Schneier on Security

A blog covering security and security technology.

All Subversive Organizations Now Must Register in South Carolina

This appears not to be a joke:

The state's "Subversive Activities Registration Act," passed last year and now officially on the books, states that "every member of a subversive organization, or an organization subject to foreign control, every foreign agent and every person who advocates, teaches, advises or practices the duty, necessity or propriety of controlling, conducting, seizing or overthrowing the government of the United States ... shall register with the Secretary of State."

There's even a $5 filing fee.

By "subversive organization," the law means "every corporation, society, association, camp, group, bund, political party, assembly, body or organization, composed of two or more persons, which directly or indirectly advocates, advises, teaches or practices the duty, necessity or propriety of controlling, conducting, seizing or overthrowing the government of the United States [or] of this State."

Wow, is that idiotic or what?

Here's the form.

Does the Republican Party count as an organization that "directly ... advocates ... controlling ... the government"? I think it does. I think all political parties count under that definition.

How about we all fill in a copy and send it to them.

EDITED TO ADD (2/9): I misquoted the statute: "(1) 'Subversive organization' means every corporation, society, association, camp, group, bund, political party, assembly, body or organization, composed of two or more persons, which directly or indirectly advocates, advises, teaches or practices the duty, necessity or propriety of controlling, conducting, seizing or overthrowing the government of the United States, of this State or of any political subdivision thereof by force or violence or other unlawful means;"

It's the last clause that rules out most of us.

Posted on February 9, 2010 at 12:09 PM • 41 Comments

Outguessing the Terrorists

Isn't it a bit embarrassing for an "expert on counter-terrorism" to be quoted as saying this?

Bill Tupman, an expert on counter-terrorism from Exeter University, told BBC News: "The problem is trying to predict the mind of the al-Qaeda planner; there are so many things they might do.

"And it is also necessary to reassure the public that we are trying to outguess the al-Qaeda planner and we are in the process of protecting them from any threat."

I think it's necessary to convince the public to refuse to be terrorized. What frustrates me most about Abdulmutallab is that he caused terror even though his plot failed. I want us to be indomitable enough for the next attack to fail to cause terror, even if it succeeds. Remember: terrorism can't destroy our country's way of life; only our reaction to terrorism can.

Posted on February 9, 2010 at 6:07 AM • 33 Comments

The Limits of Visual Inspection

Interesting research:

Target prevalence powerfully influences visual search behavior. In most visual search experiments, targets appear on at least 50% of trials. However, when targets are rare (as in medical or airport screening), observers shift response criteria, leading to elevated miss error rates. Observers also speed target-absent responses and may make more motor errors. This could be a speed/accuracy tradeoff with fast, frequent absent responses producing more miss errors. Disproving this hypothesis, our experiment one shows that very high target prevalence (98%) shifts response criteria in the opposite direction, leading to elevated false alarms in a simulated baggage search. However, the very frequent target-present responses are not speeded. Rather, rare target-absent responses are greatly slowed. In experiment two, prevalence was varied sinusoidally over 1000 trials as observers' accuracy and reaction times (RTs) were measured. Observers' criterion and target-absent RTs tracked prevalence. Sensitivity (d') and target-present RTs did not vary with prevalence. These results support a model in which prevalence influences two parameters: a decision criterion governing the series of perceptual decisions about each attended item, and a quitting threshold that governs the timing of target-absent responses. Models in which target prevalence only influences an overall decision criterion are not supported.

This has implications for searching for contraband at airports.

Posted on February 8, 2010 at 1:54 PM • 10 Comments

More Details on the Chinese Attack Against Google

Three weeks ago, Google announced a sophisticated attack against them from China. There have been some interesting technical details since then. And the NSA is helping Google analyze the attack.

The rumor that China used a system Google put in place to enable lawful intercepts, which I used as a news hook for this essay, has not been confirmed. At this point, I doubt that it's true.

Posted on February 8, 2010 at 6:03 AM • 26 Comments

New Attack on Threefish

At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2^252.4, 42 (out of 72) rounds of Threefish-512 with a complexity of 2⁵⁰⁷, and 43.5 (out of 80) rounds of Threefish-1024 with a complexity of 2^1014.5. (Yes, that's over 2¹⁰⁰⁰. Don't laugh; it really is a valid attack, even though it -- or any of these others -- will never be practical.)

