In this month’s The Atlantic (not yet online) a brilliant article about 4G security in the form of an interview with Bruce Schneier.
The moral, Schneier came to believe, is that security measures are characterized less by their success than by their manner of failure. All security systems eventually miscarry in one way or another. But when this happens to the good ones, they stretch and sag before breaking, each component failure leaving the whole as unaffected as possible.
In other words, they need to be flexible, adaptive, and decentralized. Sound familiar? He then goes on to criticize the current plans as exactly the opposite.
Okay, somebody steals your thumbprint, Schneier says. Because weve centralized all the functions, the thief can tap your credit, open your medical records, start your car, any mumber of things. Now what do you do? With a credit card, the bank can issue you a new card with a new number. But this is your thumb – you cant get a new one.
The consequences of identity fraud might be offset if biometric licenses and visas helped prevent terrorism. Yet smart cards would not have stopped the terrorists who attached the World Trade center and the Pentagon. According to the FBI, all the hijackers seem to have been who they said they were; their intentions, not their identities, were the issue. Each entered the country with a valid visa, and each had a photo ID in his real name (some obtained their IDs fraudulently, but the fakes correctly identified them). What problem is being solved here? Schneier asks. (my emphasis)
And so do I. He goes on:
“The trick to remember is that technology cant save you, Schneier says. we know this in our own lives. We realize theres no magic anti-burglary dust that we can sprinkle on our cars to prevent them from being stolen. We know that car alarms dont provide much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people.
Thats 4th Generation security. Its built around attentive, empowered people.