Schneier on Security

A blog covering security and security technology.

« July 2006 | Main | September 2006 »

August 2006 Archives

Behavioral Profiling Nabs Warren Jeffs

This is interesting:

A paper license tag, a salad and stories that didn't make sense pricked the suspicions of a state trooper who stopped the car of a wanted fugitive polygamist in Las Vegas.

But it was the pumping carotid artery in the neck of Warren Steed Jeffs that convinced Nevada Highway Patrolman Eddie Dutchover that he had cornered someone big.

This is behavioral profiling done right, and it reminds me of the Diana Dean story. (Here's another example of behavioral profiling done right, and here is an article by Malcolm Gladwell on profiling and generalizations.)

Behavioral profiling is tough to do well. It requires intelligent and well-trained officers. Done badly, it quickly defaults to racial profiling. But done well, it'll do far more to keep us safe than object profiling (e.g., banning liquids on aircraft).

Posted on August 31, 2006 at 01:11 PM • 53 Comments • View Blog Reactions

Ross Anderson's Security Engineering

Ross Anderson's Security Engineering is a great book. And I'm not saying that because I wrote the foreword. Since it was published in 2001, I have regularly recommended it to engineers interested in security.

None of this is news. What is news is that you can download the book, free and legally.

Posted on August 31, 2006 at 07:45 AM • 15 Comments • View Blog Reactions

Terrorists as Pirates

"The Dread Pirate Bin Ladin" argues that, legally, terrorists should be treated as pirates under international law:

More than 2,000 years ago, Marcus Tullius Cicero defined pirates in Roman law as hostis humani generis, "enemies of the human race." From that day until now, pirates have held a unique status in the law as international criminals subject to universal jurisdiction—meaning that they may be captured wherever they are found, by any person who finds them. The ongoing war against pirates is the only known example of state vs. nonstate conflict until the advent of the war on terror, and its history is long and notable. More important, there are enormous potential benefits of applying this legal definition to contemporary terrorism.

[...]

President Bush and others persist in depicting this new form of state vs. nonstate warfare in traditional terms, as with the president's declaration of June 2, 2004, that "like the Second World War, our present conflict began with a ruthless surprise attack on the United States." He went on: "We will not forget that treachery and we will accept nothing less than victory over the enemy." What constitutes ultimate victory against an enemy that lacks territorial boundaries and governmental structures, in a war without fields of battle or codes of conduct? We can't capture the enemy's capital and hoist our flag in triumph. The possibility of perpetual embattlement looms before us.

If the war on terror becomes akin to war against the pirates, however, the situation would change. First, the crime of terrorism would be defined and proscribed internationally, and terrorists would be properly understood as enemies of all states. This legal status carries significant advantages, chief among them the possibility of universal jurisdiction. Terrorists, as hostis humani generis, could be captured wherever they were found, by anyone who found them. Pirates are currently the only form of criminals subject to this special jurisdiction.

Second, this definition would deter states from harboring terrorists on the grounds that they are "freedom fighters" by providing an objective distinction in law between legitimate insurgency and outright terrorism. This same objective definition could, conversely, also deter states from cracking down on political dissidents as "terrorists," as both Russia and China have done against their dissidents.

Recall the U.N. definition of piracy as acts of "depredation [committed] for private ends." Just as international piracy is viewed as transcending domestic criminal law, so too must the crime of international terrorism be defined as distinct from domestic homicide or, alternately, revolutionary activities. If a group directs its attacks on military or civilian targets within its own state, it may still fall within domestic criminal law. Yet once it directs those attacks on property or civilians belonging to another state, it exceeds both domestic law and the traditional right of self-determination, and becomes akin to a pirate band.

Third, and perhaps most important, nations that now balk at assisting the United States in the war on terror might have fewer reservations if terrorism were defined as an international crime that could be prosecuted before the International Criminal Court.

Ross Anderson recognized the parallels between terrorism and piracy back in 2001.

