Friday, January 11, 2008

REAL ID

I have sent several e-mails to DHS to protest the REAL ID system. For those of you who don't know, it is a system that will require more documentation to obtain a driver's license and will store all of that information in a huge, centralized database that the Government will control. If you just shivered, congratulations: you have a pulse and a brain. DHS announced today that it is pressing ahead with this despite the opposition of several states. I urge everyone to send comments to DHS at oscomments@dhs.gov with the docket number DHS-2006-0030 in the subject line. You can also check whether your state has passed, or is considering, legislation against REAL ID at http://www.realnightmare.org/actioncenter/15/

My arguments against REAL ID are below.



It WILL NOT make us more secure.

A REAL ID card can and will be forged, likely within hours of its introduction, and the documents used to obtain one can be forged as well. None of the 9/11 hijackers, the Unabomber, or Tim McVeigh would have had any trouble obtaining one, or they would simply have stolen someone else's identity and obtained one that way. We should instead be spending the money on training airport security staff so they can recognize real security issues, and on making sure solid procedures are in place to keep the physical protection systems from breaking down.

Concentrating all of this data in one large database will also make it much easier for an external attacker or an insider to obtain all of it in one place.


Identity does not equal security.
Knowing who someone is does not make it any easier to determine their intentions.


There are more important things we can spend the money on that WILL make us more secure. Most of the arrests and "prevention of another terrorist attack" have been the result of good intelligence and good police work. We should be spending our money on intelligence and on our police departments instead.

Wednesday, January 9, 2008

ISP filtering for copyrighted material

The New York Times is reporting today that "several representatives from NBC, Microsoft, several digital filtering companies and telecom giant AT&T said the time was right to start filtering for copyrighted content at the network level." The report came from a panel discussion at CES 2008. James Cicconi, senior vice president, external & legal affairs for AT&T, is quoted in the story as saying, "What we are already doing to address piracy hasn't been working. There's no secret there."

Really! Well, I know from experience that most ISPs are no good at preventing a DDoS attack either, so why don't you get your people to start there, and once you've conquered that, you can try the music thing. ISPs are unable or unwilling to take any measures to prevent botnets from running on their networks, or computers on their networks from sending spam or launching DDoS attacks, but they are interested in preventing the download of music. I guess there is just not enough money in it, or enough prospect of selling more bandwidth, to worry about truly malicious traffic on their links.

Either kind of filtering would be almost impossible to architect at the scale the backbone operators run at, and I would definitely not want to be the person managing the false positives for either one. The music industry is changing, and the old delivery methods will someday be a thing of the past. The music industry, and the ISPs that will be the delivery method for its content, need to come up with a less Draconian means of meeting their customers' needs than capturing their traffic and deciding whether it's "OK". What's next? Banning nude pictures? Banning executables that may or may not be pirated software? The Internet Police will pull you over: "OK, Mr. Comedian, do you have a key for that version of Word?"

One more note: encryption will defeat any content filtering they are planning to use. Or are they planning on banning that too?
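To make the point above concrete, here is an added example (not code from the original post) in Go. A hypothetical network-level filter flags any payload containing a byte pattern; the constructed sample payload mimics the start of an MP3 file (the ID3 tag header), so the filter catches it in the clear, but once the same bytes are sealed with AES-GCM the filter sees nothing while the receiver still recovers the file. The example also shows the caveat a practitioner would want: encryption hides the content, not the fact that roughly a megabyte of something crossed the wire, since the ciphertext is only a fixed 28 bytes longer than the plaintext. The fingerprint, key handling and sample payload are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Fingerprint is the byte pattern our hypothetical filter looks for: the
// "ID3" magic plus the v2.3 version bytes that open most MP3 files.
// A real deep-packet-inspection box uses far more elaborate signatures,
// but the principle is the same. (Assumption made for this example.)
var Fingerprint = []byte("ID3\x03\x00")

// FilterMatches models network-level content filtering: flag any payload
// that contains the fingerprint anywhere in it.
func FilterMatches(payload []byte) bool {
	return bytes.Contains(payload, Fingerprint)
}

// Overhead is what AES-GCM adds to every message: a 12-byte nonce and a
// 16-byte authentication tag. The ciphertext length therefore still tells
// an observer almost exactly how much data was sent.
const Overhead = 12 + 16

// Encrypt seals plaintext with AES-256-GCM and prefixes the random nonce.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails if the ciphertext was modified in
// transit, so a filter that tried to "fix" the stream would only break it.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// SamplePayload is a constructed stand-in for the first kilobyte of an MP3
// file: an ID3v2.3 header followed by zero filler. It is not a real file.
var SamplePayload = append([]byte("ID3\x03\x00\x00\x00\x00\x00\x21"), bytes.Repeat([]byte{0}, 1024)...)

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fmt.Println("plaintext flagged by filter: ", FilterMatches(SamplePayload))
	ct, err := Encrypt(key, SamplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext flagged by filter:", FilterMatches(ct))
	fmt.Printf("plaintext %d bytes, ciphertext %d bytes: size is still visible\n", len(SamplePayload), len(ct))
	pt, err := Decrypt(key, ct)
	if err != nil {
		panic(err)
	}
	fmt.Println("receiver still gets the file: ", bytes.Equal(pt, SamplePayload))
}
```

Key exchange is left out on purpose; the point is only that a filter looking at payload bytes has nothing to match once the two endpoints agree on a key, which is exactly what SSL/TLS or an encrypted tunnel gives them.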

Risk Assessments and Crying Wolf

The incident between the Iranian Revolutionary Guard and the US Navy got me thinking about an article I wrote several years ago on how little risk Iraq posed to the United States. In summary, Iraq posed little risk to the United States, and if George Bush and Congress had made these decisions based on a risk assessment, and had been required to prove that the dollars would be spent on the areas posing the highest risk to our country, we wouldn't be in the situation we are in now. I am not saying getting rid of a dictator who killed his own people is a bad idea; it was just sold to us in the wrong way, and it did not need to risk as many young lives as it has.

Now we find ourselves in a similar situation with Iran. Iran definitely poses a threat to its neighboring nations, and they need to determine the risk to their countries and enact controls and countermeasures to reduce it. Going back to the risk assessment for our own country, I would argue that Iran poses little threat to us because of the distance and our countermeasures (see Jane's directory for the current US arsenal). The incident on Tuesday of this week DID pose a real threat to the US ships in the area, and they had every right to turn the boats and the people aboard into shark hors d'oeuvres. I won't comment on whether the event really happened, was staged, or any of that, because very few people actually know, and I am not one of them.

This brings us to the point where the President is claiming that Iran is a threat to world peace and everyone needs to realize that. Hmmmm, where have we heard this before, and why don't I believe you? I truly hope that Iran is not a threat to the world and does not take any actions to make itself one, but if it is, it is going to be much harder for us to sell that to the world given our current track record with threat analysis.

Now comes the tie to Information Security.

Solid risk assessment, and asking for money only to remediate the highest-risk issues first, ensures our words are heard and respected. Anything else makes us the boy who cried wolf and dilutes both the message and its importance.

Wednesday, January 2, 2008

2008 the year of documentation and processes

Over the last several years in Information Security, we have all heard about "the year of" one thing or another:

The year of PKI
The year of Identity Management
The year of Intrusion prevention
OK - you get the point

These all sound so good and so easy: just install X and all of your problems will be solved. However, we all know it is never that easy, and that most "silver bullet" solutions require that the underlying processes, and the information they are meant to protect, first be understood, documented, and classified from a risk perspective. This is where most of these solutions fail to provide the protection and ROI that the salesperson touts in the presentation. Skipping the long and boring work of understanding where the data we need to protect lives, and how that data is used, will certainly lead to security dollars being applied incorrectly, or to overspending or underspending in certain areas.

Documentation is not fun, and it is not as impressive to present to management as product X, which is much easier to illustrate: "See, Mr. Chairman, it is right here in this box with the pretty lights." However, only by understanding where the data is and how it is used can we set about protecting such a valuable asset. Process documentation, and procedural adherence to the processes and policies, has a measurable impact on the organization:

  • It keeps the auditors happy
  • It makes IT, and the business as a whole more efficient
  • When something does break down in the process, it is less of a mystery to discover what broke

So I am proposing that 2008 be the year of documentation and processes. Now doesn't that sound exciting?