Friday, September 15, 2006

The twilight zone

I have developed a specific interest in the twilight zone between different aspects of security: where security and safety issues cross, where physical and logical security issues meet, or where there are differences between the technical issues and the psychological acceptance of security (or even its usability).

Security and Usability (AND, not OR) is the title of an excellent book edited by Lorrie Faith Cranor and Simson Garfinkel. It covers the psychological acceptability of security, the design of secure systems, privacy and anonymity systems, etc. One of the pioneers in the softer aspects of information security is Ka-Ping Yee with his Secure Interaction Design (SID), which contains some really good ideas and rules of thumb. He has also provided some nice posters on the subject.

Matt Blaze has written several excellent articles on this subject, including Safecracking for the Computer Scientist and Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks, in which he applies modern ideas from computer science (treating the lock as an oracle and probing one pin position at a time instead of searching the whole key space) to attack traditional physical security systems. Publishing this research earned him some criticism from locksmiths and others. Even Nobel laureate Richard Feynman was known as a safe cracker!
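To make the rights-amplification idea concrete, here is an added simulation (my own illustration for this page, not code from the blog or from Blaze's paper) of a pin-tumbler lock under a single-level master-key system. The lock model is an assumption chosen for the demonstration: each pin chamber accepts two cut depths, the change-key depth and the master depth (or only one depth, if that chamber carries no master wafer), and a key opens the lock only if every position is at an accepted depth. The attacker holds a legitimate change key and can insert test keys into any lock in the system; by changing one position at a time, the master key falls out after at most n*(d-1) insertions instead of the d^n a blind search would need. The pin counts and depths below are made-up sample values.

```python
"""Toy model of Blaze's rights-amplification attack on master-keyed locks.

Added example for this blog post; the lock model and the sample keys are
assumptions for illustration, not a description of any specific product.
"""
import random


class MasterKeyedLock:
    """A pin-tumbler lock with n chambers and d possible cut depths.

    Each chamber accepts the change-key depth and the master depth.  Where the
    two are equal, the chamber has no master wafer and accepts one depth only.
    Every call to opens() counts as one physical key insertion (oracle query).
    """

    def __init__(self, change, master, depths):
        if len(change) != len(master):
            raise ValueError("change and master keys must have the same number of pins")
        for c, m in zip(change, master):
            if not (0 <= c < depths and 0 <= m < depths):
                raise ValueError("cut depth out of range")
        self.change = tuple(change)
        self.master = tuple(master)
        self.depths = depths
        self.tries = 0

    def opens(self, key):
        """Return True if the key lifts every pin stack to a shear line."""
        self.tries += 1
        if len(key) != len(self.change):
            return False
        return all(k in (c, m) for k, c, m in zip(key, self.change, self.master))


def recover_master_key(lock, change_key):
    """Rights amplification: turn one change key plus lock access into the master.

    For each position i, keep the change key's cuts everywhere else and try every
    other depth at i.  The lock opens exactly when the probed depth is the master
    depth for that chamber.  If no alternative depth opens the lock, the chamber
    has no master wafer and the master depth equals the change depth.
    Cost: at most n*(d-1) insertions, independent of the other positions.
    """
    master = []
    for i, c in enumerate(change_key):
        found = c  # default: no master wafer in this chamber
        for depth in range(lock.depths):
            if depth == c:
                continue  # the change depth is already known to work
            probe = list(change_key)
            probe[i] = depth
            if lock.opens(tuple(probe)):
                found = depth
                break
        master.append(found)
    return tuple(master)


def brute_force_bound(pins, depths):
    """Size of the key space a blind search would have to cover."""
    return depths ** pins


def oracle_bound(pins, depths):
    """Worst-case insertions for the per-pin attack."""
    return pins * (depths - 1)


def random_system(pins, depths, rng):
    """Constructed sample: a change key and a master key differing in every chamber."""
    change = [rng.randrange(depths) for _ in range(pins)]
    master = [rng.choice([x for x in range(depths) if x != c]) for c in change]
    return MasterKeyedLock(change, master, depths)


if __name__ == "__main__":
    rng = random.Random(2006)
    lock = random_system(pins=6, depths=7, rng=rng)  # assumed sizes, typical of a 6-pin cylinder
    recovered = recover_master_key(lock, lock.change)
    print("change key :", lock.change)
    print("recovered  :", recovered, "(correct)" if recovered == lock.master else "(WRONG)")
    print("insertions :", lock.tries, "<=", oracle_bound(6, 7))
    print("blind search space:", brute_force_bound(6, 7))
```

The point the simulation makes is the one the paper makes: master keying means every chamber accepts two depths independently of the others, so the attacker can test one position at a time, and the per-pin oracle turns an exponential search into a linear one. Real systems add constraints (for example limits on how much adjacent cuts may differ) that prune some probes further rather than defeat the attack.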

Other, similar research where real-world security meets information security includes Ross Anderson's work on ATMs in Why Cryptosystems Fail, and the work of Avi Rubin of Johns Hopkins and Ed Felten of Princeton on electronic voting machines.

For the last couple of years I've found Process Control Systems, SCADA and similar industrial applications of special interest, since it is an area where security and safety meet (collide?). Another aspect of this collision is the cultural difference between the groups involved, i.e. IT staff versus the staff working with process control. There are many security aspects of industrial IT that are simply different from traditional IT: scarce resources, unwillingness to change (upgrade software? no way!), and, for many systems, a completely different life cycle. I will write more on this in coming articles.
