Bruce Schneier | ||||
Schneier on SecurityA blog covering security and security technology. « July 2005 | Main | September 2005 » August 2005 Archives276 British SpiesThe website Cryptome has a list of 276 MI6 agents: This combines three lists of MI6 officers published here on 13 May 1999 (116 names), 21 August 2005 (74 names), and 27 August 2005 (121 names). According to Silicon.com: It is not the first time this kind of information has been published on the internet and Foreign Office policy is to neither confirm nor deny the accuracy of such lists. But a spokesman slammed its publication for potentially putting lives in danger. On the other hand: The website is run by John Young, who "welcomes" secret documents for publication and recently said there was a "need to name as many intelligence officers and agents as possible". Discuss. Posted on August 31, 2005 at 02:28 PM • 63 Comments • View Blog Reactions Trusted Computing Best PracticesThe Trusted Computing Group (TCG) is an industry consortium that is trying to build more secure computers. They have a lot of members, although the board of directors consists of Microsoft, Sony, AMD, Intel, IBM, SUN, HP, and two smaller companies who are voted on in a rotating basis. The basic idea is that you build a computer from the ground up securely, with a core hardware "root of trust" called a Trusted Platform Module (TPM). Applications can run securely on the computer, can communicate with other applications and their owners securely, and can be sure that no untrusted applications have access to their data or code. This sounds great, but it's a double-edged sword. The same system that prevents worms and viruses from running on your computer might also stop you from using any legitimate software that your hardware or operating system vendor simply doesn't like. The same system that protects spyware from accessing your data files might also stop you from copying audio and video files. The same system that ensures that all the patches you download are legitimate might also prevent you from, well, doing pretty much anything. (Ross Anderson has an excellent FAQ on the topic. I wrote about it back when Microsoft called it Palladium.) In May, the Trusted Computing Group published a best practices document: "Design, Implementation, and Usage Principles for TPM-Based Platforms." Written for users and implementers of TCG technology, the document tries to draw a line between good uses and bad uses of this technology. The principles that TCG believes underlie the effective, useful, and acceptable design, implementation, and use of TCG technologies are the following: It's basically a good document, although there are some valid criticisms. I like that the document clearly states that coercive use of the technology -- forcing people to use digital rights management systems, for example, are inappropriate: The use of coercion to effectively force the use of the TPM capabilities is not an appropriate use of the TCG technology. I like that the document tries to protect user privacy: All implementations of TCG-enabled components should ensure that the TCG technology is not inappropriately used for data aggregation of personal information/ I wish that interoperability were more strongly enforced. The language has too much wiggle room for companies to break interoperability under the guise of security: Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security. That sounds good, but what does "security" mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG technology is that it can be used to further all three of these "security" goals, and this document is where "security" should be better defined. Complaints aside, it's a good document and we should all hope that companies follow it. Compliance is totally voluntary, but it's the kind of document that governments and large corporations can point to and demand that vendors follow. But there's something fishy going on. Microsoft is doing its best to stall the document, and to ensure that it doesn't apply to Vista (formerly known as Longhorn), Microsoft's next-generation operating system. The document was first written in the fall of 2003, and went through the standard review process in early 2004. Microsoft delayed the adoption and publication of the document, demanding more review. Eventually the document was published in June of this year (with a May date on the cover). Meanwhile, the TCG built a purely software version of the specification: Trusted Network Connect (TNC). Basically, it's a TCG system without a TPM. The best practices document doesn't apply to TNC, because Microsoft (as a member of the TCG board of directors) blocked it. The excuse is that the document hadn't been written with software-only applications in mind, so it shouldn't apply to software-only TCG systems. This is absurd. The document outlines best practices for how the system is used. There's nothing in it about how the system works internally. There's nothing unique to hardware-based systems, nothing that would be different for software-only systems. You can go through the document yourself and replace all references to "TPM" or "hardware" with "software" (or, better yet, "hardware or software") in five minutes. There are about a dozen changes, and none of them make any meaningful