Schneier on Security

A blog covering security and security technology.

Marc Rotenberg on Google's Italian Privacy Case

Interesting commentary:

I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person's image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man's image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim, suggested that the state assembly could simple pass a law to create the right. The New York legislature did exactly that and in 1903 New York enacted the first privacy law in the United States to protect a person's "name or likeness" for commercial use.

The whole thing is worth reading.

Posted on March 9, 2010 at 12:36 PM • 12 Comments

Guide to Microsoft Police Forensic Services

The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it:

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.

When it was first leaked, Microsoft tried to scrub it from the Internet. But they quickly realized that it was futile and relented.

Lots more information.

Posted on March 9, 2010 at 6:59 AM • 9 Comments

Google in The Onion

Funny:

MOUNTAIN VIEW, CA—Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday.

"We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some privacy concerns as of late, and judging by some of the search terms we've seen, along with the tens of thousands of personal e-mail exchanges and Google Chat conversations we've carefully examined, it looks as though it might be a while before we regain your trust."

Google expressed regret to some of its third-generation Irish-American users on Smithwood between Barlow and Lake.

Added Schmidt, "Whether you're Michael Paulson who lives at 3425 Longview Terrace and makes $86,400 a year, or Jessica Goldblatt from Lynnwood, WA, who already has well-established trust issues, we at Google would just like to say how very, truly sorry we are."

Posted on March 8, 2010 at 2:24 PM • 15 Comments

Eating a Flash Drive

How not to destroy evidence:

In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show.

The article wasn't explicit about this -- odd, as it's the main question any reader would have -- but it seems that the man's digestive tract did not destroy the evidence.

Posted on March 8, 2010 at 11:00 AM • 51 Comments

De-Anonymizing Social Network Users

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.

In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

News article. Moral: anonymity is really, really hard -- but we knew that already.

Posted on March 8, 2010 at 6:13 AM • 28 Comments

Friday Squid Blogging: Squid Teapot

Squid teapot. Could be squiddier.

Posted on March 5, 2010 at 4:32 PM • 5 Comments

Another Interview with Me

I gave this one two days ago, at the RSA Conference.

Posted on March 5, 2010 at 12:53 PM • 11 Comments

Mariposa Botnet Shut Down

The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet.

Posted on March 5, 2010 at 6:02 AM • 41 Comments

Comprehensive National Cybersecurity Initiative

On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan:

• Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet.
• Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
• Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
• Initiative #4: Coordinate and redirect research and development (R&D) efforts.
• Initiative #5. Connect current cyber ops centers to enhance situational awareness.
• Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
• Initiative #7. Increase the security of our classified networks.
• Initiative #8. Expand cyber education.
• Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
• Initiative #10. Define and develop enduring deterrence strategies and programs.
• Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
• Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.

While this transparency is a good, in this sort of thing the devil is in the details -- and we don't have any details. We also don't have any information about the legal authority for cybersecurity, and how much the NSA is, and should be, involved. Good commentary on that here. EPIC is suing the NSA to learn more about its involvement.

Posted on March 4, 2010 at 12:55 PM • 17 Comments

Crypto Implementation Failure

Look at this new AES-encrypted USB memory stick. You enter the key directly into the stick via the keypad, thereby bypassing any eavesdropping software on the computer.

The problem is that in order to get full 256-bit entropy in the key, you need to enter 77 decimal digits using the keypad. I can't imagine anyone doing that; they'll enter an eight- or ten-digit key and call it done. (Likely, the password encrypts a random key that encrypts the actual data: not that it matters.) And even if you wanted to, is it reasonable to expect someone to enter 77 digits without making an error?

Nice idea, complete implementation failure.

EDITED TO ADD (3/4): According to the manual, the drive locks for two minutes after five unsuccessful attempts. This delay is enough to make brute-force attacks infeasible, even with only ten-digit keys.

So, not nearly as bad as I thought it was. Better would be a much longer delay after 100 or so unsuccessful attempts. Yes, there's a denial-of-service attack against the thing, but stealing it is an even more effective denial-of-service attack.

Posted on March 4, 2010 at 6:05 AM • 73 Comments

Tom Engelhardt on Fear of Terrorism

Nice essay.

Similar sentiment from Newsweek.

Posted on March 3, 2010 at 6:12 AM • 50 Comments

More on the Al-Mabhouh Assassination

Interesting essay by a former CIA field officer on the al-Mabhouh assassination:

The truth is that Mr. Mabhouh's assassination was conducted according to the book -- a military operation in which the environment is completely controlled by the assassins. At least 25 people are needed to carry off something like this. You need "eyes on" the target 24 hours a day to ensure that when the time comes he is alone. You need coverage of the police -- assassinations go very wrong when the police stumble into the middle of one. You need coverage of the hotel security staff, the maids, the outside of the hotel. You even need people in back-up accommodations in the event the team needs a place to hide.

I found this conclusion incredible:

I can only speculate about where exactly the hit went wrong. But I would guess the assassins failed to account for the marked advance in technology.

[...]

Not completely understanding advances in technology may be one explanation for the assassins nonchalantly exposing their faces to the closed-circuit TV cameras, one female assassin even smiling at one.... The other explanation -- the assassins didn't care whether their faces were identified -- doesn't seem plausible at all.

Does he really think that this professional a team simply didn't realize that there were security cameras in airports and hotels? I think that the "other explanation" is not only plausible, it's obvious.

The number of suspects is now at 27, by the way. And:

Also Monday, the sources said the UAE central bank is working with other nations to track funding and 14 credit cards -- issued mostly by a United States bank -- used by the suspects in different places, including the United States.

We'll see how well these people covered their tracks.

EDITED TO ADD (3/3): Speculation that it's Egypt or Jordan. I don't believe it.

EDITED TO ADD (3/5): More commentary on the tactics. Speculation that it was Mossad.

Posted on March 2, 2010 at 5:55 AM • 79 Comments

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.