Schneier on Security

A blog covering security and security technology.

« February 2006 | Main | April 2006 »

March 2006 Archives

Friday Squid Blogging: Ben Deacon, Squid Researcher

Third item on the page:

According to juicy folklore and loose legend, for centuries, the inky waters of our deepest oceans have been home to that most mysterious of marine creatures -- the giant squid. Well, as we speak, visitors to Melbourne's aquarium can take a gander at the real thing, a 7m-long squid, caught in New Zealand and frozen in a block of ice.

For 30 years, almost obsessively, one real scientific character from across the Tasman has been chasing these elusive creatures and Ben Deacon caught up with him, hard at what's clearly become his life's work.

Posted on March 31, 2006 at 03:05 PM • 7 Comments • View Blog Reactions

iJacking

The San Francisco Bay Guardian is reporting on a new crime: people who grab laptops out of their owners' hands and then run away. It's called "iJacking," and there seems to be a wave of this type of crime at Internet cafes in San Francisco:

In 2004 the SFPD Robbery Division recorded 17 strong-arm laptop robberies citywide. This increased to 30 cases in 2005, a total that doesn't even include thefts that fall under the category of "burglary," when a victim isn't present. (SFPD could not provide statistics on the number of laptop burglaries.)

In the past three months alone, Park Station, the police precinct that includes the Western Addition, has reported 11 strong-arm laptop robberies, a statistic that suggests this one district may exceed last year's citywide total by the end of 2006.

Some stories:

Maloney was absorbed in his work when suddenly a hooded person yanked the laptop from Maloney's hands and ran out the door. Maloney tried to grab his computer, but he stumbled across a few chairs and landed on the floor as the perpetrator dashed to a vehicle waiting a quarter block away.

[...]

Two weeks before Maloney's robbery, on a Sunday afternoon, a man had been followed out of the Starbucks on the corner of Fulton Street and Masonic Avenue and was assaulted by two suspects in broad daylight. According to the police report, the suspects dragged the victim 15 feet along the pavement, kicking him in the face before stealing his computer.

In early February a women had her laptop snatched while sitting in Ali's Café. She pursued the perpetrator out the door, only to be blindsided by a second accomplice. Ali described the assault as "a football tackle" so severe it left the victim's eyeglasses in the branches of a nearby tree. In the most recent laptop robbery, on March 16 in a café on the 900 block of Valencia Street, police say the victim was actually stabbed.

It's obvious why these thefts are occurring. Laptops are valuable, easy to steal, and easy to fence. If we want to "solve" this problem, we need to modify at least one of those characteristics. Some Internet cafes are providing locking cables for their patrons, in an attempt to make them harder to steal. But that will only mean that the muggers will follow their victims out of the cafes. Laptops will become less valuable over time, but that really isn't a good solution. The only thing left is to make them harder to fence.

This isn't an easy problem. There are a bunch of companies that make solutions that help people recover stolen laptops. There are programs that "phone home" if a laptop is stolen. There are programs that hide a serial number on the hard drive somewhere. There are non-removable tags users can affix to their computers with ID information. But until this kind of thing becomes common, the crimes will continue.

Reminds me of the problem of bicycle thefts.

Posted on March 31, 2006 at 01:06 PM • 67 Comments • View Blog Reactions

Cubicle Farms are a Terrorism Risk

The British security service MI5 is warning business leaders that their offices are probably badly designed against terrorist bombs. The common modern office consists of large rooms without internal walls, which puts employees at greater risk in the event of terrorist bombs.

From The Scotsman:

The trend towards open-plan offices without internal walls could put employees at increased risk in the event of a terrorist bomb, MI5 has warned business leaders. The advice comes as the Security Service steps up its advice to companies on how to prepare for an attack. MI5 has produced a 40-page leaflet, "Protecting Against Terrorism", which will be distributed to large businesses and public-sector bodies across Britain. Among the guidance in the pamphlet is that bosses should consider the security implications of getting rid of internal walls.

Open-plan offices are increasingly popular as businesses seek to improve communication and cooperation between employees. But MI5 points out that there are potential risks, too. "If you are converting your building to open-plan accommodation, remember that the removal of internal walls reduces protection against blast and fragments," the leaflet says.

All businesses should make contingency plans for keeping staff safe in the event of a bomb attack, the Security Service advises. Instead of automatically evacuating staff, companies are recommended to gather workers in a designated "protected space" until the location of the bomb can be confirmed. "Since glass and other fragments may kill or maim at a considerable distance from the centre of a large explosion, moving staff into protected spaces is often safer than evacuating them on to the streets," the leaflet cautions. Interior rooms with reinforced concrete or masonry walls often make suitable protected spaces, as they tend to remain intact in the event of an explosion outside the building, employers are told. But open-plan offices often lack such places, and can have other effects on emergency planning: "If corridors no longer exist then you may also lose your evacuation routes, assembly or protected spaces, while the new layout will probably affect your bomb threat contingency procedures." Companies converting to open-plan are told to ensure that there is no significant reduction in staff protection, "for instance by improving glazing protection."

