Schneier on Security
A blog covering security and security technology.
July 2005 Archives
Dog Poop Girl
Here's the basic story: A woman and her dog are riding the Seoul subways. The dog poops on the floor. The woman refuses to clean it up, despite being told to by other passengers. Someone takes a picture of her, posts it on the Internet, and she is publicly shamed -- and the story will live on the Internet forever. Then, the blogosphere debates the notion of the Internet as a social enforcement tool.
The Internet is changing our notions of personal privacy, and how the public enforces social norms.
Daniel Solove writes:
The dog-shit-girl case involves a norm that most people would seemingly agree to -- clean up after your dog. Who could argue with that one? But what about when norm enforcement becomes too extreme? Most norm enforcement involves angry scowls or just telling a person off. But having a permanent record of one’s norm violations is upping the sanction to a whole new level. The blogosphere can be a very powerful norm-enforcing tool, allowing bloggers to act as a cyber-posse, tracking down norm violators and branding them with digital scarlet letters.
If this incident is any guide, then anyone acting outside the accepted norms of whatever segment of humanity surrounds him had better tread lightly. The question we need to answer is: is this the sort of society we want to live in? And if not, what technological or legal controls do we need to put in place to ensure that we don't?
I believe that, as complicated as it might be, the law must play a role here. The stakes are too important. While entering law into the picture could indeed stifle freedom of discussion on the Internet, allowing excessive norm enforcement can be stifling to freedom as well.
Microsoft Permits Pirated Software to Receive Security Patches
Microsoft wants to make pirated software less useful by preventing it from receiving patches and updates. At the same time, it is in everyone's best interest for all software to be more secure: legitimate and pirated. This issue has been percolating for a while, and I've written about it twice before. After much back and forth, Microsoft is going to do the right thing:
From now on, customers looking to get the latest add-ons to Windows will have to verify that their copy of the operating system is legit....
Microsoft deserves praise for this.
Cisco Harasses Security Researcher
I've written about full disclosure, and how disclosing security vulnerabilities is our best mechanism for improving security -- especially in a free-market system. (That essay is also worth reading for a general discussion of the security trade-offs.) I've also written about how security companies treat vulnerabilities as public-relations problems first and technical problems second. This week at BlackHat, security researcher Michael Lynn and Cisco demonstrated both points.
Lynn was going to present security flaws in Cisco's IOS, and Cisco went to inordinate lengths to make sure that information never got into the hands of their consumers, the press, or the public.
Cisco threatened legal action to stop the conference's organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco's Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed.
Not being able to censor the information, Cisco decided to act as if it were no big deal:
In a release shortly after the presentation, Cisco stated, "It is important to note that the information Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Lynn's research explores possible ways to expand exploitations of known security vulnerabilities impacting routers." And went on to state "Cisco believes that the information Lynn presented at the Blackhat conference today contained proprietary information and was illegally obtained." The statement also refers to the fact that Lynn stated in his presentation that he used a popular file decompressor to 'unzip' the Cisco image before reverse engineering it and finding the flaw, which is against Cisco's use agreement.
The Cisco propaganda machine is certainly working overtime this week.
The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security. (I've written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe.
Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced.
The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning.
I can't imagine the discussions inside Cisco that led them to act like thugs. I can't figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can't believe that they thought they could have censored the information by their actions, or even that it was a good idea.
Cisco's customers want information. They don't expect perfection, but they want to know the extent of problems and what Cisco is doing about them. They don't want to know that Cisco tries to stifle the truth:
Joseph Klein, senior security analyst at the aerospace electronic systems division for Honeywell Technology Solutions, said he helped arrange a meeting between government IT professionals and Lynn after the talk. Klein said he was furious that Cisco had been unwilling to disclose the buffer-overflow vulnerability in unpatched routers. "I can see a class-action lawsuit against Cisco coming out of this," Klein said.
ISS didn't come out of this looking very good, either:
"A few years ago it was rumored that ISS would hold back on certain things because (they're in the business of) providing solutions," [Ali-Reza] Anghaie, [a senior security engineer with an aerospace firm, who was in the audience,] said. "But now you've got full public confirmation that they'll submit to the will of a Cisco or Microsoft, and that's not fair to their customers.... If they're willing to back down and leave an employee ... out to hang, well what are they going to do for customers?"
Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what they say -- we won't believe them. We know that the public-relations department handles their security vulnerabilities, and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen.
And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.
EDITED TO ADD: I am impressed with Lynn's personal integrity in this matter:
When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he got started, Mr. Lynn said, "What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on."
Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.
Michael Lynn, a former ISS researcher, and the Black Hat organisers agreed to a permanent injunction barring them from further discussing the presentation Lynn gave on Wednesday. The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees.
My hope is that Cisco realized that continuing with this would be a public-relations disaster.
EDITED TO ADD: Lynn's BlackHat presentation is on line.
EDITED TO ADD: The FBI is getting involved.
EDITED TO ADD: The link to the presentation, above, has been replaced with a cease-and-desist letter. A copy of the presentation is now here.
Automatic Surveillance Via Cell Phone
Your cell phone company knows where you are all the time. (Well, it knows where your phone is whenever it's on.) Turns out there's a lot of information to be mined in that data.
Eagle's Realty Mining project logged 350,000 hours of data over nine months about the location, proximity, activity and communication of volunteers, and was quickly able to guess whether two people were friends or just co-workers....
This is worrisome from a number of angles: government surveillance, corporate surveillance for marketing purposes, criminal surveillance. I am not mollified by this comment:
People should not be too concerned about the data trails left by their phone, according to Chris Hoofnagle, associate director of the Electronic Privacy Information Center.
We're building an infrastructure of surveillance as a side effect of the convenience of carrying our cell phones everywhere.
Risks of Losing Portable Devices
As PDAs become more powerful, and memory becomes cheaper, more people are carrying around a lot of personal information in an easy-to-lose format. The Washington Post has a story about this:
Personal devices "are carrying incredibly sensitive information," said Joel Yarmon, who, as technology director for the staff of Sen. Ted Stevens (R-Alaska), had to scramble over a weekend last month after a colleague lost one of the office's wireless messaging devices. In this case, the data included "personal phone numbers of leaders of Congress. . . . If that were to leak, that would be very embarrassing," Yarmon said.
I've noticed this in my own life. If I didn't make a special effort to limit the amount of information on my Treo, it would include detailed scheduling information from the past six years. My small laptop would include every e-mail I've sent and received in the past dozen years. And so on. A lot of us are carrying around an enormous amount of very personal data.
And some of us are carrying around personal data about other people, too:
Companies are seeking to avoid becoming the latest example of compromised security. Earlier this year, a laptop computer containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from the car of an MCI financial analyst in Colorado. In another case, a former Morgan Stanley employee sold a used BlackBerry on the online auction site eBay with confidential information still stored on the device. And in yet another incident, personal information for 665 families in Japan was recently stolen along with a handheld device belonging to a Japanese power-company employee.
There are several ways to deal with this -- password protection and encryption, of course. More recently, some communications devices can be remotely erased if lost.
Monopolies and DRM
Security has become a strategic concern at Microsoft, but security must not be permitted to become a tool of further monopolization.
A year before that, I wrote about Microsoft's trusted computer system (called Palladium -- Pd for short -- at the time):
Pay attention to the antitrust angle. I guarantee you that Microsoft believes Pd is a way to extend its market share, not to increase competition.
Intel and Microsoft are using DRM technology to cut Linux out of the content market.
This whole East Fork scheme is a failure from the start. It brings nothing positive to the table, costs you money, and rights. If you want to use Linux to view your legitimately purchased media, you will be a criminal. In fact, if you want to take your legitimately bought media with you on a road trip and don't feel the need to pay again for it -- fair use, remember -- you are also a criminal. Wonderful.
UK Police and Encryption
From The Guardian:
Police last night told Tony Blair that they need sweeping new powers to counter the terrorist threat, including the right to detain a suspect for up to three months without charge instead of the current 14 days....
On Channel 4 News today, Sir Ian Blair was asked why the police wanted to extend the time they could hold someone without charges from 14 days to 3 months. Part of his answer was that they sometimes needed to access encrypted computer files and 14 days was not enough time for them to break the encryption.
There's something fishy going on here.
It's certainly possible that password-guessing programs are more successful with three months to guess. But the Regulation of Investigatory Powers (RIP) Act, which went into effect in 2000, already allows the police to jail people who don't surrender encryption keys:
If intercepted communications are encrypted (encoded and made secret), the act will force the individual to surrender the keys (pin numbers which allow users to decipher encoded data), on pain of jail sentences of up to two years.
Encrypted VOIP Phone
Phil Zimmermann (of PGP fame) is about to debut his encrypted VOIP phone project. I presume it will be free and open source, and that the cryptography will be strong enough for any application. I don't know when it will be released, but it's certainly an excellent idea.
Does anyone know of any other encrypted VOIP projects, either open source or otherwise?
How Banks Profit from ID Theft
Wells Fargo is profiting because its customers are afraid of identity theft:
The San Francisco bank, in conjunction with marketing behemoth Trilegiant, is offering a new service called Wells Fargo Select Identity Theft Protection. For $12.99 a month, this includes daily monitoring of one's credit files and assistance in dealing with cases of fraud.
It's reprehensible that Wells Fargo doesn't offer this service for free.
Actually, that's not true. It's smart business for Wells Fargo to charge for this service. It's reprehensible that the regulatory landscape is such that Wells Fargo does not feel it's in its best interest to offer this service for free. Wells Fargo is a for-profit enterprise, and they react to the realities of the market. We need those realities to better serve the people.
Microsoft Builds In Security Bypasses
I am very suspicious of tools that allow you to bypass network security systems. Yes, they make life easier. But if security is important, then all security decisions should be made by a central process; tools that bypass that centrality are very risky.
We're always looking for new things that can allow you to do things uniquely different today. For example, this new feature tool we have would allow me to tunnel directly using HTTP into my corporate Exchange server without having to go through the whole VPN (virtual private network) process, bypassing the need to use a smart card. It's such a huge time-saver, for me at least, compared to how long it takes me now. We will be extending that functionality to the next version of Windows.
That's Martin Taylor, Microsoft's general manager of platform strategy, talking.
The Sorting Door Project
From The Register:
A former CIA intelligence analyst and researchers from SAP plan to study how RFID tags might be used to profile and track individuals and consumer goods.
Domestic Terrorism (U.S.)
Nice MSNBC piece on domestic terrorism in the U.S.:
The sentencing of Eric Rudolph, who bombed abortion clinics, a gay bar and the Atlanta Olympics, ought to be a milestone in the Global War on Terror. In Birmingham, Ala., on Monday he got life without parole. Next month he’ll stack up a couple more life terms in Georgia, which is the least he deserves. (He escaped the death penalty only because he made a deal to help law-enforcement agents find the explosives he had hidden while on the run in North Carolina.) Rudolph killed two people, but not for want of trying to kill many more. In his 1997 attack on an Atlanta abortion clinic, he set off a second bomb meant to take out bystanders and rescue workers. Unrepentant, of course, Rudolph defended his actions as a moral imperative: "Abortion is murder, and because it is murder I believe deadly force is needed to stop it." The Birmingham prosecutor declared that Rudolph had "appointed himself judge, jury and executioner."
We've recently learned that London's Metropolitan Police has a shoot-to-kill policy when dealing with suspected suicide terrorists. The theory is that only a direct headshot will kill the terrorist immediately, and thus destroy the ability to execute a bombing attack.
Roy Ramm, former Met Police specialist operations commander, said the rules for confronting potential suicide bombers had recently changed to "shoot to kill"....
This policy is based on the extremely short-sighted assumption that a terrorist needs to push buttons to make a bomb explode. In fact, ever since World War I, the most common type of bomb carried by a person has been the hand grenade. It is entirely conceivable, especially when a shoot-to-kill policy is known to be in effect, that suicide bombers will use the same kind of dead-man's trigger on their bombs: a detonator that is activated when a button is released, rather than when it is pushed.
This is a difficult one. Whatever policy you choose, the terrorists will adapt to make that policy the wrong one.
The police are now sorry they accidentally killed an innocent they suspected of being a suicide bomber, but I can certainly understand the mistake. In the end, the best solution is to train police officers and then leave the decision to them. But honestly, policies that are more likely to result in living, incarcerated suspects who can be interrogated -- and that recover well from false alarms -- are better than policies that are more likely to result in corpses.
EDITED TO ADD these comments by Nicholas Weaver:
"One other thing: The suspect was on the ground, and immobilized. Thus the decision was made to shoot the suspect, repeatedly (7 times) in the head, based on the perception that he could have been a suicide attacker (who despite being a suicide attacker, wasn't holding a dead-man's switch. Or heck, wire up the bomb to a $50 heart-rate monitor).
"If this is policy, it is STUPID: There is an easy way for the attackers to counter it, and when you have a subway execution of an innocent man, the damage (in the hearts and minds of British Muslims) is immense.
"One thing to remember:
"These were NON uniformed officers, and the suspect was Brazilian (and probably didn't speak very good English).
"Why did he run? What would YOU do if three individuals accosted you, speaking a language which you were unfamiliar with, drawing weapons? You would RUN LIKE HELL!
"I find the blaming the victim ('but he was running!') reprehensible."
ANOTHER EDIT: The consensus seems to be that he spoke English well enough. I don't think we can blame the officers without a whole lot more details about what happened, and possibly not even then. Clearly they were under a lot of stress, and made a split-second decision.
But I think we can reasonably criticize the shoot-to-kill policy that the officers were following. That policy is a threat to our security, and our society.
Last Friday the GAO issued a new report on Secure Flight. It’s couched in friendly language, but it’s not good:
During the course of our ongoing review of the Secure Flight program, we found that TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA's use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA's actions, the public did not receive the full protections of the Privacy Act.
Get that? The TSA violated federal law when it secretly expanded Secure Flight’s use of commercial data about passengers. It also lied to Congress and the public about it.
Much of this isn't new. Last month we learned that:
The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers -- even though officials said they wouldn't do it and Congress told them not to.
Secure Flight is a disaster in every way. The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone. And it is turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist.
Which is exactly what it was not supposed to do in the first place.
For those who have not been following along, Secure Flight is the follow-on to CAPPS-I. (CAPPS stands for Computer Assisted Passenger Pre-Screening.) CAPPS-I has been in place since 1997, and is a simple system to match airplane passengers to a terrorist watch list. A follow-on system, CAPPS-II, was proposed last year. That complicated system would have given every traveler a risk score based on information in government and commercial databases. There was a huge public outcry over the invasiveness of the system, and it was cancelled over the summer. Secure Flight is the new follow-on system to CAPPS-I.
EPIC has more background information.
Back in January, Secure Flight was intended to just be a more efficient system of matching airline passengers with terrorist watch lists.
I am on a working group that is looking at the security and privacy implications of Secure Flight. Before joining the group I signed an NDA agreeing not to disclose any information learned within the group, and to not talk about deliberations within the group. But there's no reason to believe that the TSA is lying to us any less than they're lying to Congress, and there's nothing I learned within the working group that I wish I could talk about. Everything I say here comes from public documents.
In January I gave some general conclusions about Secure Flight. These have not changed.
One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)
What has changed is the scope of Secure Flight. First, it started using data from commercial sources, like Acxiom. (The details are even worse.) Technically, they're testing the use of commercial data, but it's still a violation. Even the DHS started investigating:
The Department of Homeland Security's top privacy official said Wednesday that she is investigating whether the agency's airline passenger screening program has violated federal privacy laws by failing to properly disclose its mission.
The TSA's response to being caught violating their own Privacy Act statements? Revise them:
According to previous official notices, TSA had said it would not store commercial data about airline passengers.
Actually, it's not. And it's better to change the Privacy Act statement before violating the old one. Changing it after the fact just looks bad.
The point of Secure Flight is to match airline passengers against lists of suspected terrorists. But the vast majority of people flagged by this list simply have the same name, or a similar name, as the suspected terrorist: Ted Kennedy and Cat Stevens are two famous examples. The question is whether combining commercial data with the PNR (Passenger Name Record) supplied by the airline could reduce this false-positive problem. Maybe knowing the passenger's address, or phone number, or date of birth, could reduce false positives. Or maybe not; it depends what data is on the terrorist lists. In any case, it’s certainly a smart thing to test.
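As an added illustration of the false-positive argument above (this is not code from the original post; the watch list, the passenger records and the crude matching rule are all constructed for the example), the script below screens a few constructed PNRs against a constructed watch list first on name alone and then on name plus date of birth, and shows that the extra field only clears a same-name traveller when the watch-list entry itself carries a date of birth.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class WatchListEntry:
    """One constructed watch-list record. dob is None when the list holds only a name."""
    name: str
    dob: Optional[str]


@dataclass(frozen=True)
class Pnr:
    """One constructed Passenger Name Record as an airline might supply it."""
    name: str
    dob: Optional[str]


def normalize(name: str) -> str:
    """Lower-case, drop periods, turn commas into spaces, collapse whitespace."""
    return " ".join(name.lower().replace(".", "").replace(",", " ").split())


def name_matches(a: str, b: str) -> bool:
    """Crude matcher (assumption, not any real list-matching rule): same surname and
    either the same first name or a first initial that agrees with the other's first name."""
    ta, tb = normalize(a).split(), normalize(b).split()
    if not ta or not tb or ta[-1] != tb[-1]:
        return False
    fa, fb = ta[0], tb[0]
    same_initial = fa[0] == fb[0] and (len(fa) == 1 or len(fb) == 1)
    return fa == fb or same_initial


def screen(pnrs: List[Pnr], watch_list: List[WatchListEntry], use_dob: bool) -> List[Pnr]:
    """Return the PNRs that would be flagged.

    With use_dob=True a watch-list entry that carries a DOB must also agree with the
    PNR's DOB. An entry with no DOB cannot be disambiguated, so it still flags on name
    alone: the extra field only helps when the list itself contains it.
    """
    flagged = []
    for pnr in pnrs:
        for entry in watch_list:
            if not name_matches(pnr.name, entry.name):
                continue
            if use_dob and entry.dob is not None and pnr.dob is not None and entry.dob != pnr.dob:
                continue  # same name, different birthday: cleared
            flagged.append(pnr)
            break
    return flagged


# Constructed sample data: one listed name with a DOB, one without.
WATCH_LIST = [
    WatchListEntry("R. Jones", "1970-02-14"),
    WatchListEntry("M. Patel", None),
]

PNRS = [
    Pnr("Robert Jones", "1958-06-03"),  # same name, different DOB: a false positive
    Pnr("Robert Jones", "1970-02-14"),  # same name and DOB: stays flagged
    Pnr("Meera Patel", "1982-01-09"),   # listed entry has no DOB: cannot be cleared
    Pnr("Alice Wong", "1990-10-30"),    # no name match at all
]


def flagged_count(use_dob: bool) -> int:
    """Number of sample PNRs flagged under the given matching rule."""
    return len(screen(PNRS, WATCH_LIST, use_dob))


if __name__ == "__main__":
    for use_dob in (False, True):
        hits = screen(PNRS, WATCH_LIST, use_dob)
        label = "name + DOB" if use_dob else "name only"
        print(f"{label}: {len(hits)} flagged -> {[p.name + ' ' + str(p.dob) for p in hits]}")
```

Running it flags three passengers on name alone and two on name plus date of birth; the remaining same-name passenger stays flagged because the watch-list entry has no date of birth to compare against.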
But using commercial data has serious privacy implications, which is why Congress mandated all sorts of rules surrounding the TSA testing of commercial data -- and more rules before it could deploy a final system -- rules that the TSA has decided it can ignore completely.
Commercial data had another use under CAPPS-II. In that now-dead program, every passenger would be subjected to a computerized background check to determine their "risk" to airline safety. The system would assign a risk score based on commercial data: their credit rating, how recently they moved, what kind of job they had, etc. This capability was removed from Secure Flight, but now it's back:
The government will try to determine whether commercial data can be used to detect terrorist "sleeper cells" when it checks airline passengers against watch lists, the official running the project says....
Also this Congressional hearing (emphasis mine):
THOMPSON: There are a couple of questions I'd like to get answered in my mind about Secure Flight. Would Secure Flight pick up a person with strong community roots but who is in a terrorist sleeper cell or would a person have to be a known terrorist in order for Secure Flight to pick him up?
My fear is that TSA has already decided that they’re going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give them a risk score? So we're back to CAPPS-II, the very system Congress killed last summer. Actually, we're very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.
Secure Flight is a mess in lots of other ways, too. A March GAO report said that Secure Flight had not met nine out of the ten conditions mandated by Congress before TSA could spend money on implementing the program. (If you haven't read this report, it's pretty scathing.) The redress problem -- helping people who cannot fly because they share a name with a terrorist -- is not getting any better. And Secure Flight is behind schedule and over budget.
It's also a rogue program that is operating in flagrant disregard for the law. It can’t be killed completely; the Intelligence Reform and Terrorism Prevention Act of 2004 mandates that TSA implement a program of passenger prescreening. And until we have Secure Flight, airlines will still be matching passenger names with terrorist watch lists under the CAPPS-I program. But it needs some serious public scrutiny.
EDITED TO ADD: Anita Ramasastry's commentary is worth reading.
There is a great discussion about profiling going on in the comments to the previous post. To help, here is what I wrote on the subject in Beyond Fear (pp. 133-7):
Good security has people in charge. People are resilient. People can improvise. People can be creative. People can develop on-the-spot solutions. People can detect attackers who cheat, and can attempt to maintain security despite the cheating. People can detect passive failures and attempt to recover. People are the strongest point in a security process. When a security system succeeds in the face of a new or coordinated or devastating attack, it's usually due to the efforts of people.
A couple of other points (not from the book):
Searching Bags in Subways
The New York City police will begin randomly searching people's bags on subways, buses, commuter trains, and ferries.
"The police can and should be aggressively investigating anyone they suspect is trying to bring explosives into the subway," said Christopher Dunn, associate legal director at the New York Civil Liberties Union. "However, random police searches of people without any suspicion of wrongdoing are contrary to our most basic constitutional values. This is a very troubling announcement."
If the choice is between random searching and profiling, then random searching is a more effective security countermeasure. But Dunn is correct above when he says that there are some enormous trade-offs in liberty. And I don't think we're getting very much security in return.
Especially considering this:
[Police Commissioner Raymond] Kelly stressed that officers posted at subway entrances would not engage in racial profiling, and that passengers are free to "turn around and leave."
"Okay guys; here are your explosives. If one of you gets singled out for a search, just turn around and leave. And then go back in via another entrance, or take a taxi to the next subway stop."
And I don't think they'll be truly random, either. I think the police doing the searching will profile, because that's what happens.
It's another "movie plot threat." It's another "public relations security system." It's a waste of money, it substantially reduces our liberties, and it won't make us any safer.
Final note: I often get comments along the lines of "Stop criticizing stuff; tell us what we should do." My answer is always the same. Counterterrorism is most effective when it doesn't make arbitrary assumptions about the terrorists' plans. Stop searching bags on the subways, and spend the money on 1) intelligence and investigation -- stopping the terrorists regardless of what their plans are, and 2) emergency response -- lessening the impact of a terrorist attack, regardless of what the plans are. Countermeasures that defend against particular targets, or assume particular tactics, or cause the terrorists to make insignificant modifications in their plans, or that surveil the entire population looking for the few terrorists, are largely not worth it.
EDITED TO ADD: A Citizen's Guide to Refusing New York Subway Searches.
Visa and Amex Drop CardSystems
Remember CardSystems Solutions, the company that exposed over 40 million identities to potential fraud? (The actual number of identities that will be the victims of fraud is almost certainly much, much lower.)
Both Visa and American Express are dropping them as a payment processor:
Within hours of the disclosure that Visa was seeking a replacement for CardSystems Solutions, American Express said Tuesday it would no longer do business with the company beginning in October.
The biggest problem with CardSystems' actions wasn't that it had bad computer security practices, but that it had bad business practices. It was holding exception files with personal information even though it was not supposed to. It was not for marketing, as I originally surmised, but to find out why transactions were not being authorized. It was disregarding the rules it agreed to follow.
Technical problems can be remediated. A dishonest corporate culture is much harder to fix. This is what I sense reading between the lines:
Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.
CardSystems Solutions Inc. "has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," said Rosetta Jones, a spokeswoman for Foster City, Calif.-based Visa....
At this point, it is unclear what MasterCard and Discover will do.
MasterCard International Inc. is taking a different tack with CardSystems. The credit card company expects CardSystems to develop a plan for improving its security by Aug. 31, "and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated," spokeswoman Sharon Gamsin said.
I think this is a positive development. I have long said that companies like CardSystems won't clean up their acts unless there are consequences for not doing so. Credit card companies dropping CardSystems sends a strong message to the other payment processors: improve your security if you want to stay in business.
(Some interesting legal opinions on the larger issue of disclosure are here.)
Anti-Missile Defenses for Commercial Aircraft
In yet another "movie-plot threat" defense, the U.S. government is starting to test anti-missile lasers on commercial aircraft.
It could take years before passenger planes carry protection against missiles, a weapon terrorists might use to shoot down jets and cause economic havoc in the airline industry. The tests will help the nation's leaders decide if they should install laser systems on all 6,800 aircraft in the U.S. airline fleet at a cost of at least $6 billion.
I think the airline industry is missing something here. If they linked the anti-missile lasers with the in-seat entertainment systems, cross-country flights would be much more exciting.
New Cybersecurity Position at DHS
There's a major reorganization going on at the Department of Homeland Security. One of the effects is the creation of a new post: assistant secretary for cyber and telecommunications security.
Honestly, it doesn't matter where the nation's cybersecurity chief sits in the organizational chart. If he has the authority to spend money and write regulations, he can do good. If he only has the power to suggest, plead, and cheerlead, he'll be as frustrated as all the previous ones were.
How to Not Fix the ID Problem
Several of the 9/11 terrorists had Virginia driver's licenses in fake names. These were not forgeries; these were valid Virginia IDs that were illegally sold by Department of Motor Vehicle workers.
So what did Virginia do to correct the problem? They required more paperwork in order to get an ID.
But the problem wasn't that it was too easy to get an ID. The problem was that insiders were selling them illegally. Which is why the Virginia "solution" didn't help, and the problem remains:
The manager of the Virginia Department of Motor Vehicles office at Springfield Mall was charged yesterday with selling driver's licenses to illegal immigrants and others for up to $3,500 apiece.
And after we spend billions on the REAL ID act, and require even more paperwork to get a state ID, the problem will still remain.
Turning Cell Phones off in Tunnels
In response to the London bombings, officials turned off cell phones in tunnels around New York City, in an attempt to thwart bombers who might use cell phones as remote triggering devices. (Phone service has been restored in two of the four tunnels. As far as I know, it is still not available in the other two.)
This is as idiotic as it gets. It's a perfect example of what I call "movie plot security": imagining a particular scenario rather than focusing on the broad threats. It's completely useless if a terrorist uses something other than a cell phone: a kitchen timer, for example. Even worse, it harms security in the general case. Have people forgotten how cell phones saved lives on 9/11? Communication benefits the defenders far more than it benefits the attackers.
Thinking About Suicide Bombers
Remember the 1996 movie Independence Day? One of the characters was a grizzled old fighter pilot who had been kidnapped and degraded by the alien invaders years before. He flew his plane into the alien spaceship when his air-to-air missile jammed, causing the spaceship to explode. Everybody in the movie, as well as the audience, considered this suicide bomber a hero.
What's the difference?
Partly it's which side you're rooting for, but mostly it's that the pilot defended his planet by attacking the invaders. Terrorism targets innocents, and no one is a hero for killing innocents. Killing people who are invading and occupying your planet -- or country -- can be heroic, as can sacrificing yourself in the process.
This is an interesting observation in light of the previous post, where a professor makes the observation that the motivation of suicide terrorism is to repel what is perceived to be an occupation force.
What are the lessons here for Iraq? I think there are three. One, the insurgents (or whatever we're calling them these days) would do best by attacking military targets and not civilian ones. Two, the coalition forces (or whatever we're calling them these days) need to do everything they can not to be perceived as invaders or occupiers. And three, the terrorists should try to advance a worldview where there are no innocents, only invaders and occupiers. To the extent that the bombing victims are perceived to be invaders and occupiers, those who kill them defending their country will be viewed as heroic by the people.
There are no lessons for London. There was no invasion. Every victim was an innocent. No one should consider the terrorists heroes.
Causes of Suicide Terrorism
Here's an absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980.
RP: This wealth of information creates a new picture about what is motivating suicide terrorism. Islamic fundamentalism is not as closely associated with suicide terrorism as many people think. The world leader in suicide terrorism is a group that you may not be familiar with: the Tamil Tigers in Sri Lanka.
UPDATED TO ADD: Salon reviewed the book.
Secure RSS Syndication
Seems like a good idea to me.
London Bombing and the Usefulness of Terrorist Watch Lists
According to the London Times:
Security sources confirmed that none of the bombers was on any MI5 file, although one had links to a person investigated by police.
NIST Publication on Discrete Log Crypto
NIST (The United States' National Institute of Standards and Technology) has released a draft of "Special Publication 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography." They're looking for comments before the document is finalized. Send comments to firstname.lastname@example.org by Friday, August 19th, with "Comments on SP800-56" in the subject line.
The problem with spyware is that it can be in the eye of the beholder. There are companies that decry the general problem, but have their own software report back to a central server.
This kind of thing can result in a conflict of interest: "Spyware is spyware only if I don't have a corporate interest in it." Here's the most recent example:
Microsoft's Windows AntiSpyware application is no longer flagging adware products from Claria Corp. as a threat to PC users.
If you're a user of AntiSpyware, you can fix this. Claria's spyware is now flagged as "Ignore" by default, but you can still change the action to "Quarantine" or "Remove." I recommend "Remove."
Edited to add: Actually, I recommend using a different anti-spyware program.
Security Risks of Airplane WiFi
Federal law enforcement officials, fearful that terrorists will exploit emerging in-flight broadband services to remotely activate bombs or coordinate hijackings, are asking regulators for the power to begin eavesdropping on any passenger's internet use within 10 minutes of obtaining court authorization.
Terrorists never use SSH, after all. (I suppose that's the next thing the DHS is going to try to ban.)
Forged Documents in National Archives Change History
A recently published book claims that Himmler was murdered by the British Special Operations Executive, rather than committing suicide after the Allies captured him. The book was based on documents found -- apparently in good faith -- in the UK's National Archive, which now appear to have been faked and inserted.
Documents from the National Archives used to substantiate claims that British intelligence agents murdered Heinrich Himmler in 1945 are forgeries, The Daily Telegraph can reveal today.
It seems that the security effort at the National Archives is directed towards preventing people from removing documents. But the effects of adding forged documents could be much worse.
In December, I gave a long interview to a literary magazine called Turnrow. That interview was finally published, and it's even better than I remembered.
Stealing WiFi Access
Police have arrested a man for using someone else's wireless Internet network in one of the first criminal cases involving this fairly common practice.
Near as I can tell, there was no other criminal activity involved. The man who used someone else's wireless wasn't doing anything wrong with it; he was just using the Internet.
Security Risks of Street Photography
Interesting article on the particular art form of street photography. One ominous paragraph:
More onerous are post-9/11 restrictions that have placed limits on photographing in public settings. Tucker has received e-mails from professionals detained by authorities for photographing bridges and elevated trains. "There are places where photographing people on the street may become illegal," observes Westerbeck.
New York Times on Identity Theft
I got some really good quotes in this New York Times article on identity theft:
Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,'" said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."
Terrorism Defense: A Failure of Imagination
The 9/11 Commission report talked about a "failure of imagination" before the 9/11 attacks:
The most important failure was one of imagination. We do not believe leaders understood the gravity of the threat. The terrorist danger from Bin Ladin and al Qaeda was not a major topic for policy debate among the public, the media, or in the Congress. Indeed, it barely came up during the 2000 presidential campaign.
More generally, this term has been used to describe the U.S. government's response to the terrorist threat. We spend a lot of money defending against what they did last time, or against particular threats we imagine, but ignore the general threat or the root causes of terrorism.
With the London bombings, we're doing it again. I was going to write a long post about this, but Richard Forno already wrote a nice essay.
The London bombs went off over 12 hours ago.
Surveillance Cameras and Terrorism
I was going to write something about the foolishness of adding cameras to public spaces as a response to terrorism threats, but Scott Henson said it already:
Homeland Security Ubermeister Michael Chertoff just told NBC's Tim Russert on Meet the Press this morning that the United States should invest in "cameras and dogs" to protect subway, rail and bus transit systems from terrorist attacks.
The Hymn Project exists to break the iTunes mp4 copy-protection scheme, so you can hear the music you bought on any machine you want.
The purpose of the Hymn Project is to allow you to exercise your fair-use rights under copyright law. The various software provided on this web site allows you to free your iTunes Music Store purchases (protected AAC / .m4p) from their DRM restrictions with no loss of sound quality. These songs can then be played outside of the iTunes environment, even on operating systems not supported by iTunes and on hardware not supported by Apple.
Initially, the software recovered your iTunes password (your key, basically) from your hard drive. In response, Apple obfuscated the format and no one has yet figured out how to recover the keys cleanly. To get around this, they developed a program called FairKeys that impersonates iTunes and contacts the server. Since the iTunes client can still get your password, this works.
FairKeys ... pretends to be a copy of iTunes running on an imaginary computer, one of the five computers that you're currently allowed to authorize for playing your iTMS purchases. FairKeys logs into Apple's web servers to get your keys the same way iTunes does when it needs to get new keys. At least for now, at this stage of the cat-and-mouse game, FairKeys knows how to request your keys and how to decode the response which contains your keys, and once it has those keys it can store them for immediate or future use by JHymn.
More security by inconvenience, and yet another illustration of the neverending arms race between attacker and defender.
The Doghouse: Privacy.li
This company has a heartwarming description on its website:
PRIVACY.LI - Privacy from the Principality of Liechtenstein, in the heart of the Alps, nestled between Switzerland and Austria. In times of turmoil and insecurity, witch hunt and suspicions, expropriations and diminishing credibility of our world leaders it's always good to have a place you can turn to. This is the humble effort to provide a place to the privacy and freedom concerned world citizens to meet, discuss, help each other and foster one's desire for liberty and freedom.
But they have no intention of letting their customers know anything about themselves.
Oh yeah, and their "DriveCrypt" product includes "real Time, 1344 bit - Military Strength encryption."
Somehow, my heart is no longer warm.
London Transport Bombings
I am on vacation today and this weekend, and won't be able to read about the London Transport bombings in depth until Monday. For now I would just like to express my sympathy and condolences to those directly affected, and the good people of London, England, Europe, and the world. Targeting innocents might be an effective tactic, but that doesn't make it any less craven and despicable.
I would also like to urge everyone not to get wrapped up in the particulars of the terrorist tactics. We need to resist the urge to react to the particulars of this plot, and to keep focused on the terrorists' goals. Spending billions to defend our trains and buses at the expense of other counterterrorist measures makes no sense. Terrorists are out to cause terror, and they don't care if they bomb trains, buses, shopping malls, theaters, stadiums, schools, markets, restaurants, discos, or any other collection of 100 people in a small space. There are simply too many targets to defend, and we need to think smarter than protecting the particular targets the terrorists attacked last week.
Smart counterterrorism focuses on the terrorists and their funding -- stopping plots regardless of their targets -- and emergency response that limits their damage.
I'll have more to say later. But again, my sympathy goes out to those killed and injured, their family and friends, and everyone else in the world indirectly affected by these acts as they are endlessly repeated in the media.
Millimeter-Wave Detection System
Russia's Black-Market Data Trade
Interesting story on the market for data in Moscow:
This Gorbushka vendor offers a hard drive with cash transfer records from Russia's central bank for $1,500 (Canadian).
At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?
I don't know whether you can buy data about people in other countries, but it is certainly plausible.
Noticing Data Misuse
Everyone seems to be looking at their databases for personal information leakages.
Tax liens, mortgage papers, deeds, and other real estate-related documents are publicly available in on-line databases run by registries of deeds across the state. The Globe found documents in free databases of all but three Massachusetts counties containing the names and Social Security numbers of Massachusetts residents....
Isn't that part of the problem, though? It's easy to say "we haven't seen any cases of fraud using our information," because there's rarely a way to tell where information comes from. The recent epidemic of public leaks comes from people noticing the leak process, not the effects of the leaks. So everyone thinks their data practices are good, because there have never been any documented abuses stemming from leaks of their data, and everyone is fooling themselves.
A Comment on the UK National ID Card Program
An amusing Flash animation featuring a musical opinion of Clarke's proposed UK national ID card.
Evaluating the Effectiveness of Security Countermeasures
Amidst all the emotional rhetoric about security, it's nice to see something well-reasoned. This New York Times op-ed by Nicholas Kristof looks at security as a trade-off, and makes a distinction between security countermeasures that reduce the threat and those that simply shift it.
The op ed starts with countermeasures against car theft.
Sold for $695, the LoJack is a radio transmitter that is hidden on a vehicle and then activated if the car is stolen. The transmitter then silently summons the police - and it is ruining the economics of auto theft....
This model could be applied to home burglar alarms:
Conventional home alarms are accompanied by warning signs and don't reduce crime but simply shift the risk to the next house. What if we encouraged hidden silent alarms to change the economics of burglary?
I wrote about this in Beyond Fear:
A burglar who sees evidence of an alarm system is more likely to go rob the house next door. As far as the local police station is concerned, this doesn't mitigate the risk at all. But for the homeowner, it mitigates the risk just fine.
The difference is the perspective of the defender.
Problems with perspectives show up in counterterrorism defenses all the time. Also from Beyond Fear:
It's important not to lose sight of the forest for the trees. Countermeasures often focus on preventing particular terrorist acts against specific targets, but the scope of the assets that need to be protected encompasses all potential targets, and they all must be considered together. A terrorist's real target is morale, and he really doesn't care about one physical target versus another. We want to prevent terrorist acts everywhere, so countermeasures that simply move the threat around are of limited value. If, for example, we spend a lot of money defending our shopping malls, and bombings subsequently occur in crowded sports stadiums or movie theaters, we haven't really received any value from our countermeasures.
I like seeing thinking like this in the media, and wish there were more of it.
Much has been written about the insecurity of passwords. Aside from being guessable, people are regularly tricked into providing their passwords to rogue servers because they can't distinguish spoofed windows and webpages from legitimate ones.
Here's a clever scheme by Rachna Dhamija and Doug Tygar at the University of California Berkeley that tries to deal with the problem. It's called "Dynamic Security Skins," and it's a pair of protocols that augment passwords.
First, the authors propose creating a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user's personal image, it is safe for the user to enter his password.
Second, to prove its identity, the server generates a unique abstract image for each user and each transaction. This image is used to create a "skin" that automatically customizes the browser window or the user interface elements in the content of a webpage. The user's browser can independently compute the same image that it expects to receive from the server, because the image is derived from a secret the two sides share and a value that changes every transaction. To verify the server, the user only has to visually verify that the images match.
Not a perfect solution by any means -- much Internet fraud bypasses authentication altogether -- but two clever ideas that use visual cues to ensure security. You can also verify server authenticity by inspecting the SSL certificate, but no one does that. With this scheme, the user has to recognize only one image and remember one password, no matter how many servers he interacts with. In contrast, the recently announced Site Key (Bank of America's implementation of the Passmark scheme) requires users to save a different image with each server.
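The server-authentication half of the scheme, as an added example that is not code from the original post or from Dhamija and Tygar's paper. The paper derives its per-session secret with SRP (so the password itself never crosses the wire) and renders it with Random Art; here PBKDF2 stands in for SRP, a drunken-bishop walk of the kind OpenSSH uses for its randomart stands in for Random Art, and the grid size, palette, salt, nonce and all function names are assumptions for the demo. What it shows is the property that matters: the real server and the user's browser draw the same picture for a given transaction, a phishing server that does not hold the user's secret cannot, and the picture changes from one transaction to the next so a captured skin cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for the demo (assumptions, not values from the paper).
GRID_W, GRID_H = 17, 9
PALETTE = " .o+=*BOX@%&#/^SE"


def shared_secret(password: str, salt: bytes) -> bytes:
    """Secret both sides can compute from the password at enrollment.
    The paper uses SRP for this; PBKDF2 is a stand-in so the demo runs offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def transaction_key(secret: bytes, nonce: bytes) -> bytes:
    """Per-transaction value: HMAC of a server-chosen nonce under the shared
    secret. A fresh nonce gives a fresh skin, so an observed skin is not reusable."""
    return hmac.new(secret, b"skin|" + nonce, hashlib.sha256).digest()


def visual_hash(key: bytes) -> str:
    """Deterministic 'abstract image' from key bits: walk a cursor over a grid,
    two bits per step, and draw a glyph for how often each cell was visited.
    Same key -> same picture; different keys -> visibly different pictures."""
    grid = [[0] * GRID_W for _ in range(GRID_H)]
    x, y = GRID_W // 2, GRID_H // 2
    for byte in key:
        for shift in range(0, 8, 2):
            bits = (byte >> shift) & 3
            x += 1 if bits & 1 else -1
            y += 1 if bits & 2 else -1
            x = min(max(x, 0), GRID_W - 1)   # clamp to the grid edges
            y = min(max(y, 0), GRID_H - 1)
            grid[y][x] = min(grid[y][x] + 1, len(PALETTE) - 1)
    return "\n".join("".join(PALETTE[c] for c in row) for row in grid)


def server_skin(stored_secret: bytes, nonce: bytes) -> str:
    """What a server sends as the skin for this transaction. A phisher only
    has whatever secret it guessed, so its skin will not match the user's."""
    return visual_hash(transaction_key(stored_secret, nonce))


def browser_skin(password: str, salt: bytes, nonce: bytes) -> str:
    """What the user's browser computes locally from the password and the
    nonce the server announced. The user compares this with the server's skin."""
    return visual_hash(transaction_key(shared_secret(password, salt), nonce))


if __name__ == "__main__":
    salt = b"constructed-demo-salt"          # constructed for the demo
    nonce = secrets.token_bytes(16)          # chosen fresh by the server per transaction
    enrolled = shared_secret("correct horse battery", salt)   # held by the real server

    expected = browser_skin("correct horse battery", salt, nonce)
    print("browser expects:\n" + expected)
    print("\nreal server matches:", server_skin(enrolled, nonce) == expected)
    phisher = shared_secret("wrong guess", salt)               # attacker has no secret
    print("phishing server matches:", server_skin(phisher, nonce) == expected)
```

The comparison is done by the user's eyes, not by code, which is the whole point of the design: the browser never has to tell the server the secret, and the server never has to show the browser anything a phisher could copy. Do not tie the skin to a fixed value per user, as a per-user image alone can be harvested once and replayed forever.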
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.