On Wednesday 31 October 2001 10:19, Crispin Cowan wrote:
> Chris & Kathleen wrote:
> > hi All
> > this is not funny people in Portland have almost gone ballistic there.
> > many are frightened and scared from Sep 11The so this kind of stuff
> > does not surprise me. We need to remember to keep calm and don't let
> > this kind of stuff rattle us. Granted the person who did this thing
> > may have had a grudge or was playing a bad practical joke, but we need
> > to keep level heads. We also need to NOT let this stuff become a joke
> > - as there is a real danger out there. It''s not funny and we should
> > not treat it as such.
>
> I beg to differ. The threat is absurdly small compared to the level of
> self-imposed denial-of-service we are enduring. One is more likely to be
> hit by lightning than hurt by a terrorist attack. This is precisely
> analagous to shutting down your servers because your IDS issued an
> alert. It's a bad idea for computer networks, and I hazard to say it is
> a bad idea for civic systems to similarly over-react.
I have seen people do just that over other situations where fear and
misinformation prevail. ("Can you say Y2K boys and girl? I knew you could!")
The idea that a server cannot come to harm if you just turn it off, not
realizing that other servers depend on that one... (Ever see what happens to
a site when someone shuts down all the DNS servers servicing a domain? You
become an "un-company." Double-plus ungood.)
> I feel that it is high time that people stop jumping at shadows, and
> carry on with normal life. Moreover, it is well past high time that we
> stop imposing stupid, ineffective "security" measures that mostly make
> the public feel good, but have no real protective value.
"But if they are afraid, they won't question and give us everything we ask
for!"
There are a whole bunch of groups that feed on fear. Law enforcement and the
military are getting everything on their Christmas wish list out of this. So
are the various companies selling to those groups. The news media is getting
high ratings and more and more viewers hooked. (Sure beat the "Your child
could be in danger from <scare source X> stories".)
Unfortunately, even some in the security industry feed off that fear.
Security people need to remain level-headed. Panic and paranoia does not
help the thought process. If you are going to defend systems against an
unknown, you need to have all of your wits about you, or else you end up
spending huge amounts of time and money on things that don't help, and may
make things worse.
If I can scare you into doing something stupid, it can become a denial of
service attack in and of itself.
> For instance, can someone tell me the useful purpose of having armed
> soldiers at the airport metal detectors? The soldiers don't do anything,
> they just stand there. It's not like they know anything about detecting
> contraband in luggage anyway. At best, they can defend the airport gate
> against a frontal assault by an armed gang. But only a very small one.
> And no terrorist would use that approach anyway, because they would
> never get the plane off the ground. So what is the point?
The point is that it gives people who lack the power of actual analysis and
reason a belief that they are "safe". (Which, unfortunately, tends to cover
far too many Americans. (My personal belief is that far to many Americans can
no longer discern between fantasy and reality, which explains "Zero
Tolerance" and most laws out of Congress.))
Schneier had an excellent comment in his Sept 30 Cryptogram on the issue of
airports and security. His main point was there was no threat model used in
the planning. They just made up a bunch of rules, some good and some bad. The
reports I have seen since then tend to back up the assertion. (Random and
meaningless reasons used to search and detain, that have little to do with
actual security and more to do with fear and insecurity.)
The article can be found at: http://www.counterpane.com/crypto-gram-0109a.html
> Perennial question: is non-computer infrastructure topical to CRIME?
Yes, actually. Physical security concerns are defiantly on topic. (As are
panic overreactions.) The reason is that they tend to mirror on the computer
side as well.
I have seen places that had all sorts of computer security measures in place,
but you could walk in and out of buildings with hardware. I have also seen
places where the physical security was quite tight (to the point of
absurdity), but there was next to no OS level security.
The best denial of service attack is hauling away the server.
The way other security concerns are handled (or not handled) tend to mirror
in the computer field.
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:29:22 PDT