Posted on March 31, 2006 at 05:14 AM • 30 Comments • View Blog Reactions

An Economic Analysis of Airport Security Screening

Interesting paper: "Passenger Profiling, Imperfect Screening, and Airport Security," by Nicola Persico and Petra E. Todd. The authors use game theory to investigate the optimal screening policy, in a scenario when there are different social groups (separated by felons, race, religion, etc.) with different preferences for crime and/or terrorism.

Posted on March 30, 2006 at 01:59 PM • 21 Comments • View Blog Reactions

Evading Copyright Through XOR

Monolith is an open-source program that can XOR two files together to create a third file, and -- of course -- can XOR that third file with one of the original two to create the other original file.

The website wonders about the copyright implications of all of this:

Things get interesting when you apply Monolith to copyrighted files. For example, munging two copyrighted files will produce a completely new file that, in most cases, contains no information from either file. In other words, the resulting Mono file is not "owned" by the original copyright holders (if owned at all, it would be owned by the person who did the munging). Given that the Mono file can be combined with either of the original, copyrighted files to reconstruct the other copyrighted file, this lack of Mono ownership may be seem hard to believe.

The website then postulates this as a mechanism to get around copyright law:

What does this mean? This means that Mono files can be freely distributed.

So what? Mono files are useless without their corresponding Basis files, right? And the Basis files are copyrighted too, so they cannot be freely distributed, right? There is one more twist to this idea. What happens when we use Basis files that are freely distributable? For example, we could use a Basis file that is in the public domain or one that is licensed for free distribution. Now we are getting somewhere.

None of the aforementioned properties of Mono files change when we use freely distributable Basis files, since the same arguments hold. Mono files are still not copyrighted by the people who hold the copyrights over the corresponding Element files. Now we can freely distribute Mono files and Basis files.

Interesting? Not really. But what you can do with these files, in the privacy of your own home, might be interesting, depending on your proclivities. For example, you can use the Mono files and the Basis files to reconstruct the Element files.

Clever, but it won't hold up in court. In general, technical hair splitting is not an effective way to get around the law. My guess is that anyone who distributes that third file -- they call it a "Mono" file -- along with instructions on how to recover the copyrighted file is going to be found guilty of copyright violation.

The correct way to solve this problem is through law, not technology.

Posted on March 30, 2006 at 08:07 AM • 77 Comments • View Blog Reactions

80 Cameras for 2,400 People

This story is about the remote town of Dillingham, Alaska, which is probably the most watched town in the country. There are 80 surveillance cameras for the 2,400 people, which translates to one camera for every 30 people.

The cameras were bought, I assume, because the town couldn't think of anything else to do with the $202,000 Homeland Security grant they received. (One of the problems of giving this money out based on political agenda, rather than by where the actual threats are.)

But they got the money, and they spent it. And now they have to justify the expense. Here's the movie-plot threat the Dillingham Police Chief uses to explain why the expense was worthwhile:

"Russia is about 800 miles that way," he says, arm extending right.

"Seattle is about 1,200 miles back that way." He points behind him.

"So if I have the math right, we're closer to Russia than we are to Seattle."

Now imagine, he says: What if the bad guys, whoever they are, manage to obtain a nuclear device in Russia, where some weapons are believed to be poorly guarded. They put the device in a container and then hire organized criminals, "maybe Mafiosi," to arrange a tramp steamer to pick it up. The steamer drops off the container at the Dillingham harbor, complete with forged paperwork to ship it to Seattle. The container is picked up by a barge.

"Ten days later," the chief says, "the barge pulls into the Port of Seattle."

Thompson pauses for effect.

"Phoooom," he says, his hands blooming like a flower.

The first problem with the movie plot is that it's just plain silly. But the second problem, which you might have to look back to notice, is that those 80 cameras will do nothing to stop his imagined attack.

We are all security consumers. We spend money, and we expect security in return. This expenditure was a waste of money, and as a U.S. taxpayer, I am pissed that I'm getting such a lousy deal.

Posted on March 29, 2006 at 01:13 PM • 47 Comments • View Blog Reactions

Chameleon Weapons

You can't detect them, because they look normal:

One type is the exact size and shape of a credit card, except that two of the edges are lethally sharp. It's made of G10 laminate, an ultra-hard material normally employed for circuit boards. You need a diamond file to get an edge on it.

[...]

Another configuration is a stabbing weapon which is indistinguishable from a pen. This one is made from melamine fiber, and can sit snugly inside a Bic casing. You would only find out it was not the real thing if you tried to write with it. It's sharpened with a blade edge at the tip which Defense Review describes as "scary sharp."

Also:

The FBI's extensive Guide to Concealable Weapons has 89 pages of weapons intended to get through security. These are generally variations of a knifeblade concealed in a pen, comb or a cross -- and most of them are pretty obvious on X-ray.

Posted on March 29, 2006 at 06:58 AM • 51 Comments • View Blog Reactions

MySpace Used as Forensics Tool

From CNN:

Detectives used profiles posted on the MySpace social networking Web site to identify six suspects in a rape and robbery....

[...]

She knew only their first names but their pictures were posted on MySpace.

"Primarily, we pulled up her friends list. It helped us identify some of the players," said Bartley.

Posted on March 28, 2006 at 01:19 PM • 14 Comments • View Blog Reactions

Al Qaeda Hacker Captured

Irhabi 007 has been captured.

