This is a reprint from Bruce Schneier’s blog on security.

This is an interesting paper on the efficacy of terrorism:

This study analyzes the political plights of twenty-eight terrorist groups — the complete list of foreign terrorist organizations (FTOs) as designated by the U.S. Department of State since 2001. The data yield two unexpected findings. First, the groups accomplished their forty-two policy objectives only 7 percent of the time. Second, although the groups achieved certain types of policy objectives more than others, the key variable for terrorist success was a tactical one: target selection. Groups whose attacks on civilian targets outnumbered attacks on military targets systematically failed to achieve their policy objectives, regardless of their nature.

The author believes that correspondent inference theory explains this. Basically, the theory says that people infer the motives of an actor based on the consequences of the action. So people assume that the motives of a terrorist are wanton death and destruction, and not the stated aims of the terrorist group:

The theory posited here is that terrorist groups that target civilians are unable to coerce policy change because terrorism has an extremely high correspondence. Countries believe that their civilian populations are attacked not because the terrorist group is protesting unfavorable external conditions such as territorial occupation or poverty. Rather, target countries infer from the short-term consequences of terrorism — the deaths of innocent citizens, mass fear, loss of confidence in the government to offer protection, economic contraction, and the inevitable erosion of civil liberties — the objectives of the terrorist group. In short, target countries view the negative consequences of terrorist attacks on their societies and political systems as evidence that the terrorists want them destroyed. Target countries are understandably skeptical that making concessions will placate terrorist groups believed to be motivated by these maximalist objectives.

This certainly explains a great deal about the U.S.’s reaction to the 9/11 attacks. Many people — along with our politicians and press — believe that al Qaeda terrorism is different, and they’re just out to kill us all. (In fact, I’m sure I’ll get blog comments along those lines.) The paper examines this belief: where it came from, how it manifested itself, and why it is wrong.

Security guru Bruce Schneier recently wrote an essay for Information Security contrasting George Orwell’s “Big Brother” to current trends in technology:

Big Brother isn’t what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today’s information society looks nothing like Orwell’s world, and watching and intimidating a population today isn’t anything like what Winston Smith experienced.

1984’s police state was centralized; today’s is decentralized. Your phone company knows who you talk to, your credit card company knows where you shop and NetFlix knows what you watch. Your ISP can read your email, your cell phone can track your movements and your supermarket can monitor your purchasing patterns. There’s no single government entity bringing this together, but there doesn’t have to be. As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers.

The fear isn’t an Orwellian government deliberately creating the ultimate totalitarian state… It’s that we’re doing it ourselves, as a natural byproduct of the information society.

You can read the full essay here.

Here’s an interesting essay by Bruce Schneier discussing the psychology of security and how humans evaluate risk. It discusses many fascinating research studies regarding human decision making, and helps illuminate why people have a perception of security that is so different from the reality of security.

Read the rest…

Back in December, a list of 34,000 MySpace usernames and passwords was released on the Internet. Hackers had used a phishing attack to lure MySpace users to a fake login page. There, users would try to login, only to have their username and password sent to a server in France. This is a classic example of people failing to follow one of the golden rules of email: “Don’t trust links in email… ever”.

What I found interesting was some of the analysis security experts did on the released data. From Bruce Schneier’s artcle in Wired:

The top 20 passwords are (in order):

password1, abc123, myspace1, password, blink182, qwerty1, f*ckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey.

If your password is in the list, or is as horribly insecure as these are, I suggest changing it… hackers aren’t stupid. In many cases they are professional engineers. There is enough money to be made by stealing this stuff that many criminals can now afford to hire professionals.

Here’s something else I found interesting from an article in InfoWorld by Roger Grimes:

I was surprised about how many Christian-sounding — for example, “Ilovejesus” — log-on names were associated with the worst cuss words.

I think that one speaks for itself…

And there’s always something funny from Dilbert:

The Washington Post is reporting about how Microsoft enlisted the National Security Agency’s help in securing the next version of Windows. Sounds good, huh? Looks like Microsoft is doing everything is can to secure Vista. The NSA is the best-of-best when it comes to this stuff, so who better to turn to, right?

Well, there’s a subtle reason why this is not good, and I believe Bruce Schneier offers a good summary as to why this is:

It’s called the “equities issue.” Basically, the NSA has two roles: eavesdrop on their stuff, and protect our stuff. When both sides use the same stuff — Windows Vista, for example — the agency has to decide whether to exploit vulnerabilities to eavesdrop on their stuff or close the same vulnerabilities to protect our stuff. In its partnership with Microsoft, it could have decided to go either way: to deliberately introduce vulnerabilities that it could exploit, or deliberately harden the OS to protect its own interests.

So, which choice did they make? We’ll probably never know, but given the current administration’s feeling about privacy and warrentless eavesdropping, this whole thing doesn’t make me feel any better about Vista security.

The real irony of the whole thing is that this could make Vista seem more secure, when actually the opposite is true. There’s an old saying in the security field: “No security is better than poor security.” When there’s no security, at least people are cautious with their data. With the “illusion” of security, people tend to act as if they are truly secure.

As a side note, this is an example of why security is so hard to get right. In many ways, true security is counter-intuitive… that’s part of what makes this field so interesting.