Pages

Thursday, 15 August 2013

7 SECURITY MEASURES THAT WERE DOOMED FROM THE START


New Picture 48
7 Security Measures That Were Doomed From The Start
By Annalee Newitz,
io9, 14 August 2013.

Some security measures, no matter how high-tech and futuristic, are doomed to fail. Governments and corporations spend billions of dollars on these systems, but never actually protect any of their assets. Here are seven of the worst security fails in human history.

1. Enigma codes used for Axis communication during World War II

New Picture 49

This is perhaps the most famous story of how geeks helped win World War II. The Axis powers were using Enigma machines to encrypt communications between their military units. They believed that this machine-generated form of encryption could never be broken by a human. And they were right. It took mathematician Alan Turing - popularizer of the term "artificial intelligence" - to break those Enigma codes by working with other mathematicians at Bletchley Park to develop code-breaking machines. These machines are often hailed as early examples of computers. For years, the British were decrypting German communications with their machines, and knew where most of the German subs were at any given time. The Germans never guessed, until it was far too late.

These days, the arms race between encryption and code-breaking continues in the world of computer security. Cryptographers try to develop fool-proof encryption algorithms to protect everything from email privacy to bank accounts online - while code-breakers try to develop systems that can decrypt those codes. The Enigma code was just the first well-known example of computer security that failed.

2. Armoured, high tech garrison at Dien Bien Phu

New Picture 50

It seemed like a great idea at the time. Why not fight the low-tech peasant military of the Viet Minh with superior technology like aircraft? That's what French commander Henri Navarre thought when he built an armoured garrison at Dien Bien Phu, in a valley that could only be reached by aircraft. How could a bunch of Viet Minh rebels on foot ever breach their high-tech security, when French soldiers could only get there by plane? Over at History.net, Stephan Wilkinson explains all the security errors the French commander Navarre made at Dien Bien Phu:
Placing a garrison at remote, jungle-bound Dien Bien Phu in the first place was a decision an ROTC freshman might have questioned. The French depended on air support for everything from beurreto bullets - and, above all, reinforcements - but C-47s couldn't carry enough to keep the fortress supplied. Complicating matters, Navarre somehow got the artilleryman's credo backward and took the low ground (Dien Bien Phu was in a valley), which meant [Viet Minh leader] Giap's surprisingly skilled antiaircraft gunners could shoot down at landing planes. The weather between Hanoi and Dien Bien Phu was often dicey, and though the base initially had the luxury of two airstrips, the Viet Minh quickly put both out of action, forcing the French to parachute in supplies - about half of them, including stacks of artillery rounds, landed in enemy hands.
Relying too much on a high-tech form of security - aircraft, in this case - can leave you vulnerable to low-tech attacks. Also, don't ever build a garrison that relies on high-tech transport for basics like food and fuel. Remember, food security is more important than physical security. Giap's troops didn't even need to attack the French fighter planes to cripple the garrison. Instead, they sabotaged the cargo planes that the French used for food transport.

3. Passwords on the web

New Picture 45

Though we currently have no good replacements for passwords, they are a terrible way to secure your online life, whether that's on Tumblr, Google, or at your bank. A big reason for the problem is that passwords are not user-friendly - to get a really good password, you need to create a long string of nonsense characters that are hard to remember. Most of us use what are called dictionary words - strings of letters (or letters and numbers) that are real words or close to real words.

It only takes a few minutes or hours for a password breaking program to go through every possible word in the dictionary (this is called a dictionary attack) and unlock your Twitter account - even if you spelled your password cUt3k177y instead of cutekitty. Two-factor authentication can help. That's when you need a password along with an additional piece of information, which is usually a code delivered to your phone. ATMs have used this system for a long time. You need both a password and a physical card to gain access to a bank account. Unless, of course, you are doing it online. With your crappy password that's your aunt's maiden name spelled with numbers.

On top of this problem, the security systems that companies use to protect massive numbers of passwords are often deeply flawed. That's why we see so many data leaks that include hundreds of thousands of passwords or credit card numbers at once.

4. Weapons detectors, surveillance cameras, and guards in schools

New Picture 51

Computer security may be slightly bewildering, but you'd think that securing physical locations in the real world would be pretty common-sensical and straightforward. Especially if you aren't dealing with an attacking army, like Navarre was at Dien Bien Phu. Unfortunately physical security is as complicated as computer security, and is often a giant fail.