difference. The only reason I can think of for all this Machiavellian maneuvering is that the TCG board of directors is making sure that the document doesn't apply to Vista. If the document isn't published until after Vista is released, then obviously it doesn't apply. Near as I can tell, no one is following this story. No one is asking why TCG best practices apply to hardware-based systems if they're writing software-only specifications. No one is asking why the document doesn't apply to all TCG systems, since it's obviously written without any particular technology in mind. And no one is asking why the TCG is delaying the adoption of any software best practices. I believe the reason is Microsoft and Vista, but clearly there's some investigative reporting to be done. (A version of this essay previously appeared on CNet's News.com and ZDNet.) EDITED TO ADD: This comment completely misses my point. Which is odd; I thought I was pretty clear. EDITED TO ADD: There is a thread on SlashDot on the topic. EDITED TO ADD: The Sydney Morning Herald republished this essay. Also "The Age." Posted on August 31, 2005 at 08:27 AM • 56 Comments • View Blog Reactions Unintended Information RevelationHere's a new Internet data-mining research program with a cool name: Unintended Information Revelation: Existing search engines process individual documents based on the number of times a key word appears in a single document, but UIR constructs a concept chain graph used to search for the best path connecting two ideas within a multitude of documents. I'm a big fan of research, and I'm glad to see it being done. But I hope there is a lot of discussion and debate before we deploy something like this. I want to be convinced that the false positives don't make it useless as an intelligence-gathering tool. Posted on August 30, 2005 at 12:53 PM • 15 Comments • View Blog Reactions Tamper-Evident Paper MailingsWe've all received them in the mail: envelopes from banks with PINs, access codes, or other secret information. The letters are somewhat tamper-proof, but mostly they're designed to be tamper-evident: if someone opens the letter and reads the information, you're going to know. The security devices include fully sealed packaging, and black inks that obscure the secret information if you hold the envelope up to the light. Researchers from Cambridge University have been looking at the security inherent in these systems, and they've written a paper that outlines how to break them: Abstract. Tamper-evident laser-printed PIN mailers are used by many institutions to issue PINs and other secrets to individuals in a secure manner. Such mailers are created by printing the PIN using a normal laser, but on to special stationery and using a special font. The background of the stationery disguises the PIN so that it cannot be read with the naked eye without tampering. We show that currently deployed PIN mailer technology (used by the major UK banks) is vulnerable to trivial attacks that reveal the PIN without tampering. We describe image processing attacks, where a colour difference between the toner and the stationary "masking pattern" is exploited. We also describe angled light attacks, where the reflective properties of the toner and stationery are exploited to allow the naked eye to separate the PIN from the backing pattern. All laser-printed mailers examined so far have been shown insecure. According to a researcher website: It should be noted that we sat on this report for about 9 months, and the various manufacturers all have new products which address to varying degrees the issues raised in the report. BBC covered the story. Posted on August 30, 2005 at 07:59 AM • 20 Comments • View Blog Reactions Security at VisaGood article on security at Visa in light of the CardSystems fiasco. (The article echoes some of the security arguments I made in this post.) Posted on August 29, 2005 at 01:57 PM • 12 Comments • View Blog Reactions Identity Thief Steals HouseFrom Plastic: James Cook left on a business trip to Florida, and his wife Paula went to Oklahoma to care for her sick mother. When the two returned to Frisco, Texas, several days later, their keys didn't work. The locks on the house had been changed. This is a perfect example of the sort of fraud issue that a national ID card won't solve. The problem is not that identity credentials are too easy to forge. The problem is that the criminal needed nothing more than "Mrs. Cook's Social Security number, driver's license number and a copy of her signature." And the solution isn't a harder-to-forge card; the solution is to make the procedure for transferring real-estate ownership more onerous. If the Denton County Courthouse had better transaction authentication procedures, the particulars of identity authentication -- a national ID, a state driver's license, biometrics, or whatever -- wouldn't matter. If we are ever going to solve identity theft, we need to think about it properly. The problem isn't misused identity information; the problem is fraudulent transactions. Posted on August 29, 2005 at 07:42 AM • 55 Comments • View Blog Reactions Privacy Risks of Used Cell PhonesIgnore the corporate sleaziness by Cingular for the moment -- they sold used cell phones meant for charity -- and focus on the privacy implications. Cingular