Blogs

Bruce Schneier makes a strong argument against the case for profiling at U.S. airports in his column for Forbes. In addition to believing profiling is a bad idea for a number of reasons—it's inaccurate, serves to alienate those "who are in the best position to discover and alert authorities about Muslim plots before the terrorists even get to the airport," and just plain wrong—he also argues that "it actually puts us all at risk."

Past events have proven that terrorists come in all shapes, sizes, sexes and skin colors—from Umar Farouk Abdul Mutallab, the Nigerian underwear bomber, to Jose Padilla, the Hispanic-American accused of plotting a dirty bomb attack on American soil. Terrorists will find ways to avoid profiing, which is why Schneier argues that randomized secondary screening is more effective because it creates too much uncertainty and acts as a deterrent. "Focusing on a profile increases the risk that TSA agents will miss those who don’t match it," Schneier writes.

Schneier points out that what people really want when they argue for profiling are TSA agents who can apply judgement in their decisions of who to screen more carefully. And with controversial headlines about TSA agents patting down wheelchair-bound senior citizens (including, last week, former Secretary of State Henry Kissinger) and four-year-old girls, who doesn't think TSA agents may be a little out of touch with reality. (Though TSA agents did just last week discover weapons in a child's stuffed animals and an elderly person's walker.) Unfortunately, Schneier points out it's unlikely TSA agents will be applying good judgment any time soon. "Judgment requires better-educated, more expert, and much-higher-paid screeners." Schneier writes. "And the personal career risks to a TSA agent of being wrong when exercising judgment far outweigh any benefits from being sensible."

As usual, Schneier does a good job arguing against "security theater" and for sensible security practices that strike the right balance between managing risk and allowing people to travel without fear of molestation.

Have you ever dreamed of being a TSA baggage screener? To sit for hours at a time watching x-rayed images of carry-on luggage, trying to pick out the knife from among your clothes, toothbrush, laptop, shoes, belts, and whatever else you shove in there to avoid checking luggage? Me neither.

But someone thought it might be fun. I wasn't so sure when I saw a new game for my iPhone called Airport Scanner, which puts you in the TSA baggage screener's seat and purports to make airport security fun. In a press release, one of the game's creators said the company's goal "is to create unique games out of everyday life experiences that are fun and interesting." Have they visited an airport, I asked. What is "fun and interesting" about passing through a TSA security checkpoint?

Oh well, I paid the $0.99 to try it anyway. My report: It turns out it is sort of fun to pick out knives, ice skates, ninja stars, and sticks of dynamite from luggage. I'm not sure how long the game will keep my interest, but it's certainly entertaining for now.

Interesting development to the story about AQAP's foiled plot to bomb another U.S. airliner with an underwear bomb.

The New York Times is reporting that the informant who tipped off the CIA to the plot was the suicide bomber himself. This agent infiltrated the Yemen-based terror cell, volunteered for the suicide mission, and eventually left Yemen with the bomb and delivered it to CIA and other inteliigence agencies, the newspaper reported. This underwear bomb is reportedly more sophisticated than the one used in an unsuccessful airplane bombing over Detroit on Christmas Day in 2009. A U.S. official told the newspaper that this underwear bomb could be detonated two ways in case one method failed, and "undoubtedly would have brought down an aircraft," the newspaper reported.

The informant also delivered information that led to the drone strike that killed Fahd al-Quso, a senior AQAP member, on Sunday.

The name and nationality of the agent is understandably not being disclosed. Though it was disclosed that it was not the CIA that recruited him.

Give that man a medal.

BETHESDA, Md.—I attended TechSec earlier this year, and I’ve just returned from ISC West, and it’s clear to me that many people still don’t understand the difference between real cloud solutions and products that merely connect to the Internet. It’s equally clear that many vendors are not helping matters, and are in fact actively confusing the market.

Let’s begin by reminding ourselves what the cloud is all about. At a bare minimum, “cloud” unequivocally implies “hosted.” The National Institute of Technology and Standards has published the most widely accepted and universally referenced definitions of cloud technology (NIST SP 800-145), and every one of them includes the concept of hosting.

In practical terms, this key definition excludes systems that merely support connections to the Internet for remote access. Think about it: If Internet connectivity was the main criterion, your PC with an AOL account in 1995 would have qualified as a “cloud system.” In our industry, IP-based security products connected to the Internet solve many important problems, but they are not cloud products in and of themselves. To say otherwise is highly confusing and is a disservice to customers.

A common offender in this regard is the new breed of IP security appliances—not the products, but the marketing. First, let me say that I fully believe there is an important niche for products with an appliance architecture. For end users who can’t yet wrap their heads around the cloud, it’s a comfortable alternative to the complexity and expense of legacy server designs. But making the leap from a local device that can be remotely accessed through holes in the customer’s firewall to “cloud-based system” is a pretty big fib indeed.

A second point of distinction: Simply moving a software application from a local server to a third-party data center does not make it a cloud application.

Here again, we look to NIST to clarify matters: Cloud systems are distinguished by multi-tenancy, metered usage, rapid provisioning and massive scalability. Think about it this way: If you have a server with an old application architecture, and you move it 1,000 miles to someone else’s data center, have you transformed it into a cloud application? No, you have not; in fact, you’re just playing hide-the-server. And hiding the server won’t magically support thousands of end-user organizations (scalable, multi-tenancy) or suddenly be any faster for new users to provision.

Common offenders at the recent ISC event were typically old-line software systems that needed a fresh coat of virtual paint to get gussied up for the show. In one of the more egregious examples I saw, one company claimed to be offering a security system “using cloud-based protocols.” Ummm … that’s just good old IP.

They can call it cloud, but this was just an old-fashioned case of remote access. Clearly, marketing departments are eager to shoehorn the word “cloud” into their publicity and literature. It’s no wonder people are confused.

So, where are the real cloud applications? By category, the biggest emerging crop is in video surveillance, variously known as hosted video or Video Software as a Service (VSaaS).

Many of these are true cloud applications because they are:

a) hosted;

b) multi-tenant, supporting numerous customers in a single instance;

c) massively scalable;

d) sold per-camera-per-month as a metered service.

There were many examples of VSaaS at the show and this whole area of the industry is still developing in terms of pricing, features and market fit.

My hope is that as customers become better educated about the cloud, we will see less misapplication of the term. For those of us in the cloud business, it is our job to provide leadership, clear away confusion, and help them along.

Steve Van Till is president and CEO of Brivo Systems, a provider of software-as-a-service applications for security management based in Bethesda, Md.