Posted on August 30, 2006 at 07:57 AM • 101 Comments • View Blog Reactions

Details on the British Terrorist Arrest

Details are emerging:

• There was some serious cash flow from someone, presumably someone abroad.
• There was no imminent threat.
• However, the threat was real. And it seems pretty clear that it would have bypassed all existing airport security systems.
• The conspirators were radicalized by the war in Iraq, although it is impossible to say whether they would have been otherwise radicalized without it.
• They were caught through police work, not through any broad surveillance, and were under surveillance for more than a year.

What pisses me off most is the second item. By arresting the conspirators early, the police squandered the chance to learn more about the network and arrest more of them -- and to present a less flimsy case. There have been many news reports detailing how the U.S. pressured the UK government to make the arrests sooner, possibly out of political motivations. (And then Scotland Yard got annoyed at the U.S. leaking plot details to the press, hampering their case.)

My initial comments on the arrest are here. I still think that all of the new airline security measures are an overreaction (This essay makes the same point, as well as describing a 1995 terrorist plot that was remarkably similar in both materials and modus operandi -- and didn't result in a complete ban on liquids.)

As I said on a radio interview a couple of weeks ago: "We ban guns and knives, and the terrorists use box cutters. We ban box cutters and corkscrews, and they hide explosives in their shoes. We screen shoes, and the terrorists use liquids. We ban liquids, and the terrorist will use something else. It's not a fair game, because the terrorists get to see our security measures before they plan their attack." And it's not a game we can win. So let's stop playing, and play a game we actually can win. The real lesson of the London arrests is that investigation and intelligence work.

EDITED TO ADD (8/29): Seems this URL is unavailable in the U.K. See the comments for ways to bypass the block.

Posted on August 29, 2006 at 07:20 AM • 81 Comments • View Blog Reactions

World War II Statistics-and-Security Story

Estimating the number of tanks the Germans produced.

Posted on August 28, 2006 at 01:51 PM • 22 Comments • View Blog Reactions

Stupid Security Awards Nominations Open

Get your nominations in.

The "Stupid Security Awards" aim to highlight the absurdities of the security industry. Privacy International's director, Simon Davies, said his group had taken the initiative because of "innumerable" security initiatives around the world that had absolutely no genuine security benefit. The awards were first staged in 2003 and attracted over 5,000 nominations. This will be the second competition in the series.

"The situation has become ridiculous" said Mr Davies. "Security has become the smokescreen for incompetent and robotic managers the world over".

Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessary into our private lives and often reduce us to the status of cattle.

[...]

Privacy International is calling for nominations to name and shame the worst offenders. The competition closes on October 31st 2006. The award categories are:

• Most Egregiously Stupid Award
• Most Inexplicably Stupid Award
• Most Annoyingly Stupid Award
• Most Flagrantly Intrusive Award
• Most Stupidly Counter Productive Award

The competition will be judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists.

Posted on August 28, 2006 at 07:39 AM • 19 Comments • View Blog Reactions

Friday Squid Blogging: Piglet Squid

Great pictures.

Posted on August 25, 2006 at 03:12 PM • 12 Comments • View Blog Reactions

Dropped iPod Leads to Terror Alert

This is a surreal story about a guy who accidentally drops his iPod into an airplane toilet, prompting a full-scale terror alert. Overreaction at its worst.

Posted on August 25, 2006 at 01:46 PM • 46 Comments • View Blog Reactions

Stephen Colbert Computer Security Tips

Stephen Colbert on protecting your computer: Part 1 and Part 2.

Posted on August 25, 2006 at 12:06 PM • 20 Comments • View Blog Reactions

USBDumper

USBDumper (article is in French; here's the software) is a cute little utility that silently copies the contents of an inserted USB drive onto the PC. The idea is that you install this piece of software on your computer, or on a public PC, and then you collect the files -- some of them personal and confidential -- from anyone who plugs their USB drive into that computer. (This blog post talks about a version that downloads a disk image, allowing someone to recover deleted files as well.)

No big deal to anyone who worries about computer security for a living, but probably a rude shock to salespeople, conference presenters, file sharers, and many others who regularly plug their USB drives into strange PCs.

EDITED TO ADD (10/24): USBDumper 2.2 has been released. The webpage includes a number of other useful utilities.