This is excellent work, and represents the best attacks against Threefish to date. (I suspect that the attacks can be extended a few more rounds with some clever cryptanalytic tricks, but no further.) The security of full Threefish isn't at risk, of course; there's still plenty of security margin.

We have always stood by the security of Threefish with any set of non-obviously-bad constants. Still, a trivial modification -- changing a single constant in the key schedule -- dramatically reduces the number of rounds through which this attack can penetrate. If NIST allows another round of tweaks to the SHA-3 candidate algorithms, we will almost certainly take the opportunity to improve Skein's security; we'll change this constant to a value that removes the rotational symmetries that this technique exploits. If they don't, we're still confident of the security of Threefish and Skein.

And we're always pleased to see more cryptanalysis against Threefish and Skein.

Posted on February 7, 2010 at 8:06 AM • 24 Comments

Friday Squid Blogging: Squid Cookie

I wonder if it's tasty.

Posted on February 5, 2010 at 4:15 PM • 10 Comments

10 Cartoons about Airport Security

A slide show.

Posted on February 5, 2010 at 1:52 PM • 9 Comments

Scaring the Senate Intelligence Committee

This is unconscionable:

At Tuesday's hearing, Senator Dianne Feinstein, Democrat of California and chairwoman of the Senate Intelligence Committee, asked Mr. Blair [the Director of National Intelligence] to assess the possibility of an attempted attack in the United States in the next three to six months.

He replied, "The priority is certain, I would say" -- a response that was reaffirmed by the top officials of the C.I.A. and the F.B.I.

I don't know what "the priority is certain" actually means, but now everyone is reporting that these agencies claim there will be a terrorist attack in the U.S. during the next six months.

Posted on February 5, 2010 at 11:59 AM • 38 Comments

World's Largest Data Collector Teams Up With Word's Largest Data Collector

Does anyone think this is a good idea?

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

EPIC has filed a Freedom of Information Act Request, asking for records pertaining to the partnership. That would certainly help, because otherwise we have no idea what's actually going on.

I've already written about why the NSA should not be in charge of our nation's cyber security.

Posted on February 5, 2010 at 6:02 AM • 27 Comments

Security and Function Creep

Security is rarely static. Technology changes both security systems and attackers. But there’s something else that changes security's cost/benefit trade-off: how the underlying systems being secured are used. Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security system has to play catch-up.

Take driver's licenses, for example. Originally designed to demonstrate a credential -- the ability to drive a car -- they looked like other credentials: medical licenses or elevator certificates of inspection. They were wallet-sized, of course, but they didn't have much security associated with them. Then, slowly, driver's licenses took on a second application: they became age-verification tokens in bars and liquor stores. Of course the security wasn't up to the task -- teenagers can be extraordinarily resourceful if they set their minds to it -- and over the decades driver's licenses got photographs, tamper-resistant features (once, it was easy to modify the birth year), and technologies that made counterfeiting harder. There was little value in counterfeiting a driver's license, but a lot of value in counterfeiting an age-verification token.

Today, US driver's licenses are taking on yet another function: security against terrorists. The Real ID Act -- the government's attempt to make driver's licenses even more secure -- has nothing to do with driving or even with buying alcohol, and everything to do with trying to make that piece of plastic an effective way to verify that someone is not on the terrorist watch list. Whether this is a good idea, or actually improves security, is another matter entirely.

You can see this kind of function creep everywhere. Internet security systems designed for informational Web sites are suddenly expected to provide security for banking Web sites. Security systems that are good enough to protect cheap commodities from being stolen are suddenly ineffective once the price of those commodities rises high enough. Application security systems, designed for locally owned networks, are expected to work even when the application is moved to a cloud computing environment. And cloud computing security, designed for the needs of corporations, is expected to be suitable for government applications as well -- maybe even military applications.

Sometimes it's obvious that security systems designed for one environment won't work in another. We don't arm our soldiers the same way we arm our policemen, and we can't take commercial vehicles and easily turn them into ones outfitted for the military. We understand that we might need to upgrade our home security system if we suddenly come into possession of a bag of diamonds. Yet many think the same security that protects our home computers will also protect voting machines, and the same operating systems that run our businesses are suitable for military uses.