didn't erase any of the personal information on the used phones they sold. This reminds me of Simson Garfinkel's analysis of used hard drives. He found that 90% of them contained old data, some of it very private and interesting. Erasing data is one of the big problems of the information age. We know how to do it, but it takes time and we mostly don't bother. And sadly, these kinds of privacy violations are more the norm than the exception. I don't think it will get better unless Cingular becomes liable for violating its customers' privacy like that. EDITED TO ADD: I already wrote about the risks of losing small portable devices. Posted on August 26, 2005 at 02:58 PM • 45 Comments • View Blog Reactions Peggy Noonan and Movie-Plot Terrorist ThreatsPeggy Noonan is opposed to the current round of U.S. base closings because, well, basically because she thinks they'll be useful if the government ever has to declare martial law. I don't know anything about military bases, and what should be closed or remain open. What's interesting to me is that her essay is a perfect example of thinking based on movie-plot threats: Among the things we may face over the next decade, as we all know, is another terrorist attack on American soil. But let's imagine the next one has many targets, is brilliantly planned and coordinated. Imagine that there are already 100 serious terror cells in the U.S., two per state. The members of each cell have been coming over, many but not all crossing our borders, for five years. They're working jobs, living lives, quietly planning. This game of "let's imagine" really does stir up emotions, but it's not the way to plan national security policy. There's a movie plot to justify any possible national policy, and another to render that same policy ineffectual. This of course is pure guessing on my part. I can't prove it with data. That's precisely the problem. Posted on August 26, 2005 at 11:37 AM • 59 Comments • View Blog Reactions U.S. Government Computers Attacked from ChinaFrom the Washington Post: Web sites in China are being used heavily to target computer networks in the Defense Department and other U.S. agencies, successfully breaching hundreds of unclassified networks, according to several U.S. officials. Posted on August 26, 2005 at 07:59 AM • 28 Comments • View Blog Reactions Actors Playing New York City PolicemenDid you know you could be arrested for carrying a police uniform in New York City? With security tighter in the Big Apple since Sept. 11, 2001, the union that represents TV and film actors has begun advising its New York-area members to stop buying police costumes or carrying them to gigs, even if their performances require them. This seems like overkill to me. I understand that a police uniform is an authentication device -- not a very good one, but one nonetheless -- and we want to make it harder for the bad guys to get one. But there's no reason to prohibit screen or stage actors from having police uniforms if it's part of their job. This seems similar to the laws surrounding lockpicks: you can be arrested for carrying them without a good reason, but locksmiths are allowed to own the tools of their trade. Here's another bit from the article: Under police department rules, real officers must be on hand any time an actor dons a police costume during a TV or film production. I guess that's to prevent the actor from actually impersonating a policeman. But how often does that actually happen? Is this a good use of police manpower? Does anyone know how other cities and countries handle this? Posted on August 25, 2005 at 12:52 PM • 57 Comments • View Blog Reactions A Socio-Technical Approach to Internet SecurityInteresting research grant from the NSF: Technical security measures are often breached through social means, but little research has tackled the problem of system security in the context of the entire socio-technical system, with the interactions between the social and technical parts integrated into one model. Similar problems exist in the field of system safety, but recently a new accident model has been devised that uses a systems-theoretic approach to understand accident causation. Systems theory allows complex relationships between events and the system as a whole to be taken into account, so this new model permits an accident to be considered not simply as arising from a chain of individual component failures, but from the interactions among system components, including those that have not failed. Posted on August 25, 2005 at 07:38 AM • 7 Comments • View Blog Reactions Cameras in the New York City SubwaysNew York City is spending $212 million on surveillance technology: 1,000 video cameras and 3,000 motion sensors for the city's subways, bridges, and tunnels. Why? Why, given that cameras didn't stop the London train bombings? Why, when there is no evidence that cameras are effectice at reducing either terrorism and crime, and every reason to believe that they are ineffective? One reason is that it's the "movie plot threat" of the moment. (You can hear the echos of the movie plots when you read the various quotes in the news stories.) The terrorists bombed a subway in London, so we need to defend our subways. The other reason is that New York City officials are erring on the side of caution. If nothing