Posted on August 25, 2006 at 06:47 AM • 40 Comments • View Blog Reactions

Skype Call Traced

Kobi Alexander fled the United States ten days ago. He was tracked down in Sri Lanka via a Skype call:

According to the report, Alexander was located after making a one-minute call via the online telephone Skype service. The call, made from the Sri Lankan capital Colombo, alerted intelligence agencies to his presence in the country.

Ars Technica explains:

The fugitive former CEO may have been convinced that using Skype made him safe from tracking, but he -- and everyone else that believes VoIP is inherently more secure than a landline -- was wrong. Tracking anonymous peer-to-peer VoIP traffic over the Internet is possible (PDF). In fact, it can be done even if the parties have taken some steps to disguise the traffic.

Let this be a warning to all of you who thought Skype was anonymous.

Posted on August 24, 2006 at 01:45 PM • 47 Comments • View Blog Reactions

What the Terrorists Want

On Aug. 16, two men were escorted off a plane headed for Manchester, England, because some passengers thought they looked either Asian or Middle Eastern, might have been talking Arabic, wore leather jackets, and looked at their watches -- and the passengers refused to fly with them on board. The men were questioned for several hours and then released.

On Aug. 15, an entire airport terminal was evacuated because someone's cosmetics triggered a false positive for explosives. The same day, a Muslim man was removed from an airplane in Denver for reciting prayers. The Transportation Security Administration decided that the flight crew overreacted, but he still had to spend the night in Denver before flying home the next day. The next day, a Port of Seattle terminal was evacuated because a couple of dogs gave a false alarm for explosives.

On Aug. 19, a plane made an emergency landing in Tampa, Florida, after the crew became suspicious because two of the lavatory doors were locked. The plane was searched, but nothing was found. Meanwhile, a man who tampered with a bathroom smoke detector on a flight to San Antonio was cleared of terrorism, but only after having his house searched.

On Aug. 16, a woman suffered a panic attack and became violent on a flight from London to Washington, so the plane was escorted to the Boston airport by fighter jets. "The woman was carrying hand cream and matches but was not a terrorist threat," said the TSA spokesman after the incident.

And on Aug. 18, a plane flying from London to Egypt made an emergency landing in Italy when someone found a bomb threat scrawled on an air sickness bag. Nothing was found on the plane, and no one knows how long the note was on board.

I'd like everyone to take a deep breath and listen for a minute.

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And we're doing exactly what the terrorists want.

We're all a little jumpy after the recent arrest of 23 terror suspects in Great Britain. The men were reportedly plotting a liquid-explosive attack on airplanes, and both the press and politicians have been trumpeting the story ever since.

In truth, it's doubtful that their plan would have succeeded; chemists have been debunking the idea since it became public. Certainly the suspects were a long way off from trying: None had bought airline tickets, and some didn't even have passports.

Regardless of the threat, from the would-be bombers' perspective, the explosives and planes were merely tactics. Their goal was to cause terror, and in that they've succeeded.

Imagine for a moment what would have happened if they had blown up 10 planes. There would be canceled flights, chaos at airports, bans on carry-on luggage, world leaders talking tough new security measures, political posturing and all sorts of false alarms as jittery people panicked. To a lesser degree, that's basically what's happening right now.

Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we're terrified, and we share that fear, we help. All of these actions intensify and repeat the terrorists' actions, and increase the effects of their terror.

(I am not saying that the politicians and press are terrorists, or that they share any of the blame for terrorist attacks. I'm not that stupid. But the subject of terrorism is more complex than it appears, and understanding its various causes and effects are vital for understanding how to best deal with it.)

The implausible plots and false alarms actually hurt us in two ways. Not only do they increase the level of fear, but they also waste time and resources that could be better spent fighting the real threats and increasing actual security. I'll bet the terrorists are laughing at us.

Another thought experiment: Imagine for a moment that the British government arrested the 23 suspects without fanfare. Imagine that the TSA and its European counterparts didn't engage in pointless airline-security measures like banning liquids. And imagine that the press didn't write about it endlessly, and that the politicians didn't use the event to remind us all how scared we should be. If we'd reacted that way, then the terrorists would have truly failed.

