Fred Avolio's Musings


Mon, 30 Oct 2006
Shocking News! You can print fake boarding passes on your printer!

I am being sarcastic, you know? Only the computer illiterate will be surprised that the boarding passes you print out on your home printer can be faked. I don't expect members of Congress to be computer or technology experts, but even if their eyes and brains don't tell them this, don't any of them have smart, computer-savvy aides with a clue?

One of many news items about this is at www.wired.com/news/technology/0,72023-0.html.

In a more recent post, Rep. Edward Markey (D-MA) repented of calling for Soghoian's arrest, but still suggested bad judgement. Dr. Avi Rubin also weighed in: "Even if he has a legitimate point, it shows a real lapse in judgement."

I suppose. Still, what's the difference between what I print out on my printer when I "check in" to a flight using an airline's web site and Soghoian's? Right, one is real. But, still... how does the TSA agent know that?

Right. He or she doesn't.


Another Security Expert Heard From

"I think we're all Bozos on this bus."—Firesign Theater

This Infoworld column illustrates something I've talked about before, but have never given a name. I'll start calling it the "Everyone is a security expert" syndrome. I've alluded to it in the following blog entries:

In the above-cited column, Roger A. Grimes makes the declaration, "Security by obscurity: It works!" and states:

Almost every computer security "expert" alive repeats the mantra that security by obscurity is no security at all, despite overwhelming evidence to the contrary. I propose that it should be a valid part of any computer defense plan, and in fact, can be one of your best defenses.

Before writing angry hate mail to your new security columnist, let me explain further. First, I didn't say security by obscurity was the only defense technique someone should use. I didn't even say it was real security, but I am saying that it should be an important part of most computer defense strategies.

I read that and shook my head in dismay. Not because he is wrong, but because he thinks this is a new idea. Except that none—no, not one—of the computer and network security experts I know would or has ever said that. It is an often misstated security axiom (I list it as a "bogon" in my list of security axioms); more correctly stated, it is that depending or relying solely on obscurity for security is misguided and gives a sense of security that is false. I said this in a February 2001 Letter to the Editor of Information Security Magazine, wherein I say in part:

...surely there is nothing wrong with security through obscurity. Keeping secret keys secret is an excellent example of this, and we count on it for much of the crypto-based security on the Internet. What many security professionals rail against is depending completely, totally and only on security through obscurity, and doing so forever.

And in a 2001 column I wrote for WatchGuard Technologies, I wrote, "Though 'security through obscurity' is unwise as a sole defense, there is absolutely nothing wrong with making it harder for an attacker to attack."

Even in early 1994, in an early firewall paper with Marcus Ranum, A Network Perimeter With Secure External Access, we wrote, "Security through obscurity is counter-productive. Easy-to-understand measures are more likely to be sound, and are easier to administer."

And Bruce Schneier, in his May 15, 2002 Crypto-Gram Newsletter, writes about "Secrecy, Security, and Obscurity."

So, Mr. Grimes, welcome aboard, and thanks for helping the security community to get this important message out. But, I am concerned. Your by-line would lead one to believe that you are the new "Security Advisor" columnist. How come you are just getting this?

Fred Wamsley www.berylliumsphere.com, wrote:
I would have said that "security through obscurity" is a phrase that clouds good thinking about secrets.

Why doesn't the mass-market security literature explain the difference between a defensible secret like the symmetric encryption key generated for every message, and an indefensible secret like how the Enigma machine works?

It's not a complicated analysis either. Just ask how many people know the "secret", how long the secret stays useful, and whether you can contain the damage if the secret gets out.

... For an example of an indefensible secret, consider Social Security numbers.

Roger Grimes replied:
You're dogging my security by obscurity works rant InfoWorld column wondering why it took me so long to think of it??

I've been in the field of computer security for 20 years. It's not a new idea to me. Just because I put it in a column now and then doesn't mean it's new to me. It's just the topic of the day, something that came into my mind.

And contrary to what you imply, 99% of security experts constantly repeat over and over to students that security by obscurity doesn't work. I had dozens of security experts write me and tell how wrong I am. So, it doesn't hurt to remind the masses, from time to time, that it actually does have value.

Roger

Roger A. Grimes, Eastern Data Inc., Director of IT Security
CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH

I received e-mail from colleague Scott Pinxon, who wrote:
I'm confused. Why are you upset that you have to tell people the same concepts over and over? Is there some other industry where the lead practitioners said something once, everyone got it, and they all moved on? Besides, you were an early adopter, Fred. Just because some of us are slower than you, does that mean we don't "deserve" to hear smart security concepts? Network security has an endless, oncoming wave of newbies. It's too soon to tire of preaching wise axioms!

I am not sure where I've miscommunicated. Yes, we need to be aware of history. Here's my reply:

Remembering history is essential, as I mention here (which was referenced in this blog). ... we keep presenting the same old stuff as if it is new stuff, and we never seem to learn from it. We forget history and so have to relearn it (as George Santayana warned in his famous quote about forgetting the past and having to relive it).