happens, then it was only money. But if something does happen, they won't keep their jobs unless they can show they did everything possible. And technological solutions just make everyone feel better. If I had $212 million to spend to defend against terrorism in the U.S., I would not spend it on cameras in the New York City subways. If I had $212 million to defend New York City against terrorism, I would not spend it on cameras in the subways. This is nothing more than security theater against a movie plot threat. On the plus side, the money will also go for a new radio communications system for subway police, and will enable cell phone service in underground stations, but not tunnels. Posted on August 24, 2005 at 01:10 PM • 73 Comments • View Blog Reactions Ambient Radiation SensorsHere's a piece of interesting research out of Ohio State: it's a passive sensor that could be cheaper, better, and less intrusive than technologies like backscatter X-rays: "Unlike X-ray machines or radar instruments, the sensor doesn't have to generate a signal to detect objects it spots them based on how brightly they reflect the natural radiation that is all around us every day." First millimeter-wave detection systems, and now this. There's some interesting research in remote sensing going on, and there are sure to be some cool security applications. Posted on August 24, 2005 at 08:17 AM • 12 Comments • View Blog Reactions Bluetooth SpamAdvertisers are beaming unwanted content to Bluetooth phones at a distance of 100 meters. Sure, it's annoying, but worse, there are serious security risks. Don't believe this: Furthermore, there is no risk of downloading viruses or other malware to the phone, says O'Regan: "We don't send applications or executable code." The system uses the phone's native download interface so they should be able to see the kind of file they are downloading before accepting it, he adds. This company might not send executable code, but someone else certainly could. And what percentage of people who use Bluetooth phones can recognize "the kind of file they are downloading"? We've already seen two ways to steal data from Bluetooth devices. And we know that more and more sensitive data is being stored on these small devices, increasing the risk. This is almost certainly another avenue for attack. Posted on August 23, 2005 at 12:24 PM • 37 Comments • View Blog Reactions RFID in British License PlatesThe British government is testing a scheme to put active -- the kind that are independently powered -- RFID chips in automobile license plates. They can be read at least 300 feet away, and probably much, much further. Posted on August 23, 2005 at 07:24 AM • 37 Comments • View Blog Reactions Bluetooth As a Laptop SensorThieves are using Bluetooth phones to find Bluetooth-enabled laptops in parked cars, which they then steal. Nice example of unintended security consequences of a new technology. And more evidence that new features need to be turned off by default. Posted on August 22, 2005 at 01:20 PM • 37 Comments • View Blog Reactions The Kutztown 13Thirteen Pennsylvania high-school kids -- Kutztown 13 -- are being charged with felonies: They're being called the Kutztown 13 -- a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden internet goodies and using monitoring software to spy on district administrators. There's more to the story, though. Here's some good commentary on the issue: What the parents don't mention — but the school did in a press release— is that it wasn't as if the school came down with the Hammer of God out of nowhere. Yes, the kids should be punished. No, a felony comviction is not the way to punish them. The problem is that the punishment doesn't fit the crime. Breaking the rules is what kids do. Society needs to deal with that, yes, but it needs to deal with that in a way that doesn't ruin lives. Deterrence is critical if we are to ever have a lawful society on the internet, but deterrence has to come from rational prosecution. This simply isn't rational. EDITED TO ADD (2 Sep): It seems that charges have been dropped. Posted on August 22, 2005 at 06:56 AM • 83 Comments • View Blog Reactions Airline Security, Trade-offs, and AgendaAll security decisions are trade-offs, and smart security trade-offs are ones where the security you get is worth what you have to give up. This sounds simple, but it isn't. There are differences between perceived risk and actual risk, differences between perceived security and actual security, and differences between perceived cost and actual cost. And beyond that, there are legitimate differences in trade-off analysis. Any complicated security decision affects multiple players, and each player evaluates the trade-off from his or her own perspective. I call this "agenda," and it is one of the central themes of Beyond Fear. It is clearly illustrated in the current debate about rescinding the prohibition against small pointy things on airplanes. The flight attendants are against the change. Reading their comments, you can clearly see their subjective agenda: "As the front-line personnel with little or no effective security training or means of self defense, such weapons could prove fatal to our members," Patricia A. Friend, international president of the Association of Flight Attendants, said in a letter