Sleepycatz

Security through absurd obsurity?

Those who know me know I have a problems with the notion of security through obscurity — the idea that one can achieve some measure of real security by hiding the item or knowledge which needs to be protected. As a security measure, obscurity has been around since man first hid from a predator. It has never been a consistently successful strategy. The pilfered tombs of the Pharaohs illustrate that no matter how cleaver or determined one is to hide something away, an equally cleaver thief will eventually find the treasure. That the most guarded secrets of the cold war usually flowed between adversaries in a matter of weeks speaks to the ineffectiveness of obscurity when confronted with a determined and resourceful foe. Nonetheless, obscurity remains with us as a natural response to threatening situations. The desire to protect ourselves, or our possessions, immediately invokes the evolutionary response to hide from threats.

I was fascinated to read a recent NY Times article on the obscurity devices of Aya Tsukioka. Ms. Tsukioka has created camouflaging fashions for Japan’s urban dwelling population. Though violent street crime is down in Japan sensationalist news reports have created an air of fear among city dwellers. Among Ms. Tsukioka’s inventions is a skirt which allows the wearer to disguise oneself as a vending machine:

The wearer hides behind the sheet, printed with an actual-size photo of a vending machine. Ms. Tsukioka’s clothing is still in development, but she already has several versions, including one that unfolds from a kimono and a deluxe model with four sides for more complete camouflaging.

Other creations by Ms. Tsukioka include a purse which can be disguised as a manhole cover — presumably to be thrown into the middle of the street when the carrier feels threatened — and backpack which allows a child to disguise her/himself as a fire hydrant.

There is something more then a bit disturbing with the idea that women and children should need to take on the appearance of common inanimate urban objects in order to protect themselves. Certainly it can be argued that historically these two groups have been objectified in this manner for thousands of years, and the need/desire to obscure the body in this manner is a reflection of a conservative cultural mindset. Fear, in general, tends to evoke the most primitive of responses in the human mind. The response suggested by Ms. Tsukioka’s creations is that we need to hide our humanity until the fear passes. I couldn’t disagree more.

DHS Deceit

For the past couple of weeks some friends and colleagues and I have been discussing a CNN story on the vulnerability of SCADA controlled generators. The story fed to CNN by the DHS is that power generators, under SCADA control, can be destroyed via cyber attack by telling or tricking the PLC into over-cycling the generator and thus adversely effecting the local or national power grid . After some discussion, most of us have decided that the story is largely bunk. Even if we ignore the fact that the generator shown in the DHS video appears to in the ~1500 kW size range (significantly smaller then the multi-megawatt generators used for local or regional grid generation), the idea that a critical piece of power generating equipment would lack a something as simple as a mechanical governor - an 18th c. technology - let alone an electronic one to prevent the system from operating beyond safe levels seems patently absurd. An electrical engineering friend has suggested that the current steam turbine generators used by utilities do not currently include deep levels of automatic systems — so any such attack on a utility could never effect online turbine speed. Additionally, even if such a vulnerability did somehow exist is would be very simple to insert PLC programming which did not allow for the system to run out of tolerance.

So why would DHS release such a report — we know why CNN engages in fear mongering where ever it can. The purpose seems to be alluded to near the end of the piece where CNN explains that the DHS cyber-security budget is a scant 100 million dollars. The goal here seems to be to get people riled up to pressure congress to flood DHS with more money. As fear-mongering coup de grâce, CNN finds someone to say that Iran has the same generators, SCADA systems, and passwords as those used in America. This is so appallingly absurd and transparent it simply causes my head to spin.

The problem is, that there are security concerns with SCADA systems and the desire of managers to save money and place them on an Internet connected network. The problems though instead of being related to evil cyber-terrorists are much more mundane. Such as the effect of Viruses, Trojans, and Denial of Service Attacks on these systems. If a virus should interrupt communications with a water filtration control system, for instance, this could cause response problems leading to some contamination. Fighting viruses, however, does not get you billions in taxpayer funding. Nowadays only the most fearful scenarios get the money — regardless of merit.