From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Mon Aug 19 2002 - 21:58:28 MDT
On Monday, August 19, 2002, at 10:07 am, Robert J. Bradbury wrote:
>
> On Mon, 19 Aug 2002, Brian Atkins wrote:
>
>> So the real issue is how does government become able to do perfect
>> prediction of threats?
>
> By having smart people brainstorm about how they would conduct attacks.
> We have more smart people than non-state terrorist groups do.
> I think the terrorists have been getting their ideas from us
> so we may want to be somewhat more careful of what we discuss
> in public.
This is an excellent answer. I perform penetration testings for a
living. Usually this involves computers and networks, but it also
includes physical security. Simply trying to play the bad guy and
brainstorming techniques to break things finds lots of problems that can
be easily fixed. (This is why most security professionals believe that
open source code is so useful, because it can be tested.)
You wouldn't believe the number of banks and financial institutions
where I could just walk in and gain access. I have seen locked computer
labs where the ceiling tiles just lift up and one can climb over the
wall. I have seen badges labs with regular glass windows that anybody
could break through. I have seen super secure buildings with windows
where a pair of binoculars across the street can read the screens. I
have seen heavily locked double doors with one-inch gaps between them
(enough to reach through with a tool and turn the handle). I have seen
heavily locked doors with the hinges on the outside (that any
screwdriver could open). Simple thought about these systems easily
points out many errors in the system.
This became immediately apparent in airport security. A simple security
analysis about how to get knives past the security checkpoint realized
that restaurants, cutlery stores, and even the airline food service
delivered knives beyond the security point all the time. I myself have
pointed out that the x-ray machine is a *detection* device not a
*prevention* device. I warned almost a decade ago that anybody with a
gun can get past security because they don't stop guns, they only detect
them. Sure enough, we have had a few cases since then where
gun-weilders simply walked through security brandishing their guns, and
security couldn't stop them. These kinds of things become obvious if
you think about them and try to prevent them. The problem isn't that
security is hard, its that most systems designers didn't even try to
implement security.
>> For jetliners, no. For suitcase nukes, maybe no, although I still
>> haven't
>> heard a complete theory of interlacing defenses that will prevent them.
>
> You may never completely prevent them. But you should be able to reduce
> the probability of their occurrence. Perhaps enough that we get to
> the point where technology advancement uplifts potential terrorists
> sufficently that terrorism doesn't seem like such a good career choice.
This is like regular crime-fighting. We may never get a perfect
system. But if we stop enough criminals, it might deter others.
> The difficult part will be developing a coherent international framework
> for what to do about states, with more resources than terrorists, that
> conduct programs aimed at behaving belligerantly.
Actually, the U.S. had been the weakest link until recently. Most
foreign nations had much stronger security and considered planes from
the U.S. to be the biggest threat because of our lax security. It is
only now that we are beefing up security that we might start looking at
the security of other nations.
> General purpose anti-bioweapons are being developed now based on natural
> bioweapons (after all the green goo has been operating for a very long
> time). Actually there are some fairly general nanodefenses that are
> quite capable of dealing with a wide array of possible "nanoweapons",
> e.g. Microbiovores, the forthcoming Chromalocyte (for general purpose
> chromosome replacement therapy), and the Vasculoid organ system).
>
> And then of course, heat and radiation are perfectly good defenses
> at the macroscale for bio/nano-bugs as well as larger nanotech enabled
> weapons.
You are already proposing various things that can be done that have not
been considered before. The secret to consulting or brainstorming is
not so much that it is difficult, but that most organizations have never
directly tackled their problems before. By the time they call a
consultant or think-tank to solve their problem, they think it is
unmanageable. Usually, the consultant just starts with comment sense
procedures and steps through them methodically and efficiently.
Sometimes the clients are amazed at the results. Sometimes they are
really annoyed at how easy the solutions were.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:16 MST