For almost two years, intelligence services around the world tried to uncover the identity of an Internet hacker who had become a key conduit for al-Qaeda. The savvy, English-speaking, presumably young webmaster taunted his pursuers, calling himself Irhabi -- Terrorist -- 007. He hacked into American university computers, propagandized for the Iraq insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their computers for the cause.

Assuming the British authorities are to be believed, he definitely was a terrorist:

Suddenly last fall, Irhabi 007 disappeared from the message boards. The postings ended after Scotland Yard arrested a 22-year-old West Londoner, Younis Tsouli, suspected of participating in an alleged bomb plot. In November, British authorities brought a range of charges against him related to that plot. Only later, according to our sources familiar with the British probe, was Tsouli's other suspected identity revealed. British investigators eventually confirmed to us that they believe he is Irhabi 007.

[...]

Tsouli has been charged with eight offenses including conspiracy to murder, conspiracy to cause an explosion, conspiracy to cause a public nuisance, conspiracy to obtain money by deception and offences relating to the possession of articles for terrorist purposes and fundraising.

Okay. So he was a terrorist. And he used the Internet, both as a communication tool and to break into networks. But this does not make him a cyberterrorist.

Interesting article, though.

Here's the SlashDot thread on the topic.

Posted on March 28, 2006 at 07:27 AM • 18 Comments • View Blog Reactions

Quasar Encryption

Does anyone have the faintest clue what they're talking about here? If I had to guess, it's just another random-number generator. It definitely doesn't sound like two telescopes pointing at the same piece of key can contruct the same key -- now that would be cool.

The National Institute of Information and Communications Technology is trying to patent a system of encryption using electromagnetic waves from Quasars.

According to The Nihon Keizai Shimbun, this technology is used to take cosmic radio waves are received through a radio telescope, encrypt and then retransmit them. Because cosmic waves are irregular, it is virtually impossible for others to decipher them. A spokesman is quoted as saying that the system could be used for the transmission of state secrets and other sensitive information.

The radio telescope can decipher the information by observing the cosmic wave patterns emitted by a particular quasar selected in advance. Even if the encrypted data is stolen, it is impossible to read it without the appropriate quasar's radio signals.

The only way to really break the code is to know which radio telescope the coder is using and what Quasar it is pointing at. Only then do you have a slim chance of decoding it.

I can see the story on the home page of Nikkei.net Interactive, but can't get at the story without a login.

Posted on March 27, 2006 at 01:21 PM • 58 Comments • View Blog Reactions

Secret Doors

Creative Home Engineering can make secret doors and hidden passageways for your home.

Pull a favorite book from your library shelf and watch a cabinet section recess to reveal a hidden passageway.

Twist a candlestick and your fireplace rotates, granting access to a hidden room.

Who cares about the security properties? I want one.

Posted on March 27, 2006 at 11:50 AM • 80 Comments • View Blog Reactions

Firefox Bug Causes Relationship to Break Up

A couple -- living together, I assume -- and engaged to be married shared a computer. He used Firefox to visit a bunch of dating sites, being smart enough not to have the browser save his password. But Firefox did save the names of the sites it was told never to save the password for. She happened to stumble on this list. The details are left to the imagination, but they broke up.

Most bug reports aren't this colorful.

Posted on March 27, 2006 at 07:53 AM • 58 Comments • View Blog Reactions

Enigma?

I don't know what this is, but it sure looks like a working model of an Enigma. And it's beautiful.

Posted on March 25, 2006 at 10:52 AM • 50 Comments • View Blog Reactions

Friday Squid Blogging: Sepioloidea lineolata

If Friday cat blogging involves cute pictures of cats, shouldn't Friday squid blogging include cute pictures of squid?

Posted on March 24, 2006 at 04:16 PM • 15 Comments • View Blog Reactions

"Terrorist with Nuke" Movie Plot

Since when did The New Scientist hire novelists to write science stories?

A truck pulls up in front of New York City's Grand Central Station, one of the most densely crowded spots in the world. It is a typical weekday afternoon, with over half a million people in the immediate area, working, shopping or just passing through. A few moments later the driver makes his delivery: a 10-kiloton atomic explosion.

Almost instantly, an electromagnetic pulse knocks out all electronics within a radius of 4 kilometres. The shock wave levels every building within a half-kilometre, killing everyone inside, and severely damages virtually all buildings for a kilometre in every direction. Detonation temperatures of millions of degrees ignite a firestorm that rapidly engulfs the area, generating winds of 600 kilometres an hour.

Within seconds, the blast, heat and direct exposure to radiation have killed several hundred thousand people. Perhaps they are the lucky ones. What follows is, if anything, even worse.

The explosion scoops ...

EDITED TO ADD (3/24): Here's the full article.

Posted on March 24, 2006 at 11:51 AM • 41 Comments • View Blog Reactions

Security Overreaction

Who needs terrorists? We can cause terror all by ourselves:

A worker at a Downtown building who was using a pellet gun with a scope to scare pigeons prompted a massive police response that led to the shutdown of several blocks this afternoon.

[...]

Dozens of motorcycle and special response officers responded to the area.

The Fort Pitt Tunnels inbound were shut down temporarily.

The Port Authority was forced to reroute buses around the area.

People in some buildings were told to stay inside while those in others were evacuated.

