Schneier on Security
A blog covering security and security technology.

November 2005 Archives

Google and Privacy

Daniel Solove on Google and privacy:

A New York Times editorial observes:

At a North Carolina strangulation-murder trial this month, prosecutors announced an unusual piece of evidence: Google searches allegedly done by the defendant that included the words "neck" and "snap." The data were taken from the defendant's computer, prosecutors say. But it might have come directly from Google, which -- unbeknownst to many users -- keeps records of every search on its site, in ways that can be traced back to individuals.

Solove goes on to argue that if companies like Google want to collect people's data (even if people are willing to supply it), the least they can do is fight for greater protections against government access to that data. While this won't address all the problems, it would be a step forward to see companies like Google use their power to foster meaningful legislative change.

EDITED TO ADD (12/3): Here's an op-ed from The Boston Globe on the same topic.

Posted on November 30, 2005 at 03:08 PM • 57 Comments

Hacking Wiretapping Systems

This is absolutely fascinating research by Matt Blaze on evading telephone wiretapping systems. Here's the paper. Here's a news article.

Posted on November 30, 2005 at 12:13 PM • 9 Comments

Open-Source Intelligence

Now here's a good idea:

US intelligence chief John Negroponte announced Tuesday the creation of a new CIA-managed center to exploit publicly available information for intelligence purposes.
Posted on November 30, 2005 at 10:42 AM • 39 Comments

Cybercrime Pays

This sentence jumped out at me in an otherwise pedestrian article on criminal fraud:

"Fraud is fundamentally fuelling the growth of organised crime in the UK, earning more from fraud than they do from drugs," Chris Hill, head of fraud at the Norwich Union, told BBC News.

I'll bet that most of that involves the Internet to some degree. And then there's this:

Global cybercrime turned over more money than drug trafficking last year, according to a US Treasury advisor.

Valerie McNiven, an advisor to the US government on cybercrime, claimed that corporate espionage, child pornography, stock manipulation, phishing fraud and copyright offences cause more financial harm than the trade in illegal narcotics such as heroin and cocaine.

This doesn't bode well for computer security in general.

Posted on November 30, 2005 at 06:05 AM • 21 Comments

Counterfeiting Ring in Colombia

Police assisted by U.S. Secret Service agents on Sunday broke up a network capable of printing millions of dollars a month of excellent quality counterfeit money and arrested five suspects during a raid on a remote village in northwest Colombia, officials said.

It's a big industry there:

Fernandez said Valle del Cauca, of which Cali is the state capital, has turned into a center of global counterfeiting. "Entire families are dedicated to falsifying and trafficking money."

And:

Colombia is thought to produce more than 40 percent of fake money circulating around the world.

Posted on November 29, 2005 at 04:29 PM • 27 Comments

Miami Police Stages "Random Shows of Force"

They actually think this is a good idea:

Miami police announced Monday they will stage random shows of force at hotels, banks and other public places to keep terrorists guessing and remind people to be vigilant.

Boy, is this one a mess. How does "in-your-face" affect getting the people on your side?
What happens if someone refuses to show an ID? What good is demanding an ID in the first place? And if I were writing a movie plot, I would plan my terrorist attack for a different part of town when the police were out playing pretend.

The response from the ACLU of Florida is puzzling, though. Let's hope he just didn't understand what was being planned.

EDITED TO ADD (11/29): This article is in error.

EDITED TO ADD (11/30): more info.

Posted on November 29, 2005 at 01:07 PM • 52 Comments

Missed Cellphone Calls as Bomb Triggers

What is it with this week? I can't turn around without seeing another dumb movie-plot threat:

A Thai minister has claimed that by returning missed calls on their cell phones people from the Muslim-majority southern provinces could unintentionally trigger bombs set by Islamic militants.

Posted on November 29, 2005 at 10:01 AM • 46 Comments

A Science-Fiction Movie-Plot Threat

This has got to be the most bizarre movie-plot threat to date: alien viruses downloaded via the SETI project:

In his [Richard Carrigan, a particle physicist at the US Fermi National Accelerator Laboratory in Illinois] report, entitled "Do potential Seti signals need to be decontaminated?", he suggests the Seti scientists may be too blasé about finding a signal. "In science fiction, all the aliens are bad, but in the world of science, they are all good and simply want to get in touch."

His main concern is that, intentionally or otherwise, an extra-terrestrial signal picked up by the Seti team could cause widespread damage to computers if released on to the internet without being checked.

Here's his website.

Although you have to admit, it could make a cool movie.

EDITED TO ADD (12/16): Here's a good rebuttal.

Posted on November 29, 2005 at 07:16 AM • 59 Comments

Interdicting Terrorist Funding

Want to make the country safer from terrorism?
Take the money now being wasted on national ID cards, massive data mining projects, fingerprinting foreigners, airline passenger profiling, etc., and use it to fund worldwide efforts to interdict terrorist funding:

The government's efforts to help foreign nations cut off the supply of money to terrorists, a critical goal for the Bush administration, have been stymied by infighting among American agencies, leadership problems and insufficient financing, a new Congressional report says.

More:

One unidentified Treasury official quoted anonymously in the report said that the intergovernmental process for deterring terrorist financing abroad is "broken" and that the State Department "creates obstacles rather than coordinates effort." A State Department official countered that the real problem lies in the Treasury Department's reluctance to accept the State Department's leadership in the process.

Posted on November 28, 2005 at 09:44 PM • 17 Comments

Giving the U.S. Military the Power to Conduct Domestic Surveillance

More nonsense in the name of defending ourselves from terrorism:

The Defense Department has expanded its programs aimed at gathering and analyzing intelligence within the United States, creating new agencies, adding personnel and seeking additional legal authority for domestic security activities in the post-9/11 world.

The police and the military have fundamentally different missions. The police protect citizens. The military attacks the enemy. When you start giving police powers to the military, citizens start looking like the enemy.

We gain a lot of security because we separate the functions of the police and the military, and we will all be much less safe if we allow those functions to blur. This kind of thing worries me far more than terrorist threats.
Posted on November 28, 2005 at 02:11 PM • 36 Comments

Safecracking with Thermal Imaging

Posted on November 28, 2005 at 11:37 AM • 31 Comments

European Terrorism Law and Music Downloaders

The European music industry is lobbying the European Parliament, demanding things that the RIAA can only dream about:

The music and film industries are demanding that the European parliament extends the scope of proposed anti-terror laws to help them prosecute illegal downloaders.

In an open letter to MEPs, companies including Sony BMG, Disney and EMI have asked to be given access to communications data - records of phone calls, emails and internet surfing - in order to take legal action against pirates and filesharers. Current proposals restrict use of such information to cases of terrorism and organised crime.

Our society definitely needs a serious conversation about the fundamental freedoms we are sacrificing in a misguided attempt to keep us safe from terrorism. It feels both surreal and sickening to have to defend our fundamental freedoms against those who want to stop people from sharing music. How is it possible that we can contemplate so much damage to our society simply to protect the business model of a handful of companies?

Posted on November 27, 2005 at 12:20 PM • 83 Comments

Hoofnagle's Consumer Privacy Top 10

Chris Hoofnagle is the West Coast Director for EPIC. It's his list.

I've been working for some time on writing easy-to-understand guides for protecting privacy. Here's my "top 10" things you can do with very little money or effort to protect your privacy.

Good stuff.

Posted on November 25, 2005 at 08:46 AM • 17 Comments

Vote Someone Else's Shares

Do you own shares of a Janus mutual fund? Can you vote your shares through a website called vote.proxy-direct.com? If so, you can vote the shares of others.
If you have a valid proxy number, you can add 1300 to the number to get another valid proxy number. Once entered, you get another person's name, address, and account number at Janus! You could then vote their shares too.

It's easy. Probably illegal. Definitely a great resource for identity thieves. Certainly pathetic.

Posted on November 24, 2005 at 10:41 AM • 41 Comments

Twofish Cryptanalysis Rumors

Recently I have been hearing some odd "Twofish has been broken" rumors. I thought I'd quell them once and for all.

Rumors of the death of Twofish have been greatly exaggerated.

The analysis in question is by Shiho Moriai and Yiqun Lisa Yin, who published their results in Japan in 2000. Recently, someone either got a copy of the paper or heard about the results, and rumors started spreading.

Here's the actual paper. It presents no cryptanalytic attacks, only some hypothesized differential characteristics. Moriai and Yin discovered byte-sized truncated differentials for 12- and 16-round Twofish (the full cipher has 16 rounds), but were unable to use them in any sort of attack. They also discovered a larger, 5-round truncated differential. No one has been able to convert these differentials into an attack, and Twofish is nowhere near broken.

On the other hand, they are excellent and interesting results -- and it's a really good paper.

In more detail, here are the paper's three results:
The paper theorizes that all of these characteristics might be useful in an attack, but I would be very careful about drawing any conclusions. It can be very tricky to go from single-path characteristics whose probability is much smaller than the chances of it happening by chance in an ideal cipher, to a real attack. The problem is in the part where you say "let's just assume all other paths behave randomly." Often the other paths do not behave randomly, and attacks that look promising fall flat on their faces.

We simply don't know whether these truncated differentials would be useful in a distinguishing attack. But what we do know is that even if everything works out perfectly to the cryptanalyst's benefit, and if an attack is possible, then such an attack is likely to require a totally unrealistic number of chosen plaintexts. 2^100 plaintexts is something like a billion billion DVDs' worth of data, or a T1 line running for a million times the age of the universe. (Note that these numbers might be off by a factor of 1,000 or so. But honestly, who cares? The numbers are so huge as to be irrelevant.) And even with all that data, a distinguishing attack is not the same as a key recovery attack.

Again, I am not trying to belittle the results. Moriai and Yin did some great work here, and they deserve all kinds of credit for it. But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published five years ago.

The best Twofish cryptanalysis is still the work we did during the design process: available on the Twofish home page.

Posted on November 23, 2005 at 12:15 PM • 33 Comments

Today's Movie-Plot Threat: Electronic Pulses from Space

No. Really:

The United States is highly vulnerable to attack from electronic pulses caused by a nuclear blast in space, according to a new book on threats to U.S. security.

The "single most serious national-security challenge."
Absolutely nothing more serious. Sheesh.

Posted on November 23, 2005 at 07:39 AM • 57 Comments

Australian Minister's Sensible Comments on Airline Security Spark Outcry

I'm the first to admit that I don't know anything about Australian politics. I don't know who Amanda Vanstone is, what she stands for, and what other things she's said about any other topic. But I happen to think she's right about airline security:

In a wide-ranging speech to Adelaide Rotarians, Senator Vanstone dismissed many commonwealth security measures as essentially ineffective.

"To be tactful about these things, a lot of what we do is to make people feel better as opposed to actually achieve an outcome," Senator Vanstone said.

And:

During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy.

Implied? I'll say it outright. It's stupid. For all its faults, I'm always pleased when Northwest Airlines gives me a real metal knife, and I am always annoyed when American Airlines still gives me a plastic one.

"Has it ever occurred to you that you just smash your wine glass and jump at someone, grab the top of their head and put it in their carotid artery and ask anything?" Senator Vanstone told her audience of about 100 Rotarians.

"And believe me, you will have their attention. I think of this every time I see more money for the security agencies."

Okay, so maybe that was a bit graphic for the Rotarians. But her comments are basically right, and don't deserve this kind of response:

"(Her) extraordinary outburst that airport security was a sham to make the public feel good has made a mockery of the Howard Government's credibility in this important area of counter-terrorism," Mr Bevis said yesterday.

"And for Amanda Vanstone to once again put her foot in her mouth while John Howard is overseas for serious talks on terrorism is appalling.
She should apologise and quit, or if the Prime Minister can't shut her up he should sack her."

But Mr. Bevis, airport security is largely a sham to make the public feel better about flying. And if your Prime Minister doesn't know that, then you should worry about how serious his talks will be.

Vanstone has been defending herself:

Vanstone rejected calls from the Labor Party opposition for her resignation over the comments they said trivialised an important issue, saying she was not ridiculing security measures.

Plastic knives on airplanes drive me crazy too, and they don't do anything to improve our security against terrorism. I know nothing about Vanstone and her policies, but she has this one right.

Posted on November 22, 2005 at 01:41 PM • 96 Comments

Surveillance and Oversight

Christmas 2003, Las Vegas. Intelligence hinted at a terrorist attack on New Year's Eve. In the absence of any real evidence, the FBI tried to compile a real-time database of everyone who was visiting the city. It collected customer data from airlines, hotels, casinos, rental car companies, even storage locker rental companies. All this information went into a massive database -- probably close to a million people overall -- that the FBI's computers analyzed, looking for links to known terrorists. Of course, no terrorist attack occurred and no plot was discovered: The intelligence was wrong.

A typical American citizen spending the holidays in Vegas might be surprised to learn that the FBI collected his personal data, but this kind of thing is increasingly common. Since 9/11, the FBI has been collecting all sorts of personal information on ordinary Americans, and it shows no signs of letting up.

The FBI has two basic tools for gathering information on large groups of Americans. Both were created in the 1970s to gather information solely on foreign terrorists and spies.
Both were greatly expanded by the USA Patriot Act and other laws, and are now routinely used against ordinary, law-abiding Americans who have no connection to terrorism. Together, they represent an enormous increase in police power in the United States.

The first are FISA warrants (sometimes called Section 215 warrants, after the section of the Patriot Act that expanded their scope). These are issued in secret, by a secret court. The second are national security letters, less well known but much more powerful, and which FBI field supervisors can issue all by themselves. The exact numbers are secret, but a recent Washington Post article estimated that 30,000 letters each year demand telephone records, banking data, customer data, library records, and so on.

In both cases, the recipients of these orders are prohibited by law from disclosing the fact that they received them. And two years ago, Attorney General John Ashcroft rescinded a 1995 guideline that this information be destroyed if it is not relevant to whatever investigation it was collected for. Now, it can be saved indefinitely, and disseminated freely.

September 2005, Rotterdam. The police had already identified some of the 250 suspects in a soccer riot from the previous April, but most were still unidentified, though captured on video. In an effort to help, they sent text messages to 17,000 phones known to be in the vicinity of the riots, asking that anyone with information contact the police. The result was more evidence, and more arrests.

The differences between the Rotterdam and Las Vegas incidents are instructive. The Rotterdam police needed specific data for a specific purpose. Its members worked with federal justice officials to ensure that they complied with the country's strict privacy laws. They obtained the phone numbers without any names attached, and deleted them immediately after sending the single text message. And their actions were public, widely reported in the press.
On the other hand, the FBI has no judicial oversight. With only a vague hint that a Las Vegas attack might occur, the bureau vacuumed up an enormous amount of information. First its members tried asking for the data; then they turned to national security letters and, in some cases, subpoenas. There was no requirement to delete the data, and there is every reason to believe that the FBI still has it all. And the bureau worked in secret; the only reason we know this happened is that the operation leaked.

These differences illustrate four principles that should guide our use of personal information by the police. The first is oversight: In order to obtain personal information, the police should be required to show probable cause, and convince a judge to issue a warrant for the specific information needed. Second, minimization: The police should only get the specific information they need, and not any more. Nor should they be allowed to collect large blocks of information in order to go on "fishing expeditions," looking for suspicious behavior. The third is transparency: The public should know, if not immediately then eventually, what information the police are getting and how it is being used. And fourth, destruction. Any data the police obtain should be destroyed immediately after its court-authorized purpose is achieved. The police should not be able to hold on to it, just in case it might become useful at some future date.

This isn't about our ability to combat terrorism; it's about police power. Traditional law already gives police enormous power to peer into the personal lives of people, to use new crime-fighting technologies, and to correlate that information. But unfettered police power quickly resembles a police state, and checks on that power make us all safer.

As more of our lives become digital, we leave an ever-widening audit trail in our wake.
This information has enormous social value -- not just for national security and law enforcement, but for purposes as mundane as using cell-phone data to track road congestion, and as important as using medical data to track the spread of diseases. Our challenge is to make this information available when and where it needs to be, but also to protect the principles of privacy and liberty our country is built on.

This essay originally appeared in the Minneapolis Star-Tribune.

Posted on November 22, 2005 at 06:06 AM • 34 Comments

The Sony Rootkit Saga Continues

I'm just not able to keep up with all the twists and turns in this story. (My previous posts are here, here, here, and here, but a way better summary of the events is on BoingBoing: here, here, and here. Actually, you should just read every post on the topic in Freedom to Tinker. This is also worth reading.)

Many readers pointed out to me that the DMCA is one of the reasons antivirus companies aren't able to disable invasive copy-protection systems like Sony's rootkit: it may very well be illegal for them to do so. (Adam Shostack made this point.)

Here are two posts about the rootkit before Russinovich posted about it.

And it turns out you can easily defeat the rootkit:

With a small bit of tape on the outer edge of the CD, the PC then treats the disc as an ordinary single-session music CD and the commonly used music "rip" programs continue to work as usual.

(Original here.)

The fallout from this has been simply amazing. I've heard from many sources that the anti-copy-protection forces in Sony and other companies have newly found power, and that copy-protection has been set back years. Let's hope that the entertainment industry realizes that digital copy protection is a losing game here, and starts trying to make money by embracing the characteristics of digital technology instead of fighting against them. I've written about that here and here (both from 2001).
Even Foxtrot has a cartoon on the topic.

I think I'm done here. Others are covering this much more extensively than I am. Unless there's a new twist that I simply have to comment on....

EDITED TO ADD (11/21): The EFF is suing Sony. (The page is a good summary of the whole saga.)

EDITED TO ADD (11/22): Here's a great idea; Sony can use a feature of the rootkit to inform infected users that they're infected.

As it turns out, there's a clear solution: A self-updating messaging system already built into Sony's XCP player. Every time a user plays an XCP-affected CD, the XCP player checks in with Sony's server. As Russinovich explained, usually Sony's server sends back a null response. But with small adjustments on Sony's end -- just changing the output of a single script on a Sony web server -- the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.

This is so obviously the right thing to do. My guess is that it'll never happen.

Texas is suing Sony. According to the official statement:

The suit is also the first filed under the state's spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.

And here's something I didn't know: the rootkit consumes 1% - 2% of CPU time, whether or not you're playing a Sony CD. You'd think there would be a "theft of services" lawsuit in there somewhere.

EDITED TO ADD (11/30): Business Week has a good article on the topic.

Posted on November 21, 2005 at 04:34 PM • 37 Comments

Reminiscences of a 75-Year-Old Jewel Thief

The amazing story of Doris Payne:

Never did she grab the jewels and run. That wasn't her way. Instead, she glided in, engaged the clerk in one of her stories, confused them and easily slipped away with a diamond ring, usually to a waiting taxi cab.
Don't think that she never got caught:

She wasn't always so lucky. She's been arrested more times than she can remember. One detective said her arrest report is more than 6 feet long — she's done time in Ohio, Kentucky, West Virginia, Colorado and Wisconsin.

Still, the arrests are really "just the tip of the iceberg," said FBI supervisory special agent Paul G. Graupmann.

Posted on November 21, 2005 at 03:00 PM • 24 Comments

Possible Net Objects Fusion 9 Vulnerability

I regularly get anonymous e-mail from people exposing software vulnerabilities. This one looks interesting.

Beta testers have discovered a serious security flaw that exposes a site created using Net Objects Fusion 9 (NOF9) that has the potential to expose an entire site to hacking, including passwords and login info for that site. The vulnerability exists for any website published using versioning (that is, all sites using nPower).

I don't use NOF9, and I haven't tested this vulnerability. Can someone do so and get back to me? And if it is a real problem, spread the word. I don't know yet if Website Pros prefers to pay lawyers to suppress information rather than pay developers to fix software vulnerabilities.

Posted on November 21, 2005 at 12:31 PM • 12 Comments

Automatic Lie Detector

Coming soon to airports:

Tested in Russia, the two-stage GK-1 voice analyser requires that passengers don headphones at a console and answer "yes" or "no" into a microphone to questions about whether they are planning something illicit.

Fascinating. In general, I prefer security systems that are invasive yet anonymous to ones that are based on massive databases. And automatic systems that divide people into "probably fine" and "investigate a bit more" categories seem like a good use of technology.
I have no idea whether this system works (there is a lot of evidence that it does not), what the false positive and false negative rates are (this article states a completely useless 12% false positive rate), or how easy it would be to learn how to fool the system, though. And in all of these trade-off discussions, the devil is in the details.

Posted on November 21, 2005 at 08:07 AM • 26 Comments

Cartoon

Security theater humor.

Posted on November 19, 2005 at 10:31 AM • 15 Comments

Prisons and Guards

This Iowa prison break illustrates an important security principle:

State Sen. Gene Fraise said he was told by prison officials that the inmates somehow got around a wire that is supposed to activate an alarm when touched. The wall also had razor wire, he said.

Guards = dynamic security. Tripwires = static security. Dynamic security is better than static security.

Unfortunately, some people simply don't understand the fundamentals of security:

State Rep. Lance Horbach, a Republican, criticized Fraise for suggesting budget cuts were a factor in the escape.

Actually, in reality you should be putting guards in the guard towers.

Posted on November 18, 2005 at 03:34 PM • 42 Comments

Fraud and Western Union

Western Union has been the conduit of a lot of fraud. But since they're not the victim, they don't care much about security. It's an externality to them. It took a lawsuit to convince them to take security seriously.

Western Union, one of the world's most frequently used money transfer services, will begin warning its customers against possible fraud in their transactions.

Posted on November 18, 2005 at 11:06 AM • 106 Comments

Ex-MI5 Chief Calls ID Cards "Useless"

Refreshing candor:

The case for identity cards has been branded "bogus" after an ex-MI5 chief said they might not help fight terror.

Posted on November 18, 2005 at 06:48 AM • 26 Comments

U.S. Compromises Canadian Privacy

A Canadian reporter was able to get phone records for the personal and professional accounts held by Canadian Privacy Commissioner Jennifer Stoddart through an American data broker, locatecell.com.

The security concerns are obvious.

Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting. My guess is that's the only reason we haven't seen an American reporter pull phone records on one of our government officials.

Posted on November 17, 2005 at 02:32 PM • 21 Comments

Hackers and Criminals

More evidence that hackers are migrating into crime:

Since then, organised crime units have continued to provide a fruitful income for a group of hackers that are effectively on their payroll. Their willingness to pay for hacking expertise has also given rise to a new subset of hackers. These are not hardcore criminals in pursuit of defrauding a bank or duping thousands of consumers. In one sense, they are the next generation of hackers that carry out their activities in pursuit of credibility from their peers and the 'buzz' of hacking systems considered to be unbreakable.

Posted on November 17, 2005 at 12:25 PM • 15 Comments

Sony's DRM Rootkit: The Real Story

This is my sixth column for Wired.com:
EDITED TO ADD (11/17): SlashDotted.

EDITED TO ADD (11/19): Details of Sony's buyback program. And more GPL code was stolen and used in the rootkit.

Posted on November 17, 2005 at 09:08 AM • 152 Comments

Identity Theft Over-Reported

I'm glad to see that someone wrote this article. For a long time now, I've been saying that the rate of identity theft has been grossly overestimated: too many things are counted as identity theft that are just traditional fraud. Here's some interesting data to back that claim up:

Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft. But what exactly is identity theft?

Identity theft is a serious crime, and it's a major growth industry in the criminal world. But we do everyone a disservice when we count things as identity theft that really aren't.

Posted on November 16, 2005 at 01:21 PM • 36 Comments

Stride-Based Security

Can a cell phone detect if it is stolen by measuring the gait of the person carrying it?

Researchers at the VTT Technical Research Centre of Finland have developed a prototype of a cell phone that uses motion sensors to record a user's walking pattern of movement, or gait. The device then periodically checks to see that it is still in the possession of its legitimate owner, by measuring the current stride and comparing it against that stored in its memory.

Clever, as long as you realize that there are going to be a lot of false alarms. This seems okay:

If the phone suspects it has fallen into the wrong hands, it will prompt the user for a password if they attempt to make calls or access its memory.

Posted on November 16, 2005 at 06:26 AM • 29 Comments

Still More on Sony's DRM Rootkit

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit.
Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony's web-based uninstaller. When you first fill out Sony's form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you?
Half a million doesn't seem right to me, although I readily admit that I don't know the music business. Kaminsky's methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

Posted on November 15, 2005 at 03:16 PM • 57 Comments

Hans Bethe on Security

Hans Bethe was one of the first nuclear scientists, a member of the Manhattan Project, and a political activist. In this article about him, there's a great quote:

Sometimes insistence on 100 percent security actually impairs our security, while the bold decision -- though at the time it seems to involve some risk -- will give us more security in the long run.

Posted on November 15, 2005 at 12:41 PM • 6 Comments

NSA for Kids

The NSA has a site for kids. Crypto Cat, Decipher Dog, and friends.

Posted on November 15, 2005 at 07:41 AM • 27 Comments

Airport Security Against Chemical and Biological Terrorism

There's a new report from Sandia National Laboratories (written with Lawrence Berkeley National Laboratory) titled "Guidelines to Improve Airport Preparedness Against Chemical and Biological Terrorism." It's classified, but there's an unclassified version available. (Press release. Unclassified report.) I haven't read it yet, but it looks interesting.
Posted on November 14, 2005 at 03:19 PM • 12 Comments

Metadata in MS Office

Hidden metadata is in the news again. The New York Times reported that an unsigned Microsoft Word document being circulated by the Democratic National Committee was actually written by, wait for it, the Democratic National Committee.

Okay, so that's not much of a revelation, but it does serve to remind us that there can be all sorts of unintended information hidden in Microsoft Office documents. The particular bit of unintended information that precipitated this news story is the metadata. Metadata is information on who created the file, what it was originally called, etc. To see your metadata, open a file, go to the "File" menu, and choose "Properties."

I'll bet at least some of you will be really surprised by what's in there. Not because it's secret, but because it has nothing to do with you or your document. That's because metadata follows the file, and not its contents. Here's what I do when I want to create an MS Word document. Maybe it's a file I've written, and maybe it's a file I received from someone else. I find some other document that has basically the same style I want, open it up, delete all the contents, and save it under a new filename. MS Word doesn't change the metadata, so whatever was in the "Title," "Subject," "Author," "Company," and other fields of the original document remains in my new document. This means that occasionally those metadata fields are filled with information I've never seen before and from who knows where. I'm sure I'm not the only one who uses this trick to avoid dealing with MS Word stylesheets.

So metadata is much less a smoking gun than many make it out to be. I don't mean this to minimize the problem of hidden data in Microsoft Office documents. It's not just the metadata, but comments, deleted parts of the document, even parts of other documents (it's happened).
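As an added example (not Microsoft's tool, and not code from the post), here is how the Title, Subject, Author and Company fields described above can be listed and blanked programmatically before a file is distributed. It works on the current .docx package format rather than the 2005-era binary .doc, and the sample document with its stale, inherited values is constructed in memory.

```python
"""Added example, not Microsoft's tool: list and blank the Title, Subject, Author and
Company fields of a .docx (OOXML, not the 2005 binary .doc); runs on a constructed sample."""
import io, zipfile
import xml.etree.ElementTree as ET

DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
FIELDS = {  # field name -> (package part holding it, element tag in Clark notation)
    "Title": ("docProps/core.xml", f"{{{DC}}}title"),
    "Subject": ("docProps/core.xml", f"{{{DC}}}subject"),
    "Author": ("docProps/core.xml", f"{{{DC}}}creator"),
    "Company": ("docProps/app.xml", f"{{{EP}}}Company"),
}

def read_metadata(docx: bytes) -> dict:
    """The fields a 'File > Properties' dialog would show ('' when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        roots = {part: ET.fromstring(z.read(part)) for part, _ in FIELDS.values()}
    return {name: getattr(roots[part].find(tag), "text", None) or ""
            for name, (part, tag) in FIELDS.items()}

def scrub_metadata(docx: bytes) -> bytes:
    """Blank every listed field; every other part (the body included) is copied as is."""
    src, out_buf = zipfile.ZipFile(io.BytesIO(docx)), io.BytesIO()
    with zipfile.ZipFile(out_buf, "w") as out:
        for item in src.infolist():
            data = src.read(item.filename)
            tags = [tag for part, tag in FIELDS.values() if part == item.filename]
            if tags:  # a properties part: blank its fields and re-serialize
                root = ET.fromstring(data)
                for el in (root.find(t) for t in tags):
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            out.writestr(item, data)
    return out_buf.getvalue()

def make_sample_docx() -> bytes:
    """Constructed .docx whose properties were inherited from an old template."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"><dc:title>Old memo'
            '</dc:title><dc:subject>draft</dc:subject><dc:creator>Previous Author'
            '</dc:creator></cp:coreProperties>')
    app = f'<Properties xmlns="{EP}"><Company>Old Employer Inc</Company></Properties>'
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document>body text unchanged</document>")
    return buf.getvalue()
```

Comments, tracked changes and embedded content live in other parts of the package and are not touched here; this only covers the property fields the post lists.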
I have two recommendations regarding Microsoft Office and hidden data. The first is to realize that programs like Word and Excel are designed for authoring documents, not for publishing them. Get into the habit of saving your documents as PDF before distributing them. (Although if you're going to redact a PDF document, be smart about it or you'll have similar problems.) The second is to install Microsoft's tool for deleting hidden data. (Works for Office 2003; there are third-party tools for older versions.) Or at least read the page about deleting private data in MS Office files. And follow through on deleting the data. This probably won't