Schneier on Security
A blog covering security and security technology.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show.
That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found last year in hotel electronic locks?
Anyone care to guess how long before some researcher finds a way to hack this one? And how well the maker anticipated the need to update the firmware to fix the vulnerability once someone finds it?
I'm not saying that you shouldn't use this lock, only that you understand that new technology brings new security risks, and electronic technology brings new kinds of security risks. Security is a trade-off, and the trade-off is particularly stark in this case.
As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing personal freedoms for security, it's hard for politicians to say no to the FBI right now, and it's politically expedient to demand that something be done.
If our leaders can't say no -- and there's no reason to believe they can -- there are two concepts that need to be part of any new counterterrorism laws, and investigative laws in general: transparency and accountability.
Long ago, we realized that simply trusting people and government agencies to always do the right thing doesn't work, so we need to check up on them. In a democracy, transparency and accountability are how we do that. It's how we ensure that we get both effective and cost-effective government. It's how we prevent those we trust from abusing that trust, and protect ourselves when they do. And it's especially important when security is concerned.
First, we need to ensure that the stuff we're paying money for actually works and has a measureable impact. Law-enforcement organizations regularly invest in technologies that don't make us any safer. The TSA, for example, could devote an entire museum to expensive but ineffective systems: puffer machines, body scanners, FAST behavioral screening, and so on. Local police departments have been wasting lots of post-9/11 money on unnecessary high-tech weaponry and equipment. The occasional high-profile success aside, police surveillance cameras have been shown to be a largely ineffective police tool.
Sometimes honest mistakes led organizations to invest in these technologies. Sometimes there's self-deception and mismanagement—and far too often lobbyists are involved. Given the enormous amount of security money post-9/11, you inevitably end up with an enormous amount of waste. Transparency and accountability are how we keep all of this in check.
Second, we need to ensure that law enforcement does what we expect it to do and nothing more. Police powers are invariably abused. Mission creep is inevitable, and it results in laws designed to combat one particular type of crime being used for an ever-widening array of crimes. Transparency is the only way we have of knowing when this is going on.
For example, that's how we learned that the FBI is abusing National Security Letters. Traditionally, we use the warrant process to protect ourselves from police overreach. It's not enough for the police to want to conduct a search; they also need to convince a neutral third party -- a judge -- that the search is in the public interest and will respect the rights of those searched. That's accountability, and it's the very mechanism that NSLs were exempted from.
When laws are broken, accountability is how we punish those who abused their power. It's how, for example, we correct racial profiling by police departments. And it's a lack of accountability that permits the FBI to get away with massive data collection until exposed by a whistleblower or noticed by a judge.
Third, transparency and accountability keep both law enforcement and politicians from lying to us. The Bush Administration lied about the extent of the NSA's warrantless wiretapping program. The TSA lied about the ability of full-body scanners to save naked images of people. We've been lied to about the lethality of tasers, when and how the FBI eavesdrops on cell-phone calls, and about the existence of surveillance records. Without transparency, we would never know.
A decade ago, the FBI was heavily lobbying Congress for a law to give it new wiretapping powers: a law known as CALEA. One of its key justifications was that existing law didn't allow it to perform speedy wiretaps during kidnapping investigations. It sounded plausible -- and who wouldn't feel sympathy for kidnapping victims? -- but when civil-liberties organizations analyzed the actual data, they found that it was just a story; there were no instances of wiretapping in kidnapping investigations. Without transparency, we would never have known that the FBI was making up stories to scare Congress.
If we're going to give the government any new powers, we need to ensure that there's oversight. Sometimes this oversight is before action occurs. Warrants are a great example. Sometimes they're after action occurs: public reporting, audits by inspector generals, open hearings, notice to those affected, or some other mechanism. Too often, law enforcement tries to exempt itself from this principle by supporting laws that are specifically excused from oversight...or by establishing secret courts that just rubber-stamp government wiretapping requests.
Furthermore, we need to ensure that mechanisms for accountability have teeth and are used.
As we respond to the threat of terrorism, we must remember that there are other threats as well. A society without transparency and accountability is the very definition of a police state. And while a police state might have a low crime rate -- especially if you don't define police corruption and other abuses of power as crime -- and an even lower terrorism rate, it's not a society that most of us would willingly choose to live in.
We already give law enforcement enormous power to intrude into our lives. We do this because we know they need this power to catch criminals, and we're all safer thereby. But because we recognize that a powerful police force is itself a danger to society, we must temper this power with transparency and accountability.
This essay previously appeared on TheAtlantic.com.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
At Chase Bank, we recognize the value of online banking -- it’s quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That’s why, when you’re finished with your online banking session, we recommend three simple steps to protect your personal information: log out of your account, close your web browser, and then charter a seafaring vessel to take you 30 miles out into the open ocean and throw your computer overboard.
EDITED TO ADD (5/11): How The Onion got hacked.
From a FOIAed Department of Transportation document on investigative techniques:
A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law. This "rnail cover" is done to obtain information in the interest of protecting national security, locating a fugitive, or obtaining evidence of commission or attempted commission of a felony crime, or assist in the identification of property, proceeds, or assets forfeitable under law.
Seems to be the paper mail equivalent of a pen register. I'd never heard of the term before.
Maybe the tide is turning:
America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle East or even in America itself. That risk can be lessened by surveillance. But even if another outrage were to happen, the evil of "Gitmo" has recruited far more people to terrorism than a mere 166. Mr Obama should think about America's founding principles, take out his pen and end this stain on its history.
I agree 100%.
This isn't the first time people have pointed out that our politics are creating more terrorists than they're killing -- especially our drone strikes -- but I don't expect this sort of security trade-off analysis from the Economist.
Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results.
Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three key pieces of information she needs to identify anonymous people combined with information from voter rolls or other public records. Of these, Sweeney succeeded in naming 241, or 42% of the total. The Personal Genome Project confirmed that 97% of the names matched those in its database if nicknames and first name variations were included.
Her results are described here.
Last week, an employee error caused the monitors at LAX to display a building evacuation order:
At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport spokeswoman said it was an honest mistake.
I think the real news has nothing to do with how susceptible those systems are to hacking. It's this line:
Castles said there were no reports of passengers evacuating the terminal and the problem was fixed within about 10 minutes.
So now we know: building evacuation announcements on computer screens are ineffective.
She said airport officials are looking into ways to ensure a similar problem does not occur again.
That probably means that they're going to make sure an erroneous evacuation message doesn't appear on the computer screens again, not that everyone doesn't ignore the evacuation message when there is an actual emergency.
I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here:
More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18.
I'm very skeptical about Clemente's comments. He left the FBI shortly after 9/11, and he didn't have any special security clearances. My guess is that he is speaking more about what the NSA and FBI could potentially do, and not about what they are doing right now. And I don't believe that the NSA could save every domestic phone call, not at this time. Possibly after the Utah data center is finished, but not now. They could be saving the all the metadata now, but I'm skeptical about that too.
EDITED TO ADD (5/7): Interesting comments. I think it's worth going through the math. There are two possible ways to do this. The first is to collect, compress, transport, and store. The second is to collect, convert to text, transport, and store. So, what data rates, processing requirements, and storage sizes are we talking about?
Powered by Movable Type. Photo at top by Geoffrey Stone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.