Pensieri di un lunatico minore

21 September 2005 Security

Star Wars security

Adam Shostack explains how there can even be a lesson on security in Star Wars:

It’s an impulse we see all too often: It’s easier to check ID than it is to make a judgment call. Maybe we can defer to the computer. We can fail to fix the voter registration system, and just check their IDs. We fail to secure the airplanes, and just check IDs. We let a fellow with a bloody sword into the country, but we checked his ID.

All “checking ID” tells you is that you checked someone’s ID. There is no guarantee of authenticity—no matter how much money you demand in esoteric counterfeit deterrence—only presence. So long as the ID has exceptional value, people will forge them, and do so in methods that are indistinguishable from the original, including forging the computer records behind them.

Only by observing behavior can you hope to find risk. Bureaucracy doesn’t find risk, people do. Paying attention will do 100x more than any “checkpoint.”

This entry was posted at 3:50 pm on 21 September 2005 and is filed under Security.

You said: “So long as the ID has exceptional value, people will forge them…”

Even things with “unexceptional” value are being forged. Both Subway and ColdStone are doing away with their current frequent buyer incentive programs due to forgery losses.

http://www.wired.com/news/business/0,1367,68909,00.html

Doug

Indeed, I suppose I left out the cost of forgery. The Subway stuff is trivial to forge, so people don’t have any reason not to do so. This is the reason people don’t fake nickels—the cost of forgery is higher than the value received.

The point I was trying to make was that so long as we continue to imbue more and more value into these “government issued IDs” the forgers will continue to work harder to reproduce them. I have actually seen several forged driver’s licenses which were detectable only because they were actually better made than the real ones.

So you are saying that profiling is better than IDs?

If not what is it that you are proposing to take the place of IDs?

Actually I do believe profiling is the best method, I just don’t believe that racial profiling is that useful. What you need to do is behavioral profiling—i.e. pay attention to people’s behavior.