Students who attend Pittsburgh High School for the Creative & Performing Arts (CAPA High) remained in their Fort Duquesne Boulevard school this afternoon until the situation was resolved.

The All-City Senior Orchestra rehearsal scheduled for 4 p.m. at CAPA High has been canceled.

Students who attend all other Pittsburgh Public Schools have been dismissed since Port Authority buses and school buses that normally travel through Downtown were being re-routed.

Community College of Allegheny County canceled evening classes at its Downtown center tonight on Stanwix Street.

Before the all-clear was given and roads were reopened, police searched buildings floor-by-floor looking for the gunman and stationed snipers in surrounding buildings.

Posted on March 24, 2006 at 07:59 AM • 49 Comments • View Blog Reactions

London Rejects Subway Scanners

Rare outbreak of security common sense in London:

London Underground is likely to reject the use of passenger scanners designed to detect weapons or explosives as they are "not practical", a security chief for the capital's transport authority said on 14 March 2006.

[...]

"Basically, what we know is that it's not practical," he told Government Computing News. "People use the tube for speed and are concerned with journey time. It would just be too time consuming. Secondly, there's just not enough space to put this kind of equipment in."

"Finally there's also the risk that you actually create another target with people queuing up and congregating at the screening points."

Posted on March 23, 2006 at 01:39 PM • 19 Comments • View Blog Reactions

Airport Passenger Screening

It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns and 60 percent of (fake) bombs. And recently (see also this), testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. It makes you wonder why we're all putting our laptops in a separate bin and taking off our shoes. (Although we should all be glad that Richard Reid wasn't the "underwear bomber.")

The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it's going to slip past the screeners pretty easily. The explosive material won't show up on the metal detector, and the associated electronics can look benign when disassembled. This isn't even a new problem. It's widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces.

But guns and knives? That surprises most people.

Airport screeners have a difficult job, primarily because the human brain isn't naturally adapted to the task. We're wired for visual pattern matching, and are great at picking out something we know to look for -- for example, a lion in a sea of tall grass.

But we're much less adept at detecting random exceptions in uniform data. Faced with an endless stream of identical objects, the brain quickly concludes that everything is identical and there's no point in paying attention. By the time the exception comes around, the brain simply doesn't notice it. This psychological phenomenon isn't just a problem in airport screening: It's been identified in inspections of all kinds, and is why casinos move their dealers around so often. The tasks are simply mind-numbing.

To make matters worse, the smuggler can try to exploit the system. He can position the weapons in his baggage just so. He can try to disguise them by adding other metal items to distract the screeners. He can disassemble bomb parts so they look nothing like bombs. Against a bored screener, he has the upper hand.

And, as has been pointed out again and again in essays on the ludicrousness of post-9/11 airport security, improvised weapons are a huge problem. A rock, a battery for a laptop, a belt, the extension handle off a wheeled suitcase, fishing line, the bare hands of someone who knows karate ... the list goes on and on.

Technology can help. X-ray machines already randomly insert "test" bags into the stream -- keeping screeners more alert. Computer-enhanced displays are making it easier for screeners to find contraband items in luggage, and eventually the computers will be able to do most of the work. It makes sense: Computers excel at boring repetitive tasks. They should do the quick sort, and let the screeners deal with the exceptions.

Sure, there'll be a lot of false alarms, and some bad things will still get through. But it's better than the alternative.

And it's likely good enough. Remember the point of passenger screening. We're not trying to catch the clever, organized, well-funded terrorists. We're trying to catch the amateurs and the incompetent. We're trying to catch the unstable. We're trying to catch the copycats. These are all legitimate threats, and we're smart to defend against them. Against the professionals, we're just trying to add enough uncertainty into the system that they'll choose other targets instead.

The terrorists' goals have nothing to do with airplanes; their goals are to cause terror. Blowing up an airplane is just a particular attack designed to achieve that goal. Airplanes deserve some additional security because they have catastrophic failure properties: If there's even a small explosion, everyone on the plane dies. But there's a diminishing return on investments in airplane security. If the terrorists switch targets from airplanes to shopping malls, we haven't really solved the problem.

What that means is that a basic cursory screening is good enough. If I were investing in security, I would fund significant research into computer-assisted screening equipment for both checked and carry-on bags, but wouldn't spend a lot of money on invasive screening procedures and secondary screening. I would much rather have well-trained security personnel wandering around the airport, both in and out of uniform, looking for suspicious actions.

When I travel in Europe, I never have to take my laptop out of its case or my shoes off my feet. Those governments have had far more experience with terrorism than the U.S. government, and they know when passenger screening has reached the point of diminishing returns. (They also implemented checked-baggage security measures decades before the United States did -- again recognizing the real threat.)

And if I were investing in security, I would invest in intelligence and investigation. The best time to combat terrorism is before the terrorist tries to get on an airplane. The best countermeasures have value regardless of the nature of the terrorist plot or the particular terrorist target.

In some ways, if we're relying on airport screeners to prevent terrorism, it's already too late. After all, we can't keep weapons out of prisons. How can we ever hope to keep them out of airports?

A version of this essay originally appeared on Wired.com.

Posted on March 23, 2006 at 07:03 AM • 82 Comments • View Blog Reactions

Australian Bank Fraud

I really wish this article had more details about the crime. Basically, a criminal ring used an authentication failure with fax transmissions to steal (unsuccessfully, as it turned out) $150 million Australian dollars.

