Playing Twisted Mind Games
I was busy installing a firewall on my network in Jakarta a few weeks ago when I heard what sounded like thunder. Only it wasn't: There was just one clap, and the rumbling that followed was short, like bad reverb in an outdated studio. I peered out of the window. Half a mile away to the west, a plume of black smoke was rising from the J.W. Marriott Hotel. The terrorists had struck again.
Though almost everyone considers such events terrible, no two people react the same way to the insecurity of living in a city that has more than its share of explosions. Some folks I talked to somehow concluded that because police quickly identified the suspected perpetrators, there'd be no more bombs. Some won't go near a mall, hotel or crowded area, while others reckon that because hotels have now adopted tough security, they're the safest places.
If all this sounds like a warped game of logic, that's what security is. If you don't believe me, grab a copy of the excellent new book Beyond Fear, by security guru Bruce Schneier, published this week by Copernicus Books. Mr. Schneier, founder of Counterpane Internet Security Inc., a technology-security consultancy, wrote the bible for tech security, Secrets and Lies. The new book, his third, takes a more general look at security. Written in an authoritative and easily digestible style, Beyond Fear takes the mystique out of security, whether you're running a computer, a home or the Empire State Building. Security, Mr. Schneier drills home, is "a state of mind, but a mind focused on problem-solving and problem-anticipating and problem-imagining." Security, in other words, is psychological.
Take my security problem, for example. How do I convince the folks running my apartment complex that we are now at greater risk than before, since no right-thinking terrorist is going to try to get past the beefed-up security at hotels? Those administrators might agree to install a concrete barrier that requires vehicles to zigzag through the entrance, but will they ignore the likelihood of a terrorist driving through the unprotected exit gate instead? And what's the good of checking only vehicles that don't have residents' stickers on their windshields if those removable stickers could just be switched to another vehicle? Sound security means recognizing that however good your security system is, it's nothing if it isn't flexible enough to account for an attacker with brains.
Of course, all this reasoning applies to technology, too. The SoBig virus that recently attacked computer networks succeeded in slowing down the Internet for several reasons, some of them due to the misguided efforts of those who are supposed to know better. And while SoBig failed to be as destructive as some feared, it did manage to clog the Internet by invading address books and sending out thousands of copies of itself via e-mail. All this was made worse by the fact that servers stripped off the worm and directed some of the e-mails back to the senders, along with an automated message informing them they had been sending out infected e-mails.
Misleading Messages
The automated messages were usually composed by whatever antivirus software was running on the server (which added a bit of advertising to the e-mail). In fact, such messages were in most cases misleading and inaccurate, because SoBig sent out e-mails from uninfected as well as infected accounts. So, Joe B.'s name might have been in the sender field, but that didn't mean he sent the e-mail, or that he was infected, just that someone who was infected had Joe's e-mail address in his address book. In other words, much of SoBig's traffic was actually generated by the antivirus manufacturers themselves, wrongly informing people that they were infected (and suggesting they buy the manufacturers' flawed software as a solution).
The bottom line for security, Mr. Schneier says, is that it's a process, not a product. Installing antivirus software is no good if you don't update the software to address new threats. Even then, you may be unlucky: Antivirus software has to wait for a new attack in order to identify the threat and know how to prepare an update that protects the user.
As Mr. Schneier makes clear, security is only as good as its weakest link. Take the problem of credit-card fraud over the Internet. Indonesia, where I live, is a major transgressor, so an obvious solution for most vendors is to bar shipments here. Fraudsters get around that by entering the street and city address where they want the package to be delivered, along with a different country -- which courier companies "correct" without informing the shipper.
The courier companies have lots of built-in mechanisms to protect customers, such as requiring a contact phone number and a name. But according to police, they won't check the address or phone number until the goods have arrived at the depot closest to the destination. All a fraudster has to do is check the shipment's progress on the Internet -- a service provided by the courier -- and, once the order is at the depot, call and say he'll pick it up in person. All those built-in security checks are therefore rendered useless -- and in most cases, the only information you need to collect the package is the tracking number and destination address. Only too late will the shipper and the original vendor discover that the address and phone number are fake.
Mr. Schneier's book is littered with similar teasers, designed to make you think hard about the nature of security -- and see that it isn't a big mystery after all. Read the book.
A New Take on "Security"
A few weeks ago