Tuesday, May 22, 2007

Identification vs. knowledge

Network World

Security Strategies




Network World's Security Strategies Newsletter, 05/22/07

By M. E. Kabay

In my last two columns, I commented on the REAL ID Act and some of the doubts about its usefulness in national security.

The confusion of identification and security comes in part from the normal application of identification and authentication in restricted, known populations such as groups of employees. We are used to assuming - correctly, we hope - that employees have been vetted to some reasonable extent before they are hired. Therefore identifying someone who is on a list of employees and authenticating their identity makes sense: it helps to reduce risk.

But the situation is quite different when we simply label people with _no_ information about their trustworthiness. Being born in the United States (or being a legal resident, for that matter) is no guarantee of safety or sanity; see the Southern Poverty Law Center’s Intelligence Project for some mood-souring details of the world of native-born American terrorists.

The confusion between identification and knowledge reminds me of an incident that occurred in 1966 when I was a biology student at McGill University. The lab assistant told us that we would have to memorize the Latin names for the formal classification of 10 plants.

I asked, “What, just the names? Nothing about the plants themselves? No information about their habitat, life cycle, pests or anything? Just names??”

Readers will not be surprised to find that I was an arrogant young man when I was 16 - after all, what would you expect, if you’ve read my stuff? Therefore I protested, “That’s ridiculous. Knowing a plant’s name tells us nothing more than how to point to it if someone else knows the name. Identifying a plant is not equivalent to knowing about its biology.”

I should point out that I had been learning Latin names of plants and animals since I was a child - as part of what I liked to know about them. But when the quiz came around I crossed my arms and said loudly, “I refuse to participate in this farce.” I got zero, but I stand by my position even more than 40 years later. And by the way, when students criticize my exam questions, I give them extra points if their objections and suggestions are well founded!

But back to security: I greatly fear that the emphasis on identifying people when they travel - by air, mind you, not by bus or even by some trains - is more a matter of political theater than a significant contribution to the security of travelers or to national security.

Insisting on identification papers for air travelers has the same purpose and about the same value as asking all air travelers to remove their shoes in the security inspection: it makes people who don’t know much about security feel that The Nation Is In Safe Hands but it does not have much to do with improving security. And thank goodness that idiot Richard Reid didn’t put explosives in his underpants.

If you are interested in reading more of my analysis of travel safety, please see the essay “Airport Safety” in PDF or HTML.



Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.


Copyright Network World, Inc., 2007