Posted on March 22, 2006 at 12:08 PM • 13 Comments • View Blog Reactions

New Kind of Door Lock

There's a new kind of door lock from the Israeli company E-Lock. It responds to sound. Instead of carrying a key, you carry a small device that makes a series of quick knocking sounds. Just touching it to the door causes the door to open; there's no keyhole. The device, called a "KnocKey," has a keypad and can be programmed to require a PIN before operation -- for even greater security.

Clever idea, but there's the usual security hyperbole:

Since there is no keyhole or contact point on the door, this unique mechanism offers a significantly higher level of security then existing technology.

More accurate would be to say that the security vulnerabilities are different than existing technology. We know a lot about the vulnerabilities of conventional locks, but we know very little about the security of this system. But don't confuse this lack of knowledge with increased security.

Posted on March 22, 2006 at 05:15 AM • 48 Comments • View Blog Reactions

DHS Privacy and Integrity Report

Last year, the Department of Homeland Security finally got around to appointing its DHS Data Privacy and Integrity Advisory Committee. It was mostly made up of industry insiders instead of anyone with any real privacy experience. (Lance Hoffman from George Washington University was the most notable exception.)

And now, we have something from that committee. On March 7th they published their "Framework for Privacy Analysis of Programs, Technologies, and Applications."

This document sets forth a recommended framework for analyzing programs, technologies, and applications in light of their effects on privacy and related interests. It is intended as guidance for the Data Privacy and Integrity Advisory Committee (the Committee) to the U.S. Department of Homeland Security (DHS). It may also be useful to the DHS Privacy Office, other DHS components, and other governmental entities that are seeking to reconcile personal data-intensive programs and activities with important social and human values.

It's surprisingly good.

I like that it is a series of questions a program manager has to answer: about the legal basis for the program, its efficacy against the threat, and its effects on privacy. I am particularly pleased that their questions on pages 3-4 are very similar to the "five steps" I wrote about in Beyond Fear. I am thrilled that the document takes a "trade-off" approach; the last question asks: "Should the program proceed? Do the benefits of the program...justify the costs to privacy interests....?"

I think this is a good starting place for any technology or program with respect to security and privacy. And I hope the DHS actually follows the recommendations in this report.

Posted on March 21, 2006 at 03:07 PM • 13 Comments • View Blog Reactions

No Funding for Homeland Security

Really interesting article by Robert X. Cringely on the lack of federal funding for security technologies.

After the 9-11 terrorist attacks, the United States threw its considerable fortune into the War on Terror, of which a large component was Homeland Security. We conducted a couple wars abroad, both of which still seem to be going on, and took a vast domestic security bureaucracy and turned it into a different and even more vast domestic security bureaucracy. We could argue all day about whether or not America is more secure as a result of these changes, but we'd all agree that a lot of money has been spent. In fact, from a pragmatic point of view, ALL the money has been spent, and that's the point of this particular column. For a variety of reasons, there is no money left to spend on homeland security ­ none, nada, zilch. We're busted.

I think his assessment is spot on.

Posted on March 21, 2006 at 12:39 PM • 15 Comments • View Blog Reactions

Fake 300, 600, and 1,000 Euro Notes Passed as Real

They're deliberately fake, made in Germany for a promotion. But they're being passed as real:

Cologne newsagent Bernd Friedhelm, 33, accepted one of the fake 600 euro notes from an unknown customer who bought two cartons of cigarettes and walked off with 534 euros in change.

Friedhelm said: "He told me it was a new type of note and I just figured I hadn't seen one before."

This is why security is so hard: people.

Posted on March 21, 2006 at 06:47 AM • 59 Comments • View Blog Reactions

Security Through Begging

From TechDirt:

Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems -- so that the next time this happens, there won't be anyone on the network to download such documents.

Even if their begging works, it solves the wrong problem. Sad.

EDITED TO ADD (3/22): Another article.

Posted on March 20, 2006 at 02:01 PM • 15 Comments • View Blog Reactions

Writing about IEDs

Really good article by a reporter who has been covering improvised explosive devices in Iraq:

Last summer, a U.S. Colonel in Baghdad told me that I was America's enemy, or very close to it. For months, I had been covering the U.S. military's efforts to deal with the threat of IEDs, improvised explosive devices. And my writing, he told me, was going too far -- especially this January 2005 Wired News story, in which I described some of the Pentagon's more exotic attempts to counter these bombs.

None of the material in the story -- the stuff about microwave blasters or radio frequency jammers -- was classified, he admitted. Most of it had been taken from open source materials. And many of the systems were years and years from being fielded. But by bundling it all together, I was doing a "world class job of doing the enemy's research for him, for free." So watch your step, he said, as I went back to my ride-alongs with the Baghdad Bomb Squad -- the American soldiers defusing IEDs in the area.

Today, I hear that the President and the Pentagon's higher-ups are trotting out the same argument. "News coverage of this topic has provided a rich source of information for the enemy, and we inadvertently contribute to our enemies' collection efforts through our responses to media interest," states a draft Defense Department memo, obtained by Inside Defense. "Individual pieces of information, though possibly insignificant taken alone, when aggregated provide robust information about our capabilities and weaknesses."

