hard: It’s not simply a matter of tossing a piece of technology at a problem. The devil is in the details, and the details are complicated.
One of the more compelling security stories I worked on involved a casino that had a real culture of security. It had lots of technology, and everyone expected to be watched. The CIO has no problem checking his laptop in and out every day, and dealers yell out every time they break a $20 bill. It reminds me of the example you’ve used of the bell on cash registers being there to alert the store owner that the clerk is handling money.
schneier: It’s an old culture—a culture that’s used to dealing with cash and that isn’t forgiving of security breaches. For decades, they’ve had a culture of people watching people watching people: Dealers watch customers, pit bosses watch dealers, floor managers watch pit bosses and the cameras watch everybody.
There are audits and controls every which way,
business. So now the question is, What sort of controls can I put in place—whether preventive or auditing—to limit the amount of damage that is inevitable, because I’m hiring pleasant people as employees?
schneier: That’s expensive. You can decide you want to pay it, you could have all the employees at a retail store be friendly, and hire an equal number of guards to look around. You get hospitality, and you get security, but you probably don’t get profits. You might be able to train people to create that kind of culture, but that’s expensive, too.
because they’re dealing in a high-volume cash business. However, they needed to build a system of checks and balances. They couldn’t just have everything be on credit cards and check it at the end of the month.
schneier: You probably can’t do it, and it’s probably wrong to try. People are inherently nice—and social. The reason social engineering works is because people are polite and helpful and friendly. You could inculcate them to be mean, surly, suspicious and nasty, but you’d probably go out of business.
Imagine setting up a bank where everyone is strip-searched when they go into the building. It would be more secure, but it wouldn’t be a very profitable bank. And imagine a department store where everybody is watching everything, and everybody is suspicious. Nobody is going to shop there.
Security is a tradeoff. These types of human security issues, human attacks, social engineering, all prey on the inherent qualities that you want in your employees. You want them to be friendly and helpful. You want them to be team players. You can turn them into something else, but your company is going to suffer.
We’re probably going to have to accept a certain amount of social engineering as the price of being in
schneier: The security of voting machines points to two big issues. The first one is that security is actually very hard. People think technology magically makes security worries a thing of the past, but that’s not true. These voting machine companies are no better than any other software or hardware computer company. And because the systems were proprietary—because the companies had a vested interest in keeping the flaws secret—the public didn’t know about them.
That’s why we need to have backup systems that work. When you have an insecure system, or a system that could be insecure, the way you make it secure is often by having secure backup procedures or secure procedures around the system. That’s why people who understand computer security call for voter verifiable paper trails. Then, no matter what the machine is or what it does, whether it works or not, whether it’s hackable or not, it’s got a paper backup to fall back on if something happens.
The other issue with voting is that we only do it every other year. An ATM system gets used thousands of times a day, every day, so problems are found and fixed. With voting, we forget about it, so it’s much harder to build up any institutional knowledge of how to do it. People came to the voting booths, and the machines were different this year. They’ve never been
References:
Archives