to Edmund S. "Kip" Hawley, the new leader of the Transportation Security Administration. "They may not assist in breaking through a flightdeck door, but they could definitely lead to the deaths of flight attendants and passengers".... The flight attendants are not evaluating the security countermeasure from a global perspective. They're not trying to figure out what the optimal level of risk is, what sort of trade-offs are acceptable, and what security countermeasures most efficiently achieve that trade-off. They're looking at the trade-off from their perspective: they get more benefit from the countermeasure than the average flier because it's their workplace, and the cost of the countermeasure is borne largely by the passengers. There is nothing wrong with flight attendants evaluating airline security from their own agenda. I'd be surprised if they didn't. But understanding agenda is essential to understanding how security decisions are made. Posted on August 19, 2005 at 12:48 PM • 60 Comments • View Blog Reactions Infants on the Terrorist Watch ListImagine you're in charge of airport security. You have a watch list of terrorist names, and you're supposed to give anyone on that list extra scruitiny. One day someone shows up for a flight whose name is on that list. They're an infant. What do you do? If you have even the slightest bit of sense, you realize that an infant can't be a terrorist. So you let the infant through, knowing that it's a false alarm. But if you have no flexibility in your job, if you have to follow the rules regardless of how stupid they are, if you have no authority to make your own decisions, then you detain the baby. EDITED TO ADD: I know what the article says about the TSA rules: The Transportation Security Administration, which administers the lists, instructs airlines not to deny boarding to children under 12 -- or select them for extra security checks -- even if their names match those on a list. Whether the rules are being followed or ignored is besides my point. The screener is detaining babies because he thinks that's what the rules require. He's not permitted to exercise his own common sense. Security works best when well-trained people have the authority to make decisions, not when poorly-trained people are slaves to the rules (whether real or imaginary). Rules provide CYA security, but not security against terrorism. Posted on August 19, 2005 at 08:03 AM • 37 Comments • View Blog Reactions Zotob and VariantsI've been reading the massive press coverage about Zotob (technical details are here, here, and here), and can't figure out what the big deal is about. Yes, it propagates in Windows 2000 without user intervention, which is always nastier. It uses a Microsoft plug-and-play vulnerability, which is somewhat interesting. But the only reason I can think of that CNN did rolling coverage on it is that CNN was hit by it. Posted on August 18, 2005 at 07:57 AM • 47 Comments • View Blog Reactions New Cryptanalytic Results Against SHA-1Xiaoyun Wang, one of the team of Chinese cryptographers that successfully broke SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, announced new results against SHA-1 yesterday at Crypto's rump session. (Actually, Adi Shamir announced the results in their name, since she and her student did not receive U.S. visas in time to attend the conference.) Shamir presented few details -- and there's no paper -- but the time complexity of the new attack is 263. (Their previous result was 269; brute force is 280.) He did say that he expected Wang and her students to improve this result over the next few months. The modifications to their published attack are still new, and more improvements are likely over the next several months. There is no reason to believe that 263 is anything like a lower limit. But an attack that's faster than 264 is a significant milestone. We've already done massive computations with complexity 264. Now that the SHA-1 collision search is squarely in the realm of feasibility, some research group will try to implement it. Writing working software will both uncover hidden problems with the attack, and illuminate hidden improvements. And while a paper describing an attack against SHA-1 is damaging, software that produces actual collisions is even more so. The story of SHA-1 is not over. Again, I repeat the saying I've heard comes from inside the NSA: "Attacks always get better; they never get worse." Meanwhile, NIST is holding a workshop in late October to discuss what the security community should do now. The NIST Hash Function Workshop should be interesting, indeed. (Here is one paper that examines the effect of these attacks on S/MIME, TLS, and IPsec.) EDITED TO ADD: Here are Xiaoyun Wang's two papers from Crypto this week: "Efficient Collision Search Attacks on SHA-0" and "Finding Collisions in the Full SHA-1Collision Search Attacks on SHA1." And here are the rest of her papers. Posted on August 17, 2005 at 02:06 PM • 63 Comments • View Blog Reactions Chinese Cryptographers Denied U.S. VisasChinese cryptographer Xiaoyun Wang, the woman who broke SHA-1 last year, was unable to attend the Crypto conference to present her paper on Monday. The U.S. government didn't give her a visa in time: On Monday, she was scheduled to explain her discovery in a keynote address to