In other words, Al Qaeda hasn't discovered how to Google, yet. Don't help 'em out.

Posted on March 20, 2006 at 11:53 AM • 41 Comments • View Blog Reactions

Chairman of Qantas Stopped at Airport Security

She had airplane blueprints. Oh, and she was a woman -- which cast immediate suspicion on her story.

Posted on March 20, 2006 at 07:03 AM • 59 Comments • View Blog Reactions

The 3rd Annual Nigerian E-mail Conference

Funny:

Like most Nigerians, you're probably finding that it's increasingly difficult to earn a decent living from email. That's why you need to attend the 3rd Annual Nigerian EMail Conference.

Posted on March 18, 2006 at 10:25 AM • 17 Comments • View Blog Reactions

Friday Squid Blogging: Squid Poaching in Argentina

Squid fishing turns into an international incident back in February 2005:

A Taiwanese flagged jigger allegedly poaching in the South Atlantic was arrested by the Argentine Coast Guard after intimidating fire. This is the second incident in a week.

According to Argentine sources the 35 crew jigger was detected operating in the Isla Rasa area, 199 miles offshore Comodoro Rivadavia, and refused to stop engines when approached by a Coast Guard vessel.

Primary reports indicate that "Chich Man 1" was transporting 3,700 boxes of 12,5 kilos each of frozen squid, plus another 68 of fresh squid stored on deck.

When the jigger instead of obeying orders tried to flee the Argentine Coast Guard vessel fired intimidating shots. She was then boarded by a party of Argentine sailors and is currently being escorted to Comodoro Rivadavia where the captain will face charges of illegal fishing.

Less that a week ago another Taiwanese jigger, "Hsien Hua 6" was caught red-hand poaching in the same area and was by ARA Guerrico and escorted to Puerto Deseado.

Posted on March 17, 2006 at 03:32 PM • 8 Comments • View Blog Reactions

Power Analysis of RFID Tags

This is great work by Yossi Oren and Adi Shamir:

Abstract (Summary)

We show the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. While the specific attack described here requires the attacker to actually transmit data to the tag under attack, the power analysis part itself requires only a receive antenna. This means that a variant of this attack can be devised such that the attacker is completely passive while it is acquiring the data, making the attack very hard to detect. As a proof of concept, we describe a password extraction attack on Class 1 Generation 1 EPC tags operating in the UHF frequency range. The attack presented below lets an adversary discover the kill password of such a tag and, then, disable it. The attack can be readily adapted to finding the access and kill passwords of Gen 2 tags. The main significance of our attack is in its implications ­ any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the read range of tags.

My guess of the industry's response: downplay the results and pretend it's not a problem.

Posted on March 17, 2006 at 12:22 PM • 8 Comments • View Blog Reactions

Massive Surveillance in an Online Gaming World

Interesting.

Posted on March 17, 2006 at 07:27 AM • 5 Comments • View Blog Reactions

Movie Theaters Want to Jam Cell Phones

It makes sense.

If I were going to commit armed robbery, I'd probably want to bring a cell phone jammer with me.

EDITED TO ADD (3/25): Another article.

Posted on March 16, 2006 at 12:22 PM • 95 Comments • View Blog Reactions

RFID Chips and Viruses

Of course RFID chips can carry viruses. They're just little computers.

More info here. The coverage is more than a tad sensationalist, though.

EDITED TO ADD (3/16): I thought the attack vector was interesting: a Trojan RFID attacks the central database, rather than attacking other RFID chips directly. Metaphorically, it's a lot closer to biological viruses, because it actually requires the more powerful host being subverted, and there's no way an infected tag could propagate directly to another tag.

Posted on March 16, 2006 at 06:55 AM • 33 Comments • View Blog Reactions

Bioterrorism

Long, and interesting, article on bioterrorism.

When you read this, don't concentrate too much on what's possible right now. If the techniques discussed in the article are beyond the reach of government laboratories now, they won't be in five or ten years. And then they'll become cheaper and easier. Attackers look for leverage, and technology gives attackers leverage.

Posted on March 15, 2006 at 01:46 PM • 19 Comments • View Blog Reactions

Police Department Privilege Escalation

It's easier than you think to create your own police department in the United States.

Yosef Maiwandi formed the San Gabriel Valley Transit Authority -- a tiny, privately run nonprofit organization that provides bus rides to disabled people and senior citizens. It operates out of an auto repair shop. Then, because the law seems to allow transit companies to form their own police departments, he formed the San Gabriel Valley Transit Authority Police Department. As a thank you, he made Stefan Eriksson a deputy police commissioner of the San Gabriel Transit Authority Police's anti-terrorism division, and gave him business cards.

Police departments like this don't have much legal authority, they don't really need to. My guess is that the name alone is impressive enough.

In the computer security world, privilege escalation means using some legitimately granted authority to secure extra authority that was not intended. This is a real-world counterpart. Even though transit police departments are meant to police their vehicles only, the title -- and the ostensible authority that comes along with it -- is useful elsewhere. Someone with criminal intent could easily use this authority to evade scrutiny or commit fraud.

Deal said that his agency has discovered that several railroad agencies around California have created police departments — even though the companies have no rail lines in California to patrol. The police certification agency is seeking to decertify those agencies because it sees no reason for them to exist in California.

