Blog related program activities
I've been on the lookout for a good, frequently updated, digest of security publications, advisories and blogs. I found one: http://www.infosecdaily.net/ .
Civilian air defense
A couple of weeks ago, the U.S. Department of Homeland Security awarded a contract for devices to protect commercial aircraft from shoulder-fired missiles:
WASHINGTON, D.C. - The U.S. Department of Homeland Security's Science and Technology division today announced that teams led by BAE Systems, Northrop Grumman and United Airlines have been selected for agreement negotiations. The team will be expected to develop a plan and test prototypes to help determine whether a viable technology exists that could be deployed to address the potential threat that MAN-Portable Air Defense Systems (MANPADS) pose to commercial aircraft.
Despite the curious name, I have nothing funny to say about this. Defense systems for commercial aircraft are a perfect example of where we should be investing in security technology. The threat is significant, the timing is not too late and the problem should lend itself reasonably well to technological amelioration.
In parallel to looking for ways to defend from missile strikes, we should also be looking for ways to electronically revoke new weapons if they fall into the wrong hands. MANPADS are particularly well suited for this approach because their effectiveness is closely tied to sophisticated targeting software. If you fry the guidance system, the stinger turns into a bazooka. It’s hard to hit a moving plane with a bazooka - even a 747.
Of course, “smart shutoff” functionality would only help us with new weapons manufactured by the U.S. or cooperative countries, but these are probably going to be the most dangerous weapons available and the least susceptible to defensive countermeasures after launch. We all know how top of the line American hardware can get find its way to unwanted places from time to time.
Various attempts at electronic weapon revocation have been tried before, but I think recent advancements in technology warrant a new attempt. I’d like to get some industry cooperation on this issue and see what can be done.
Apparently IBM has patented a method of paying programmers to work on open source software. This is a fantastic development for those of us under doctor’s orders to get more irony in our diet. The new patent is U.S. No. 6,658,642. Actually, I’m willing to give IBM the benefit of the doubt on this one. The idea itself seems reasonably novel. Maybe they intend to offer free licenses to this patent to all open source software workers as a way of protecting the community. That would be swell.
Now, I’m the last person on the planet who should be complaining about U.S. patent law, but sometimes an application gets through that seems - bear with me while I search for the right word… ah, here we go – unsound. As a service to my readers, I’d like to offer a guaranteed (“guarantee not guaranteed”) way of protecting yourself from being unreasonably sued for patent infringement in the future:
Step 1: Obtain a business process patent on the idea of “Making Money by Suing Other Companies and/or Individuals for Patent Infringement.” (You’re thinking this won’t work because only one person can own such a patent – you’re overestimating my audience.)
Step 2: Wait until someone sues you for patent infringement, then BAM! You got ‘em for violating your patent from step 1.
Legal scholars and fans of recursion may note that many currently litigious companies may claim “prior art” on your patent since they’ve been suing people for years before you filed your application. You’d probably settle out of court long before this comes up, but if you insist on even more devious protection…
Step 3 (advanced): After obtaining the patent from step 1, obtain another patent called, “Defending Against the Patent From Step 1 By Claiming to Have Prior Art Based On Having Sued People in the Past.” Aha! Now you've got ‘em coming and going.
NB: Before following any legal advice from me, please remember that I am not a licensed attorney and may not always place your best interests above having a good laugh.
Sorting out certificate validation
Dr. Bob Dulude, CoreStreet’s CSO, has just written a handy whitepaper comparing the security aspects of three approaches to digital certificate validation. There’s been a fair amount of misinformation (perhaps disinformation) on this important topic and “Vulnerability Analysis of Certificate Validation Systems” is 12 pages of serious record-straightening.
Bob’s paper, while not up to the comedic standards expected by the reader(s) of this blog, is an excellent high-level technical overview of the main issues. The conclusion is that Distributed OCSP (D-OCSP) has the most favorable security characteristics against denial-of-service, intrusion and replay attacks.
Progress at Amazon
When I made my first ever on-line purchase in 1996, Amazon.com only sold books. Now, I can buy a wedding ring, duck bacon, ninja claws and golf boxers. That should be everything I need too sneak onto Hilton Head Island in case my Renaissance Weekend invitation gets lost in the mail again this year.
We win an award
CoreStreet has been chosen as the recipient of the 2003 Frost & Sullivan award for Technology Innovation. The researchers at F&S singled out our work in finally making PKI practical for huge government deployments. I want to congratulate and thank our outstanding team (and especially the engineers, marketers and sales staff that aren’t on that list so they don’t get stolen by recruiters). I may be a merely an “expert”, but I work with folks who really know how to get the big job done!
This market is showing very strong signs of life. 2004 is going to be interesting.