But these are all conscious decisions, and we security professionals often know better. The real problems arise when the changes happen in the background, without any conscious thought. We build a network security system that's perfectly adequate for the threat and -- like a driver's license becoming an age-verification token -- the network accrues more and more functions. But because it has already been pronounced "secure," we can't get any budget to re-evaluate and improve the security until after the bad guys have figured out the vulnerabilities and exploited them.

I don't like having to play catch-up in security, but we seem doomed to keep doing so.

This essay originally appeared in the January/February 2010 issue of IEEE Security and Privacy.

Posted on February 4, 2010 at 6:35 AM • 38 Comments

Anonymity and the Internet

Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we'll know who was responsible and take action accordingly.

The problem is that it won't work. Any design of the Internet must allow for anonymity. Universal identification is impossible. Even attribution -- knowing who is responsible for particular Internet packets -- is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide.

Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.

Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we'd need agencies -- real-world organizations -- to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver's licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert. We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.

And realistically, any theoretical ideal Internet would need to allow people access even without their magic credentials. People would still use the Internet at public kiosks and at friends' houses. People would lose their magic Internet tokens just like they lose their driver's licenses and passports today. The legitimate bypass mechanisms would allow even more ways for criminals and hackers to subvert the system.

On top of all this, the magic attribution technology doesn't exist. Bits are bits; they don't come with identity information attached to them. Every software system we've ever invented has been successfully hacked, repeatedly. We simply don't have anywhere near the expertise to build an airtight attribution system.

Not that it really matters. Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I'd just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communications system that prohibits it.

Attempts to banish anonymity from the Internet won't affect those savvy enough to bypass it, would cost billions, and would have only a negligible effect on security. What such attempts would do is affect the average user's access to free speech, including those who use the Internet's anonymity to survive: dissidents in Iran, China, and elsewhere.

Mandating universal identity and attribution is the wrong goal. Accept that there will always be anonymous speech on the Internet. Accept that you'll never truly know where a packet came from. Work on the problems you can solve: software that's secure in the face of whatever packet it receives, identification systems that are secure enough in the face of the risks. We can do far better at these things than we're doing, and they'll do more to improve security than trying to fix insoluble problems.

The whole attribution problem is very similar to the copy-protection/digital-rights-management problem. Just as it's impossible to make specific bits not copyable, it's impossible to know where specific bits came from. Bits are bits. They don't naturally come with restrictions on their use attached to them, and they don't naturally come with author information attached to them. Any attempts to circumvent this limitation will fail, and will increasingly need to be backed up by the sort of real-world police-state measures that the entertainment industry is demanding in order to make copy-protection work. That's how China does it: police, informants, and fear.

Just as the music industry needs to learn that the world of bits requires a different business model, law enforcement and others need to understand that the old ideas of identification don't work on the Internet. For good or for bad, whether you like it or not, there's always going to be anonymity on the Internet.

This essay originally appeared in Information Security, as part of a point/counterpoint with Marcus Ranum. You can read Marcus's response below my essay.

EDITED TO ADD (2/5): Microsoft's Craig Mundie wants to abolish anonymity as well.

What Mundie is proposing is to impose authentication. He draws an analogy to automobile use. If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc). If you do something bad with that car, like break a law, there is the chance that you will lose your license and be prevented from driving in the future. In other words, there is a legal and social process for imposing discipline. Mundie imagines three tiers of Internet ID: one for people, one for machines and one for programs (which often act as proxies for the other two).

Posted on February 3, 2010 at 6:16 AM • 60 Comments

More Movie Plot Terrorist Threats

The Foreign Policy website has its own list of movie-plot threats: machine-gun wielding terrorists on paragliders, disease-laden insect swarms, a dirty bomb made from smoke detector parts, planning via online games, and botulinum in the food supply. The site fleshes these threats out a bit, but it's nothing regular readers of this blog can't imagine for themselves.

Maybe they should have their own movie-plot threat contest.

Posted on February 2, 2010 at 6:34 AM • 52 Comments

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.