The issue of private transit firms creating police agencies has in recent years been a concern in Illinois, where several individuals with criminal histories created railroads as a means of forming a police agency.

The real problem is that we're too deferential to police power. We don't know the limits of police authority, whether it be an airport policeman or someone with a business card from the "San Gabriel Valley Transit Authority Police Department."

Posted on March 15, 2006 at 07:47 AM • 48 Comments • View Blog Reactions

Airport Security Failure

At LaGuardia, a man successfully walked through the metal detector, but screeners wanted to check his shoes. (Some reports say that his shoes set off an alarm.) But he didn't wait, and disappeared into the crowd.

The entire Delta Airlines terminal had to be evacuated, and between 2,500 and 3,000 people had to be rescreened. I'm sure the resultant flight delays rippled through the entire system.

Security systems can fail in two ways. They can fail to defend against an attack. And they can fail when there is no attack to defend. The latter failure is often more important, because false alarms are more common than real attacks.

Aside from the obvious security failure -- how did this person manage to disappear into the crowd, anyway -- it's painfully obvious that the overall security system did not fail well. Well-designed security systems fail gracefully, without affecting the entire airport terminal. That the only thing the TSA could do after the failure was evacuate the entire terminal and rescreen everyone is a testament to how badly designed the security system is.

Posted on March 14, 2006 at 12:15 PM • 31 Comments • View Blog Reactions

Basketball Prank

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win.

Enter "Victoria."

Victoria was a hoax UCLA co-ed, created by Cal's Rally Committee. For the previous week, "she" had been chatting with Gabe Pruitt, USC's starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.

On Saturday, at the game, when Pruitt was introduced in the starting lineup, the chants began: "Victoria, Victoria." One of the fans held up a sign with her phone number.

The look on Pruitt's face when he turned to the bench after the first Victoria chant was priceless. The expression was unlike anything ever seen in collegiate or pro sports. Never did a chant by the opposing crowd have such an impact on a visiting player. Pruitt was in total shock. (This is the only picture I could find.)

The chant "Victoria" lasted all night. To add to his embarrassment, transcripts of their IM conversations were handed out to the bench before the game: "You look like you have a very fit body." "Now I want to c u so bad."

Pruitt ended up a miserable 3-for-13 from the field.

(See also here and here.)

Security morals? First, this is the cleverest social engineering attack I've read about in a long time. Second, authentication is hard in little text windows -- but it's no less important. (Although even if this were a real co-ed recruited for the ruse, authentication wouldn't have helped.) And third, you can hoodwink college basketball players if you get them thinking with their hormones.

Posted on March 14, 2006 at 12:11 PM • 104 Comments • View Blog Reactions

Bypassing the Airport Identity Check

Here's an article about how you can modify, and then print, you own boarding pass and get on an airplane even if you're on the no-fly list. This isn't news; I wrote about it in 2003.

I don't worry about it now any more than I worried about it then:

In terms of security, this is no big deal; the photo-ID requirement doesn't provide much security. Identification of passengers doesn't increase security very much. All of the 9/11 terrorists presented photo-IDs, many in their real names. Others had legitimate driver's licenses in fake names that they bought from unscrupulous people working in motor vehicle offices.

The photo-ID requirement is presented as a security measure, but business is the real reason. Airlines didn't resist it, even though they resisted every other security measure of the past few decades, because it solved a business problem: the reselling of nonrefundable tickets. Such tickets used to be advertised regularly in newspaper classifieds. An ad might read: "Round trip, Boston to Chicago, 11/22-11/30, female, $50." Since the airlines didn't check IDs and could observe gender, any female could buy the ticket and fly the route. Now that won't work. Under the guise of helping prevent terrorism, the airlines solved a business problem of their own and passed the blame for the solution on to FAA security requirements.

But the system fails. I can fly on your ticket. You can fly on my ticket. We don't even have to be the same gender.

Posted on March 14, 2006 at 07:58 AM • 26 Comments • View Blog Reactions

Credit Card Companies and Agenda

This has been making the rounds on the Internet. Basically, a guy tears up a credit card application, tapes it back together, fills it out with someone else's address and a different phone number, and send it in. He still gets a credit card.

Imagine that some fraudster is rummaging through your trash and finds a torn-up credit card application. That's why this is bad.

To understand why it's happening, you need to understand the trade-offs and the agenda. From the point of view of the credit card company, the benefits of giving someone a credit card is that he'll use it and generate revenue. The risk is that it's a fraudster who will cost the company revenue. The credit card industry has dealt with the risk in two ways: they've pushed a lot of the risk onto the merchants, and they've implemented fraud detection systems to limit the damage.

All other costs and problems of identity theft are borne by the consumer; they're an externality to the credit card company. They don't enter into the trade-off decision at all.

We can laugh at this kind of thing all day, but it's actually in the best interests of the credit card industry to mail cards in response to torn-up and taped-together applications without doing much checking of the address or phone number. If we want that to change, we need to fix the externality.

