Magic Security Dust – Source: www.schneier.com

Source: www.schneier.com – Author: Bruce Schneier

Comments

Vampire Power Adapter


April 1, 2024 11:37 AM

I believe. Cannot prove. But believe. Strongly. This is also how the vampires of Twilight fame were able to sparkle. Securely.

Clive Robinson


April 1, 2024 12:18 PM

@ ALL,

I thought I had Trademarked “Magic pixie dust” thinking etc years and years ago[1]…

Unlike “patents” trademarks are eternal as long as you feed them, so pardon me whilst I flick a little seed in the budgie cage.

So where do I send my “cease and desist notice” to 😉

[1] You will find it in several places on this blog, and other places if you search for it. If memory serves correctly I first used it to describe the p155 p00r alleged TRNG circuits in Intel Chips. Which can be shown to be very poor digitised sine wave generators followed by a crappy crypto algorithm to hide / obfuscate the actual numpty RNG.

cybershow


April 1, 2024 12:27 PM

Security and magic have a bond. Some of Tristan Harris’ essays make useful reading for security engineers.

Vendors have a high bar to beat the ADE651.

The fact that this exists, and let’s face it, BigTech products from the “Insecurity Industry”, bodes deeper problems; that for most people all technology is now magic.

Funny as Shostack’s “magic security dust” is, it’s terrifying that so many people in positions of power and responsibility would not appreciate the difference between a joke and a proof. That’s a tragic multi-generational failure of education for our technological society.

As a student I was once privileged to meet James Randi and now feel that our work as security thinkers “on the side of the people”, is to perform a similar role of debunking, while a majority learn magic only hoping to trick others for profit. That so many people want to be tricked, as technology has become the new secular religion, only makes the job more interesting.

Cybersecurity and radical scepticism are deeply entwined. Which makes the loss of Ross Anderson, an indomitable scientist and humanist in our field, all the more painful imho.

mark


April 1, 2024 1:07 PM

I need some, now that those libraries for ssh are vulnerable! Where can I buy it (and some of the snake oil, as well, so I can lubricate the bits in my ethernet)?

tfb


April 1, 2024 2:43 PM

@cybershow

I had forgotten about the ADE 651. But the situation is slightly more complicated than it looks. I knew someone whose job involved making sniffers for various chemicals, including explosives. At the time (late 70s I think, not after about 1982 anyway) you could make good sniffers which were portable in the ‘backpack with the guts of the thing in it’ sense, very expensive and probably required expensive and frequent looking-after to keep them from getting contaminated. Or you could make cheap sniffers which you could hand-hold and which … worked, just about.

The company he worked for made both, but they sold a lot of the cheap sniffers. They did not lie about how effective they were: the specs were available and the people who bought them (airport security people really) knew their limitations.

Because only one of the reasons they were buying them was how good they were: the other, arguably more important reason, was psychological: when you decide to sniff someone’s luggage, you watch them like a hawk. If they’re just bored and annoyed, fine; if they’re sweating and nervous, neither they nor their luggage gets on the plane and (if the cheap sniffer didn’t find anything) you crank up the good sniffer you have in the back room. And because you can afford ten times as many cheap sniffers, you can look at ten times, or more, people.

Note 1: the cheap sniffers were not fake like the ADE 651: they did work, just not enormously well. Note 2: things later converged and good, small, cheap sniffers are now much, much easier. In fact I would not be at all surprised if machine learning has not helped things a lot recently as it should be a good application for it (the person I knew is now dead so I don’t know anything that’s happened in the area for the last more-than-a-decade).

cybershow


April 1, 2024 4:26 PM

@tfb

Good story about the staged use of tech. Quite a common model in medicine, with cheap, disposable but inaccurate tests at the front line, then progressively more expensive machines that go ping as diagnosis proceeds.

Bruce has written a lot on the value of security theatre here. Definitely there’s a place for placebo/psych-only methods to beat the bushes a bit. I actually think most CCTV cameras perform that role.

But I suppose the ethics revolve around “who is in on the trick?” and “what’s the false positive cost?”, and “where does the false negative land?”.

Take the thorough debunking of polygraphy and the “Lie behind the lie-detector”. Criminals dumb enough to believe a machine can tell if they’re lying may also be interested in some unbreakable crypto-phones the FBI have to sell them. I’m happy that deception is useful and works in those cases.

But deception about technology tends to pull in people around it. It’s indiscriminate, and they’re already too eager to believe. Before long you’ve got judges and juries believing in “lie detectors”. Indiscriminate weapons always come home to roost. And for the ATSC (ADE 651) company it’s a complete externality; some poor Iraqi recruit wandering off into a minefield optimistically brandishing a magic coat-hanger…

BTW, I think you’re right that electronic noses have advanced greatly with novel junctions and carbon nanotubes as to become a “lab on a chip”. I don’t keep up with the tech much either but if you do a bit of sniffing around (!) the amazing advances I last heard of were detecting cancers and other disease from breath and sweat.

Rene Bastien


April 1, 2024 6:03 PM

I am selling dehydrated water if anyone is interested. Only available on April 1st each year.

lurker


April 1, 2024 7:10 PM

@Adrien

Surprisingly for the French, they candidly admit [FAQ] that their powder is not magic.

Clive Robinson


April 1, 2024 8:33 PM

@ Rene Bastien, ALL,

Re : Snow Joke…

I am selling dehydrated water if anyone is interested.

It must be more than thirty years now but I used to know a rather nice young lady[1] who joked that the main part of her job was “Making dehydrated water”.

At the time she worked in a lab that tested water to see if it was potable. By testing for organic and mineral contaminants and such. Part of one of the tests involved evaporating off the water as it made testing easier.

But she was also a researcher and had done a stint down at the South Pole (a place I’ve always wanted to go). So she also used to point out that the driest deserts in the world are down there with the “Dry Valleys” of McMurdo Sound[2], even though they have saline lakes at the bottom…

[1] Julie in the unlikely event you read this, I hope you are doing well.

[2] Apparently the definition of a desert is based on rainfall and as it does not get warm enough to rain… But also there is a strange vertically descending “fall wind” pattern that can exceed 200kph that evaporates any snow or similar rapidly… Apparently the place is so inhospitable “even the bugs live indoors”. That is the microbes are only found “inside rocks” and not on their surfaces or underneath them.

Dave


April 1, 2024 11:18 PM

I don’t want to bring too much attention to the French, but they were doing this for a long time: https://www.poudreverte.org/

I think several people have had similar ideas. Marcus Ranum used to hand out labels at conferences that you could apply to spray bottles that described various types of security effects achievable by spraying the substance onto computers and network gear. I think one was something like Pest-Away, which gets rid of hackers, crackers, script kiddies, and security consultants.


Original Post URL: https://www.schneier.com/blog/archives/2024/04/magic-security-dust.html