Can't put your finger on it
The recent example of winsome personal diplomacy performed for Brazilian airport security workers by an American Airlines pilot has given me an idea about how to overcome a persistent obstacle to biometric adoption. Many of the arguments often made against fingerprint biometric authentication are misinformed and readily corrected, but one objection has been almost intractable. Until just now.
The accuracy problem associated with false-positive and false-negative results is a real challenge for forensic and surveillance applications, because these kinds of uses require each individual scan to be compared against thousands or millions of stored records. Picking a small group of individuals out of a large pool of people by briefly examining parts of their bodies is hard. Smart people are working on it. I’m glad it’s not me.
However, for authentication (proving that you are who you say you are) you only have to match your fingerprint against one template (allegedly your own) stored on a reliable card or other credential. False-positives are greatly diminished and false-negative errors only cause a minor inconvenience (just scan that finger again). Privacy and cost concerns are similarly addressed – you can prove that you are who you say you are while preserving appropriate anonymity. A good match-on-card or match-on-reader system combined with a reasonably secure and affordable storage medium and real-time validation is a pretty fast, accurate, private and affordable way to do strong authentication. So what’s the big problem for wide-scale public deployments?
Deep-seated psychological connotations found in many cultures equate getting your fingerprints taken with being accused of a crime. Most people don’t like being treated like criminals. Particularly high-minded ones may even be insulted by the perceived insinuation. Put Queen Elizabeth and Joe Lieberman in an airport line and see how long it’ll take them to clear security (and don’t count on face recognition to tell them apart). Changing this mindset will take a lot of patience and training - for the security professionals administrating the scans, not the finger-owners. Here’s a shortcut:
Instead of scanning the index finger or thumb, go for the intermediate digit. I propose that all new biometric scanners at public facilities be configured to accept the longest and most expressive of the fingers. Reasonable and dignified security experts (such as myself) will present our fingers without comment, but people with an innate distrust of technology or law enforcement will be so giddy from having the chance to flip the bird at authority that they’ll line up for a second run through the scanner.
Of course that still leaves Senator Lieberman, but we’ve narrowed down the search space.
The Quicker Picker Upper
There's new legislation on Capitol Hill, which seems to call for bounty hunters to help round up foreign visitors to the U.S. who overstay their visas. The House Resolution (H. R. 3452) is called the Visitor Information and Security Accountability (VISA) Act of 2003 and was introduced on November 6th, 2003 by Congressman Pete Sessions (R-Texas) and Congressman Lincoln Davis (D-Tennessee).
My general skepticism about legislation with earnestly clever names aside, the VISA act has some common sense points. Secure Identification Documents (sec. 102) and Increased Penalties for Alien Smuggling (sec. 107) seem reasonable and overdue. Where the bill loses me, is the section 201, MAINTENANCE OF STATUS/DEPARTURE BONDS AND DELIVERY BONDS. From a summary of the act:
Finally, the VISA Act seeks to take action against individuals who violate the terms of entry by:
• Introducing the private sector as a force multiplier in improving visa compliance by authorizing and requiring federally regulated Maintenance of Status/Departure bonds for those seeking U.S. visas, except for individuals from countries participating in visa waiver agreements with the U.S.
Basically, visitors from countries requiring entry visas in to the U.S. will be required to post a bond with a registered, private bond agent. If the visitor overstays their visa, the bond agent would be responsible for the now-illegal alien's apprehension and deportation.
I'm not sure I understand what all this means in practice. Presumably, it would add a significant, non-refundable, "cover charge" for every visa-holding visitor entering the U.S., and would encourage private bounty hunters to roam immigrant communities searching for visa overstays in the same way they currently do with court bail jumpers. I do not believe that the economic, political and security implications of this have been thought through very carefully.
Need to educate myself a bit more...
Hostile surroundings, no security worries
If you're planning just about anything big, important, expensive or highly symbolic here on earth, you're pretty much going to have to obsess about security at every step of the way. Among the many small joys of the NASA Mars rovers is that they can do their job without worrying about the bad guys. Sure, security is pretty tight on the ground before launch, but once the rockets are away it's just us vs. the laws of physics.
I hope I live long enough to read about the first crime committed on Mars. Wonder what it’ll be. Probably copyright infringement.
I am an expert
I was the "Expert of the Month" on CIO.com last month, taking questions about the convergence of IT and physical security. The month is over and my expertise has expired, but they've published some of the questions and answers. Here's my favorite. I'll try to answer some more and send them in soon.
There were a lot of good questions sent in to the magazine, but I've only answered four so far because I'm lazy. I think that being an expert and being lazy go hand-in-glove, or, um, butt-in-couch. Being an expert is how I get to avoid real work.
[Note to investors: This is a joke. I am not the slightest bit lazy and take to real work like a chipmunk to fresh acorns.]
Hmmm, that's two backside references in one post. This blog is getting off to an inauspicious start.