an international group of researchers meeting in California. Sadly, this is now common: Although none of the scientists were officially denied visas by the United States Consulate, officials at the State Department and National Academy of Sciences said this week that the situation was not uncommon. These delays can make it impossible for some foreign researchers to attend U.S. conferences. There are researchers who need to have their paper accepted before they can apply for a visa. But the paper review and selection process, done by the program committee in the months before the conference, doesn't finish early enough. Conferences can move the submission and selection deadlines earlier, but that just makes the conference less current. In Wang's case, she applied for her visa in early July. So did her student. Dingyi Pei, another Chinese researcher who is organizing Asiacrypt this year, applied for his in early June. (I don't know about the others.) Wang has not received her visa, and Pei got his just yesterday. This kind of thing hurts cryptography, and hurts national security. The visa restrictions were designed to protect American advanced technologies from foreigners, but in this case they're having the opposite effect. We are all more secure because there is a vibrant cryptography research community in the U.S. and the world. By prohibiting Chinese cryptographers from attending U.S. conferences, we're only hurting ourselves. NIST is sponsoring a workshop on hash functions (sadly, it's being referred to as a "hash bash") in October. I hope Wang gets a visa for that. Posted on August 17, 2005 at 11:53 AM • 45 Comments • View Blog Reactions Sensible Airline SecurityLooks like the DHS and TSA are finally beginning to realize that small pointy things are not a terrorist threat to aviation. They never were. Posted on August 17, 2005 at 09:08 AM • 53 Comments • View Blog Reactions Unmanned Planes Patrolling BordersPosted on August 16, 2005 at 07:59 AM • 39 Comments • View Blog Reactions Cryptographically-Secured Murder ConfessionFrom the Associated Press: Joseph Duncan III is a computer expert who bragged online, days before authorities believe he killed three people in Idaho, about a tell-all journal that would not be accessed for decades, authorities say. This is the kind of story that the government likes to use to illustrate the dangers of encryption. How can we allow people to use strong encryption, they ask, if it means not being able to convict monsters like Duncan? But how is this different than Duncan speaking the confession when no one was able to hear? Or writing it down and hiding it where no one could ever find it? Or not saying anything at all? If the police can't convict him without this confession -- which we only have his word for as existing -- then maybe he's innocent? Technologies have good and bad uses. Encryption, telephones, cars: they're all used by both honest citizens and by criminals. For almost all technologies, the good far outweighs the bad. Banning a technology because the bad guys use it, denying everyone else the beneficial uses of that technology, is almost always a bad security trade-off. EDITED TO ADD: Looking at the details of the encryption, it's certainly possible that the authorities will break the diary. It probably depends on how random a key Duncan chose, although possibly on whether or not there's an implementation error in the cryptographic software. If I had more details, I could speculate further. Posted on August 15, 2005 at 02:17 PM • 56 Comments • View Blog Reactions Terrorists, Steganography, and False AlarmsRemember all thost stories about the terrorists hiding messages in television broadcasts? They were all false alarms: The first sign that something was amiss came a few days before Christmas Eve 2003. The US department of homeland security raised the national terror alert level to "high risk". The move triggered a ripple of concern throughout the airline industry and nearly 30 flights were grounded, including long hauls between Paris and Los Angeles and subsequently London and Washington. It's a signal-to-noise issue. If you look at enough noise, you're going to find signal just by random chance. It's only signal that rises above random chance that's valuable. And the whole notion of terrorists using steganography to embed secret messages was ludicrous from the beginning. It makes no sense to communicate with terrorist cells this way, given the wide variety of more efficient anonymous communications channels. I first wrote about this in September of 2001. Posted on August 15, 2005 at 11:03 AM • 23 Comments • View Blog Reactions Secure Flight NewsAccording to Wired News, the DHS is looking for someone in Congress to sponsor a bill that eliminates congressional oversight over the Secure Flight program. The bill would allow them to go ahead with the program regardless of GAO's assessment. (Current law requires them to meet ten criteria set by Congress; the most recent GAO report said that they did not meet nine of them.) The bill would allow them to use commercial data even though they have not demonstrated its effectiveness. (The DHS funding bill passed by both the House and the Senate prohibits them from using commercial data during passenger screening, because there has been absolutely no