Coca-Cola and the NSA
|Reprinted from Bruce Schneier's Crypto-Gram|
Security Notes from All Over:
Coca-Cola has a new contest. Hidden inside 100 cans of Coke there's a SIM card, GPS transmitter, and a
microphone. The winners activate the Coke can by pressing a button, which will call a central monitoring
facility. Then Coke tracks the winners down using the GPS transmitter and surprises them with their prize.
NSA engineers drink Coke. Lots and lots of Coke. The possibility that an active microphone in a Coke can
could be in one of the NSA's highly secure facilities is worth considering. A reasonable threat analysis might
look like this: "You know, the chances that one of these 100 cans out of hundreds of millions of cans ends up
in our building is extremely small -- somewhere around 1 in 100,000 -- so it's not worth worrying about."
But the NSA's Information Staff Security Office (ISSO) decreed differently: "It is important that ALL cans of Coca-
Cola within our spaces be inspected. This includes cans already in our buildings and those being delivered on
a daily basis. If you discover one of these cans, DO NOT activate it. Instead, you should alert your ISSO
immediately and report the incident."
This is hysterical. Can you imagine inspecting every can of Coke entering the NSA, opening each of the
hundreds of cases of Coke and inspecting every can for a GPS transmitter? What does this cost? What is the
NSA not doing because they're doing this instead?
Of course the engineers at NSA are already starting to create Coke cans with antennas, circuit boards, and
keypads. They are leaving them around snack messes as practical jokes.
And where's Pepsi in all of this? Shouldn't they be advertising "surveillance-free cola"?
Funny stuff, but there's a serious point here. Again and again, security decisions are clouded by agenda. The
NSA's Coca-Cola inspection policy is an example of CYA. Some executive within NSA didn't want to be personally
responsible for a GPS receiver slipping through security, so he decided that everything should be inspected.
It's a small risk to the greater population, but it's a larger risk to him. His agenda is different from
society's, but because his agenda matters more to him and it's his decision, his is what gets followed.
We as a society need to figure out how to make security trade-off decisions another way. Having specific
individuals or corporations make security trade-offs for us based on their agenda isn't making us more secure,
and it's costing us a whole lot of money.