http://emergentchaos.com/archives/2009/12/the-new-school-of-air-travel-security.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2009/12/the-new-school-of-air-travel-security.html/comment-page-1#comment-6299 Dan Weber Sat, 02 Jan 2010 13:14:37 +0000 http://emergentchaos.com/?p=3284#comment-6299 I'm not sure I buy Matt Blaze's argument that randomization of security procedures benefits the terrorists. The people trying to bring down planes have finite resources, and they have to decide whether they send their good people on an untested mission or their expendable people to test security. I’m not sure I buy Matt Blaze’s argument that randomization of security procedures benefits the terrorists. The people trying to bring down planes have finite resources, and they have to decide whether they send their good people on an untested mission or their expendable people to test security.

]]> http://emergentchaos.com/archives/2009/12/the-new-school-of-air-travel-security.html/comment-page-1#comment-6298 Chris Palmer Fri, 01 Jan 2010 17:49:58 +0000 http://emergentchaos.com/?p=3284#comment-6298 I don't agree that failures are rare in information security. They are rare if you consider the ratio of bad attacks :: successful transactions (e.g. a normal day in Amazon.com's business), but they are not rare if you consider bad attacks :: day or victims :: attack. Tens of millions of people can be affected by a single breach, as we have seen. And breaches seem to keep happening, don't they? Another difference is that in infosec, failures are more and more analyzed in public -- and we're learning from them. They are not public enough, and they are not analyzed well enough, but it's definitely starting to work. Attackers agree that attacking Windows is much harder now than it used to be. Finally, infosec procedures are not bizarre and arbitrary. Maybe input validation seems bizarre and arbitrary to a newbie web app developer, but to the rest of us it makes a lot of sense. People who think BitLocker is bizarre and arbitrary tend to stop thinking that after their first laptop theft. TSA truly is bizarre and arbitrary. That is because they are incompetent and probably malicious. But software vendors have to satisfy paying customers who often have alternatives in the market, so they tend to get their act together in the medium term or die out. Can you come up with any compelling, specific examples of modern/state-of-the-art infosec being as bad as modern air travel security? For example, Microsoft in the 90s does not count as "modern", nor do those software vendors who still think we live in the 90s (names omitted to protect the guilty). I don’t agree that failures are rare in information security. They are rare if you consider the ratio of bad attacks :: successful transactions (e.g. a normal day in Amazon.com’s business), but they are not rare if you consider bad attacks :: day or victims :: attack. Tens of millions of people can be affected by a single breach, as we have seen. And breaches seem to keep happening, don’t they?
Another difference is that in infosec, failures are more and more analyzed in public — and we’re learning from them. They are not public enough, and they are not analyzed well enough, but it’s definitely starting to work. Attackers agree that attacking Windows is much harder now than it used to be.
Finally, infosec procedures are not bizarre and arbitrary. Maybe input validation seems bizarre and arbitrary to a newbie web app developer, but to the rest of us it makes a lot of sense. People who think BitLocker is bizarre and arbitrary tend to stop thinking that after their first laptop theft.
TSA truly is bizarre and arbitrary. That is because they are incompetent and probably malicious. But software vendors have to satisfy paying customers who often have alternatives in the market, so they tend to get their act together in the medium term or die out.
Can you come up with any compelling, specific examples of modern/state-of-the-art infosec being as bad as modern air travel security? For example, Microsoft in the 90s does not count as “modern”, nor do those software vendors who still think we live in the 90s (names omitted to protect the guilty).

]]>