Take, for example, the much-touted addition of metal detectors, surveillance cameras, and even armed guards in American schools. You'd think that this would cut way down on crime and assault with weapons. Nope. According to a report from the National Association of School Psychologists, there is a lot of evidence that shows schools that implement these measures actually suffer from more violence, and more dire examples of it.

Based on a number of studies (here's a particularly good one), the group writes:
Research has found security strategies, such as the use of security guards and metal detectors, to be consistently ineffective in protecting students and to be associated with more incidents of school crime and disruption and higher levels of disorder in schools... Surveillance cameras in schools may have the effect of simply moving misbehaviour to places in schools or outside of schools that lack surveillance. Even more troubling, it’s possible that cameras may function as enticement to large-scale violence, such as in the case of the Virginia Tech shooter who mailed video images of himself to news outlets... Research suggests that the presence of security guards and metal detectors in schools may actually increase levels of violence in schools by strengthening the influence of youth “street” culture with its emphasis on self-protection.
Their last point, if you can ignore the goofy use of the phrase "street" culture, gets to the heart of the problem with this security strategy. When there are armed guards at school, kids feel like they need to protect themselves with weapons too. It's a perfect example of how adults lead the young by example - in this case, by sending a message that security means weaponry.

5. TSA checkpoints at airports

New Picture 52

Here's another example of high-tech, invasive security strategies failing. Despite the fact that airline passengers in the US must take off their shoes and outer layers of clothing, put all their luggage through X-ray machines, and walk through metal detectors, TSA agents are routinely unable to recognize when bombs or weapons pass through their inspection points. The situation has become so dire that security researcher Bruce Schneier has dubbed TSA inspections "security theatre" - all show, no protection.

6. "Stop and Frisk" and "Show Your Papers" programs

New Picture 46

In New York City and the state of Arizona, local laws were passed that allowed police to detain and search people who were deemed suspicious. They did not have to be involved in any kind of illegal or unusual activity to be stopped. In both cases, the suspicious individuals targeted were people of colour. In New York, the law was dubbed "Stop and Frisk," and was found to be singularly ineffective at reducing crime - as well as a violation of New Yorkers' Constitutional rights.

Parts of a similar law in Arizona, known as SB 1070 or "Show Your Papers," remains on the books. The law was designed to allow police officers to search and request papers from people they thought might be illegal aliens (again, people of colour have so far been the only ones targeted). Some clauses in SB 1070 were struck down by SCOTUS, but officers are still allowed to detain people and search them if they appear to be illegals. If studies on the effectiveness of "Stop and Frisk" are any indication, there is likely to be no decrease in illegal activity as a result of Show Your Papers law.

7. "Anonymized" genetic data

New Picture 47
Image via io9

One of the most private pieces of medical data you possess is your DNA sequence. It can reveal countless things about you, such as your genetic heritage, the identities of people in your family, and what kinds of medical conditions you have. These are all pieces of information you might not want neighbours or your employer to have. That's why genetic researchers guarantee their subjects will remain anonymous - you can donate genetic material to a cancer study, but nobody will ever know who you are. Unfortunately, they do know who you are. Last year a group of researchers at MIT revealed that it is fairly easy to figure out the identities of people who donated genetic material to research - even when their DNA has been anonymized, or supposedly stripped of personally identifying information.

On related note, genetic identification could also be the wave of the future, replacing passwords and card keys. That means you'll want to keep your DNA sequence data as secret as you keep your credit card number, or the password to your bank account. Unfortunately, the methods used to protect the security of people's genetic data is about as good as the security used to protect your passwords online. So if you were thinking of replacing your passwords with a DNA scan, go back to number 3 and start again.

[Source: io9. Edited. Some images added.]


No comments:

Post a Comment

Please adhere to proper blog etiquette when posting your comments. This blog owner will exercise his absolution discretion in allowing or rejecting any comments that are deemed seditious, defamatory, libelous, racist, vulgar, insulting, and other remarks that exhibit similar characteristics. If you insist on using anonymous comments, please write your name or other IDs at the end of your message.