passing Financial Bailout legislation.
People who are in-charge of things often are 'executives' - meaning that they oversee a "big picture". These ar
Re: (Score:2)
Example: a brilliant scientist spends his entire life solving equations, coming up with theories, designing and building rockets. He/she is revered in his/her work and excels, and is well know...they will not generally become the head of NASA..
You mean like Dr. Werner Von Braun? He may not have been the head of NASA, but he certainly played a leadership role in the early american space efforts.
Executives don't know any better than to react - It's only the experts that really think proactively - because tha
Re: (Score:2)
The current NASA Administrator, Michael D. Griffin, was a working physicist and engineer. He does have an MBA, but he also has six engineering-related degrees. Obviously he h
Getting security... (Score:2)
"The reality is that security is not something you can buy; it is something you must get."
*sigh* Fine, make me do things the hard way. Who do I get security from, and how much will they charge me?
What do you mean I don't get it? Is my money not good around here?
ondigo (Score:3, Informative)
Sadly, that's not an unwritten rule. It is, in fact, the 10th amendment. So that just makes it an ignored rule.
Security's something one can get bribes for buying (Score:2)
More importantly, it is something that can be made expensive and trumpeted by the salesman's three best friends of Fear, Uncertainty and Doubt - leaving ample room to "reward" some of those who get to decide on spending the money of other people who cannot assess the value and actual benefit of their purchases.
and the other shoe drops (Score:2)
Why care about terrorists.. (Score:2)
Why care about terrorists when a company or bank CEO can do much more damage to much more people?
Are those beign blacklisted too? Just because they don't grow a beard doesn't mean they aren't dangerous...
Constitution Inherently, Explicitly Limits G'vment (Score:3, Insightful)
The Constitution doesn't violate the basic unwritten rule that the government should be granted only limited powers, and for limited purposes.
The 10th Amendment [wikipedia.org] clearly wrote that "unwritten rule":
The rest of the Constitution is perfectly consistent with that written rule, though the 10th Amendment does make it explicit, as seemed prudent to those who wrote and ratified the Bill of Rights so there'd be no doubt that the Constitution protected those rights.
I don't really know what that paragraph I quoted from this review is even supposed to mean. Nor have I read this latest book by Schneier. But I also have read much of Schneier's writings over the past decade plus, including some of his other books (yes, starting with _Applied Cryptography_), and even some direct email correspondence, and I do not believe that Schneier says that the Constitution violates an unwritten rule of limited government. Schneier knows as well as anyone that the Constitution is the exemplar document of inherently limited government, as the Constitution itself says, which is such rock solid conventional wisdom that it's a cliche.
Re: (Score:2)
Sure, that's important....until you actually have a security breach, and all the carefully managed "perceptions" of the auditors, clients, and management come crashing to earth.
Re:Security Isn't Important (Score:5, Insightful)
Maybe in the military or in geek super spook krad fantasy land. In the real world of business there is little to no impact to a business as a whole over any security breaches. The public record is replete with examples of businesses who seriously dropped the security ball but the effect was about as dramatic as a bug getting squished on the corporate windshield. Sure there's some goo to wipe off but the car doesn't slow down.
Microsoft, Netscape, credit card processors, insurance companies, civil administrations, many companies have slacked in their security but the worst that happened was a few negative articles in the press that were soon forgotten.
Find just one company that was shut down or went out of business because of a security breach. You just can't do it. Execs rarely even get fired over this stuff.
That's why businesses continue to have poor security. It's just not worth it. You just have to manage it, like everything else.
Re:10 (Score:4, Funny)
Not so fast Mr. Funny Guy (Score:2)
GP is clearly a troll, but you're wrong about Anonymous. Slashdot logs anonymous posts. If a TLA agency came after them, Mr. AC wouldn't be Anonymous for very long.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Oh yes, no true Scot^H^H^H^HChristian [wikipedia.org] would ever do that.
Re: (Score:2)