Posted on March 13, 2006 at 02:18 PM • 43 Comments • View Blog Reactions

Googling for Covert CIA Agents

It's easy to blow the cover of CIA agents using the Internet:

The CIA asked the Tribune not to publish her name because she is a covert operative, and the newspaper agreed. But unbeknown to the CIA, her affiliation and those of hundreds of men and women like her have somehow become a matter of public record, thanks to the Internet.

When the Tribune searched a commercial online data service, the result was a virtual directory of more than 2,600 CIA employees, 50 internal agency telephone numbers and the locations of some two dozen secret CIA facilities around the United States.

Only recently has the CIA recognized that in the Internet age its traditional system of providing cover for clandestine employees working overseas is fraught with holes, a discovery that is said to have "horrified" CIA Director Porter Goss.

Seems to be serious:

Not all of the 2,653 employees whose names were produced by the Tribune search are supposed to be working under cover. More than 160 are intelligence analysts, an occupation that is not considered a covert position, and senior CIA executives such as Tenet are included on the list.

Covert employees discovered

But an undisclosed number of those on the list--the CIA would not say how many--are covert employees, and some are known to hold jobs that could make them terrorist targets.

Other potential targets include at least some of the two dozen CIA facilities uncovered by the Tribune search. Most are in northern Virginia, within a few miles of the agency's headquarters. Several are in Florida, Ohio, Pennsylvania, Utah and Washington state. There is one in Chicago.

Some are heavily guarded. Others appear to be unguarded private residences that bear no outward indication of any affiliation with the CIA.

A senior U.S. official, reacting to the computer searches that produced the names and addresses, said, "I don't know whether Al Qaeda could do this, but the Chinese could."

There are more articles.

Posted on March 13, 2006 at 11:02 AM • 35 Comments • View Blog Reactions

Huge Vulnerability in GPG

GPG is an open-source version of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message -- specifically, you can prepend or append arbitrary data -- without disturbing the signature verification.

It appears this bug has existed for years without anybody finding it.

Moral: Open source does not necessarily mean "fewer bugs." I wrote about this back in 1999.

UPDATED TO ADD (3/13): This bug is fixed in Version 1.4.2.2. Users should upgrade immediately.

Posted on March 13, 2006 at 06:33 AM • 36 Comments • View Blog Reactions

Friday Squid Blogging: Giant Squid in Australia

On television:

According to juicy folklore and loose legend, for centuries, the inky waters of our deepest oceans have been home to that most mysterious of marine creatures -- the giant squid. Well, as we speak, visitors to Melbourne's aquarium can take a gander at the real thing, a 7m-long squid, caught in New Zealand and frozen in a block of ice.

For 30 years, almost obsessively, one real scientific character from across the Tasman has been chasing these elusive creatures and Ben Deacon caught up with him, hard at what's clearly become his life's work.

Watch the video here.

Posted on March 10, 2006 at 02:46 PM • 14 Comments • View Blog Reactions

Blowing Up ATM Machines

In the Netherlands, criminals are stealing money from ATM machines by blowing them up (article in Dutch). First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas -- from a safe distance -- and clean up the money that flies all over the place after the ATM explodes.

Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks' countermeasure is to install air vents so that gas can't build up inside the ATMs.

Posted on March 10, 2006 at 12:26 PM • 49 Comments • View Blog Reactions

Flying Without ID

According to the TSA, in the 9th Circuit Case of John Gilmore, you are allowed to fly without showing ID -- you'll just have to submit yourself to secondary screening.

The Identity Project wants you to try it out. If you have time, try to fly without showing ID.

Mr. Gilmore recommends that every traveler who is concerned with privacy or anonymity should opt to become a "selectee" rather than show an ID. We are very likely to lose the right to travel anonymously, if citizens do not exercise it. TSA and the airlines will attempt to make it inconvenient for you, by wasting your time and hassling you, but they can't do much in that regard without compromising their avowed missions, which are to transport paying passengers, and to keep weapons off planes. If you never served in the armed services, this is a much easier way to spend some time keeping your society free. (Bring a copy of the court decision with you and point out some of the numerous places it says you can fly as a selectee rather than show ID. Paper tickets are also helpful, though not required.)

I'm curious what the results are.

EDITED TO ADD (11/25): Here's someone who tried, and failed.

Posted on March 10, 2006 at 07:20 AM • 83 Comments • View Blog Reactions

More on the ATM-Card Class Break

A few days ago, I wrote about the class break of Citibank ATM cards in Canada, the UK, and Russia. This is new news:

With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.

Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.

The central question surrounding the new wave of crime is this: How did the thieves managed to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.

Read the whole article. Details are emerging slowly, but there's still a lot we don't know.

EDITED TO ADD (3/11): More info in these four articles.

Posted on March 09, 2006 at 03:51 PM • 53 Comments • View Blog Reactions

Danish ATM-Card Skimming

Criminals are breaking into stores and pretending to ransack them, as a cover for installing ATM skimming hardware, complete with a transmitter.

Note the last paragraph of the story -- it's in Danish, sorry -- where the company admits that this is the fourth attempt they know of criminals installing reader equipment inside ATM terminals for the purpose of skimming numbers and PINs.

Posted on March 09, 2006 at 01:40 PM • 17 Comments • View Blog Reactions

Data Mining for Terrorists

In the post 9/11 world, there's much focus on connecting the dots. Many believe that data mining is the crystal ball that will enable us to uncover future terrorist plots. B