Justin Troutman Blog

Shifting problems, rather than solving them.

I happened to be browsing CNN and noticed a story entitled, “Cameras that scold.”  The short description read:

“Residents and police say talking surveillance cameras reduce crime.  CNN’s Gary Nurenberg reports (April 8)”

Basically, the city of Baltimore has, at residents’ requests, installed surveillance cameras that are activated by motion detection sensors.  Upon activation, it alerts:

“Your photograph was just taken.  We will use it to prosecute you.”

You can check out the video here.  (Just to warn you in advance, it’s a pop-up window, so you may have to adjust your pop-up blocker.)

The assumption, by the community - both residential and law enforcement - is that crime has been reduced since the implementation of these cameras.  However, that’s not what one can really conclude.  The cameras are isolated security measures; that is, while they may deter criminals from the target they monitor, this says nothing about reducing the amount of crime that will actually take place.

What you have here isn’t a way to solve the problem; it just moves the problem somewhere else.  You see this a lot - protecting targets (especially those already hit).  This isn’t practical, nor does it make sense.  Have you tried counting all the possible targets? Me neither. Suppose we have a front door and back door.  A criminal comes in the front door, so afterwards, we install surveillance cameras above the front door.  Does this reduce any crime?  No, it just lets the criminal know that he’ll have to use the back door next time.

There have been numerous reports on the ineffectiveness of surveillance cameras; it was also found more effective to just increase lighting in areas prone to crime, and have more law enforcement units patrolling such areas.  The important generalization here is to make sure that your security measure doesn’t relocate the problem; it should reduce the occurrence of it.  As taxpayers and consumers, this affects us.

Even in a computer security context, it’s important to make sure your security mechanisms are cost-effective, and not just a deterrent that points adversaries to another target on which to mount their attack.  Again, this is another situation where those with an influence on decisions, and those who ultimately make them, don’t understand the concept of making good trade-offs.  The cost is real, but the security isn’t.

Questions for the Audience: Current Cryptographic Concerns

This question is aimed at both developers and consumers. The role I fulfil is strictly cryptanalytical; that is, when I work on a project, I conceptualize what the security infrastructure should look like, from a cryptographic standpoint, but the developers ultimately implement this conceptualization of mine. Oftentimes, when I’m brought onto the project, there is already an infrastructure in place, and nine times out of ten, it’s insecure, because it’s either missing something or doing something wrong. I’m in the process of writing a rather large series on this, but that’s all the details I’m relinquishing for now. ;)

Anyhow, my question is this. As a developer, what types of goals do you try to achieve, cryptographically? I know this is context-dependent, but at the bare minimum, what do you feel is sufficient, for preserving confidentiality and integrity? As a consumer, what do you look for in a cryptographic solution? What characteristics are deciding factors?

Okay, so one question turned into four. Oh well. Hehe. I ask because I’ve noticed a lot of falsified stigmas and misconceptions that lead to developers falling short and consumers looking for the wrong things. An ongoing interest of mine is learning more about why cryptography fails so often at the implementation level, and why some bad cryptographic products are able to gather a large fan base. More importantly, I’m learning for the sake of suggesting ways to mitigate the effects of these issues, and in some cases, avoid them altogether.

Thanks in advance, and a great Thursday to y’all from the Carolinas!

A new blog about matters cryptographic, and some other things.

Well folks, I have finally hopped on the blog bandwagon, which I am excited about.  I have a personal weblog at http://www.justintroutman.org/blog/, but it’s reserved for intense cryptanalytical miscellany only, such as the latest cryptanalysis from around the community, and my own research.  Here, I’ll discuss a variety of issues - some more cryptographic than others.  Oh, and I cordially invite you - no, wait, I not only cordially invite you, but encourage you to pass along any questions or topics you may have, that you’d like to see elaborated on.  Who knows; it may be the type of question or topic to devote an article to.  I’ll be on the look-out for some interesting security issues, of which I’ll be posting soon.  So, until then - bon voyadios!

Cheers,

Justin

[STICKY] Weekly Permutation: News and information on happenings within the cryptographic community

The Weekly Permutation’s focus shifts from happenings in the cryptographic community, to general computer security, to the politics that affect it all.

Cryptographic coverage includes everything from the latest cryptanalysis of block ciphers and hash functions to the use of cryptography in a malicious context, such as cryptoviral information extortion.

With regard to general computer security and the politics surrounding it, coverage spans varied topics, ranging from the legal ramifications of full disclosure to just plain rotten security decisions and products.

