Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "The Myth of Homeland Security", Marcus J. Ranum

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKMYHLSC.RVW 20031124 The Myth of Homeland Security , Marcus J. Ranum, 2004, 0-471-45879-1, U$24.99/C$37.50 %A Marcus J. Ranum mjr@ranum.com %C 5353
    Message 1 of 1 , Jan 23, 2004
    • 0 Attachment
      BKMYHLSC.RVW 20031124

      "The Myth of Homeland Security", Marcus J. Ranum, 2004, 0-471-45879-1,
      U$24.99/C$37.50
      %A Marcus J. Ranum mjr@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2004
      %G 0-471-45879-1
      %I John Wiley & Sons, Inc.
      %O U$24.99/C$37.50 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471458791/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0471458791/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0471458791/robsladesin03-20
      %P 244 p.
      %T "The Myth of Homeland Security"

      Regular readers of the RISKS-FORUM Digest come to know a number of
      phrases that are repeated over and over again, in assessing risks and
      problems in technical systems. One is "single point of failure" and
      another is "cascading failure." Yet another, and the one that Ranum
      seems to be concentrating on, is "protecting against the wrong
      threat." The book starts out, in "It's Another Code Orange Day,"
      noting that the vast new machinery of airline security has not caught
      any terrorists, and also notes that the defenders are completely
      disorganized.

      Chapter one asserts that Homeland Security is (along with a number of
      other similar terms) a convenient invention. Information warfare is
      derided as such a device, and although I could agree in terms of books
      such as Erbschloe's (cf. BKINFWFR.RVW), I don't think Ranum gives
      enough thought to the work by Dorothy Denning (cf. BKINWRSC.RVW). The
      one myth that the author attacks in chapter two is of superior
      attackers and defenders. The anti-FBI stance is somewhat overblown,
      even though there are numerous examples to support it, both in the
      book and elsewhere. Politics, in chapter three, is mostly about the
      PATRIOT Act (and finding out that it stands for "Provide Appropriate
      Tools Required to Intercept and Obstruct Terrorism" is almost worth
      the price of the book all by itself), although Ranum's seemingly
      deliberate attempts to avoid being politically pigeon-holed make it
      difficult to determine exactly what his point is. Merging inefficient
      agencies is unlikely to help things, as is pointed out in chapter
      four. Immigration, in chapter five, looks at weak borders (and, rather
      ironically, Ranum seems to be promoting the myth of terrorist entry
      through Canada), but the text also admits that the 9/11 attackers all
      had valid visas, and ultimately suggests no solutions. Chapter six
      notes that TSA (Transportation Safety Administration) salaries are
      higher, and hiring requirements more stringent, than before (and the
      book has previously indicated that TSA personnel are more
      professional), but Ranum points out a few instances of hiring
      irregularities, and then flatly states that airport security is a
      sieve. He is also seemingly inconsistent in his positions, arguing
      generally against biometrics and profiling, but then apparently
      endorsing them. The arguments are not reasoned: he is for a national
      identity system, but admits elsewhere that the 9/11 terrorists had
      valid identification. Chapter seven says that the army is good, the
      border patrol is looking for the wrong things (although this is
      confusingly amended to a position that they have the technology but
      aren't using it), and the FBI and CIA have an ongoing turf fight.
      Having stated that he is not interested in media bashing, Ranum spends
      most of chapter eight anecdotally doing just that. There is a token
      mention of access to information, and a final assertion that probably
      nothing can be done about the problem of the media because the public
      is so gullible.

      Cyberattacks are an unreal myth, says chapter nine, but our
      information infrastructure is mostly undefended. The lack of
      standardization in government systems is seen as making government
      systems harder to defend (even though homogeneity means that a single
      attack can penetrate everything). While this material starts off very
      well, possibly due to Ranum's greater familiarity with strictly
      technical issues, he makes numerous errors in regard to viruses and
      malware. His lack of experience in this specific area reappears in
      chapter ten, where he says that even outdated antivirus scanners
      should have caught Code Red because the exploit was a known one.
      However, scanners would not have caught Code Red since it did not
      write itself out to a file, and also because scanners search for
      strings or patterns, not exploits. (If anything should have caught
      Code Red it was more likely to have been the firewalls that Ranum has
      made his name in designing.) Computer insecurity is put down to being
      on the cutting edge (advanced technologies being less completely
      understood), but is also due to foolish government purchasing
      procedures.

      Those of us who work in the security field can certainly sympathize
      with the tone of Ranum's work. Yes, governments (and businesses) are
      foolish. Yes, the general public sees a complex problem in simplistic
      terms. Yes, you can find instances of stupidity in any large
      enterprise. But does any of this have a real bearing on how security
      can be improved, or how we should look at it? (Particularly to a non-
      American audience, this book must read like a long string of sometimes
      whiny complaints.) Yes, Ranum starts off by saying that he is not
      actually offering solutions, but that bald statement hardly absolves
      him of not offering anything, including insights. While this work is
      at least well-informed about the problems, I am at a loss to explain
      the adulation that has been heaped upon it by many of my colleagues,
      aside from the fact that we all feel very much the same way.

      Presumably, however, we are not the target audience, and the book is
      aimed at demonstrating to the general public that Homeland Security
      is, as the cover graphically puts it, a house of cards. Pointing out
      that the Emperor has no clothes does have some merit, although the
      rewards of the activity are questionable at best. When addressing a
      non-technical audience, the anecdotal evidence provided is probably
      more realistic than a closely reasoned argument. However, the lack of
      clear suggestions for improvement, and inconsistency in positions,
      detract from the book's value.

      We can agree that security is a mess, and that governments can create
      enormous boondoggles. This book is among many that make the point,
      but does not do much to improve the situation.

      copyright Robert M. Slade, 2003 BKMYHLSC.RVW 20031124


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      God is real. Unless declared integer.
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.