test results showing that it is effective.) In this new bill, all that would be required to go ahead with Secure Flight would be for Secretary Chertoff to say so: Additionally, the proposed changes would permit Secure Flight to be rolled out to the nation's airports after Homeland Security chief Michael Chertoff certifies the program will be effective and not overly invasive. The current bill requires independent congressional investigators to make that determination. Looks like the DHS, being unable to comply with the law, is trying to change it. This is a rogue program that needs to be stopped. In other news, the TSA has deleted about three million personal records it used for Secure Flight testing. This seems like a good idea, but it prevents people from knowing what data the government had on them -- in violation of the Privacy Act. Civil liberties activist Bill Scannell says it's difficult to know whether TSA's decision to destroy records so swiftly is a housecleaning effort or something else. My previous essay on Secure Flight is here. Posted on August 15, 2005 at 09:43 AM • 13 Comments • View Blog Reactions E-Mail Interception Decision ReversedIs e-mail in transit communications or data in storage? Seems like a basic question, but the answer matters a lot to the police. A U.S. federal Appeals Court has ruled that the interception of e-mail in temporary storage violates the federal wiretap act, reversing an earlier court opinion. The case and associated privacy issues are summarized here. Basically, different privacy laws protect electronic communications in transit and data in storage; the former is protected much more than the latter. E-mail stored by the sender or the recipient is obviously data in storage. But what about e-mail on its way from the sender to the receiver? On the one hand, it's obviously communications on transit. But the other side argued that it's actually stored on various computers as it wends its way through the Internet; hence it's data in storage. The initial court decision in this case held that e-mail in transit is just data in storage. Judge Lipez wrote an inspired dissent in the original opinion. In the rehearing en banc (more judges), he wrote the opinion for the majority which overturned the earlier opinion. The opinion itself is long, but well worth reading. It's well reasoned, and reflects extraordinary understanding and attention to detail. And a great last line: If the issue presented be "garden-variety"... this is a garden in need of a weed killer. I participated in an Amicus Curiae ("friend of the court") brief in the case. Here's another amicus brief by six civil liberties organizations. There's a larger issue here, and it's the same one that the entertainment industry used to greatly expand copyright law in cyberspace. They argued that every time a copyrighted work is moved from computer to computer, or CD-ROM to RAM, or server to client, or disk drive to video card, a "copy" is being made. This ridiculous definition of "copy" has allowed them to exert far greater legal control over how people use copyrighted works. Posted on August 15, 2005 at 07:59 AM • 13 Comments • View Blog Reactions Do-it-Yourself Security CheckpointPhotograph from What-the-Hack. Posted on August 14, 2005 at 12:09 PM • 24 Comments • View Blog Reactions The Devil's Infosec DictionaryI want "The Devil's Infosec Dictionary" to be funnier. And I wish the entry that mentions me -- "Cryptography: The science of applying a complex set of mathematical algorithms to sensitive data with the aim of making Bruce Schneier exceedingly rich" -- were more true. In any case, I'll bet the assembled here can come up with funnier infosec dictionary definitions. Post them as comments here, and -- if there are enough good ones -- I'll collect them up on a single page. Posted on August 13, 2005 at 10:48 AM • 105 Comments • View Blog Reactions Fingerprinting PaperThis could make an enormous difference in security against forgeries: The scientists built a laser scanner that sweeps across the surface of paper, cardboard, or plastic, recording all of the unique microscopic imperfections that are a natural part of manufacturing such materials. Scientific American has more details: All nonreflective surfaces are rough on a microscopic level. James D. R. Buchanan and his colleagues at Imperial College London report today in the journal Nature on the potential for this characteristic to "provide strong, in-built, hidden security for a wide range of paper, plastic or cardboard objects." Using a focused laser to scan a variety of objects, the team measured how the light scattered at four different angles. By calculating how far the light moved from a mean value, and transforming the fluctuations into ones and zeros, the researchers developed a unique fingerprint code for each object. The scanning of two pieces of paper from the same pack yielded two different identifiers, whereas the fingerprint for one sheet stayed the same even after three days of regular use. Furthermore, when the team put the paper through its paces--screwing it into a tight ball, submerging it in cold water, baking it at 180 degrees Celsius, among other abuses--its fingerprint remained easily recognizable. To ensure the security of currency, you could fingerprint every bill and store the fingerprints in a large database. Or you can digitally sign the fingerprint and print it on the bill itself. The fingerprint is large enough to use as an encryption key, which opens up a bunch of other security possibilities. This idea isn't new. I remember currency anti-counterfeiting research in which fiber-optic bits were added to the paper pulp, and a "fingerprint" was taken using a laser. It didn't work then, but it was clever. Posted on August 12, 2005 at 10:30 AM • 44 Comments • View Blog Reactions TSA and SpamA reader sent this to me. He's corresponding with the TSA about getting his name off the watch list, and was told that he should turn off his e-mail spam filter. -----Original Message----- Posted on August 12, 2005 at 08:15 AM • 18 Comments • View Blog Reactions UK Border SecurityThe Register comments on the government using a border-security failure to push for national ID cards: The Government spokesman the media could get hold of last weekend, leader of the House of Commons Geoff Hoon, said that the Government was looking into whether there should be "additional" passport checks on Eurostar, and added that the matter showed the need for identity cards because "it's vitally important that we know who is coming in as well as going out." Meanwhile the Observer reported plans by ministers to accelerate the introduction of the e-borders system in order to increase border security. Posted on August 11, 2005 at 01:28 PM • 20 Comments • View Blog Reactions The MD5 DefenseA team of Chinese maths enthusiasts have thrown NSW's speed cameras system into disarray by cracking the technology used to store data about errant motorists. It's true that MD5 is broken. On the other hand, it's almost certainly true that the speed cameras were correct. If there's any lesson here, it's that theoretical security is important in legal proceedings. I think that's a good thing. Posted on August 11, 2005 at 07:52 AM • 41 Comments • View Blog Reactions X-Box SecurityInteresting article: "The Hidden Boot Code of the Xbox, or How to fit three bugs in 512 bytes of security code." Microsoft wanted to lock out both pirated games and unofficial games, so they built a chain of trust on the X-Box from the hardware to the execution of the game code. Only code authorized by Microsoft could run on the X-box. The link between hardware and software in this chain of trust is the hidden "MCPX" boot ROM. The article discusses that ROM. Lots of kindergarten security mistakes. Posted on August 10, 2005 at 01:00 PM • 23 Comments • View Blog Reactions Stealing Imaginary ThingsThere's a new Trojan that tries to steal World of Warcraft passwords. That reminded me about this article, about people paying programmers to find exploits to make virtual money in multiplayer online games, and then selling the proceeds for real money. And here's a page about ways people steal fake money in the online game Neopets, including cookie grabbers, fake login pages, fake contests, social engineering, and pyramid schemes. I regularly say that every form of theft and fraud in the real world will eventually be duplicated in cyberspace. Perhaps every method of stealing real money will eventually be used to steal imaginary money, too. Posted on August 10, 2005 at 07:36 AM • 28 Comments • View Blog Reactions RFID Passport Security RevisitedI've written previously (including this op ed in the International Herald Tribune) about RFID chips in passports. An article in today's USA Today (the paper version has a really good graphic) summarizes the latest State Department proposal, and it looks pretty good. They're addressing privacy concerns, and they're doing it right. The most important feature they've included is an access-control system for the RFID chip. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside. Good security. The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. More good security. Assuming that the RFID passport works as advertised (a big "if," I grant you), then I am no longer opposed to the idea. And, more importantly, we have an example of an RFID identification system with good privacy safeguards. We should demand that any other RFID identification cards have similar privacy safeguards. EDITED TO ADD: There's more information in a Wired story: The 64-KB chips store a copy of the information from a passport's data page, including name, date of birth and a digitized version of the passport photo. To prevent counterfeiting or alterations, the chips are digitally signed.... So it sounds like this access-control mechanism is not definite. In any case, I believe the system described in the USA Today article is a good one. Posted on August 09, 2005 at 01:27 PM • 77 Comments • View Blog Reactions The Myth of PanicThis New York Times op ed argues that panic is largely a myth. People feel stressed but they behave rationally, and it only gets called "panic" because of the stress. If our leaders are really planning for panic, in the technical sense, then they are at best wasting resources on a future that is unlikely to happen. At worst, they may be doing our enemies' work for them - while people are amazing under pressure, it cannot help to have predictions of panic drummed into them by supposed experts. Posted on August 09, 2005 at 07:25 AM • 25 Comments • View Blog Reactions |