It's time we calm down and fight terror with antiterror. This does not mean that we simply roll over and accept terrorism. There are things our government can and should do to fight terrorism, most of them involving intelligence and investigation -- and not focusing on specific plots.

But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership.

The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.

This essay originally appeared on Wired.com.

EDITED TO ADD (3/24): Here's another incident.

EDITED TO ADD (3/29): There have been many more incidents since I wrote this -- all false alarms. I've stopped keeping a list.

Posted on August 24, 2006 at 07:08 AM • 284 Comments • View Blog Reactions

Privacy Risks of Public Mentions

Interesting paper: "You are what you say: privacy risks of public mentions," Proceedings of the 29th Annual International ACM SIGIR Conference on Research and Development in Information Retrieval, 2006.

Abstract:

In today's data-rich networked world, people express many aspects of their lives online. It is common to segregate different aspects in different places: you might write opinionated rants about movies in your blog under a pseudonym while participating in a forum or web site for scholarly discussion of medical ethics under your real name. However, it may be possible to link these separate identities, because the movies, journal articles, or authors you mention are from a sparse relation space whose properties (e.g., many items related to by only a few users) allow re-identification. This re-identification violates people's intentions to separate aspects of their life and can have negative consequences; it also may allow other privacy violations, such as obtaining a stronger identifier like name and address.This paper examines this general problem in a specific setting: re-identification of users from a public web movie forum in a private movie ratings dataset. We present three major results. First, we develop algorithms that can re-identify a large proportion of public users in a sparse relation space. Second, we evaluate whether private dataset owners can protect user privacy by hiding data; we show that this requires extensive and undesirable changes to the dataset, making it impractical. Third, we evaluate two methods for users in a public forum to protect their own privacy, suppression and misdirection. Suppression doesn't work here either. However, we show that a simple misdirection strategy works well: mention a few popular items that you haven't rated.

Unfortunately, the paper is only available to ACM members.

EDITED TO ADD (8/24): Paper is here.

Posted on August 23, 2006 at 02:11 PM • 23 Comments • View Blog Reactions

TrackMeNot

In the wake of AOL's publication of search data, and the New York Times article demonstrating how easy it is to figure out who did the searching, we have TrackMeNot:

TrackMeNot runs in Firefox as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and MSN. It hides users' actual search trails in a cloud of indistinguishable 'ghost' queries, making it difficult, if not impossible, to aggregate such data into accurate or identifying user profiles. TrackMeNot integrates into the Firefox 'Tools' menu and includes a variety of user-configurable options.

Let's count the ways this doesn't work.

One, it doesn't hide your searches. If the government wants to know who's been searching on "al Qaeda recruitment centers," it won't matter that you've made ten thousand other searches as well -- you'll be targeted.

Two, it's too easy to spot. There are only 1,673 search terms in the program's dictionary. Here, as a random example, are the program's "G" words:

gag, gagged, gagging, gags, gas, gaseous, gases, gassed, gasses, gassing, gen, generate, generated, generates, generating, gens, gig, gigs, gillion, gillions, glass, glasses, glitch, glitched, glitches, glitching, glob, globed, globing, globs, glue, glues, gnarlier, gnarliest, gnarly, gobble, gobbled, gobbles, gobbling, golden, goldener, goldenest, gonk, gonked, gonking, gonks, gonzo, gopher, gophers, gorp, gorps, gotcha, gotchas, gribble, gribbles, grind, grinding, grinds, grok, grokked, grokking, groks, ground, grovel, groveled, groveling, grovelled, grovelling, grovels, grue, grues, grunge, grunges, gun, gunned, gunning, guns, guru, gurus

The program's authors claim that this list is temporary, and that there will eventually be a TrackMeNot server with an ever-changing word list. Of course, that list can be monitored by any analysis program -- as could any queries to that server.

In any case, every twelve seconds -- exactly -- the program picks a random pair of words and sends it to either AOL, Yahoo, MSN, or Google. My guess is that your searches contain more than two words, you don't send them out in precise twelve-second intervals, and you favor one search engine over the others.

Three, some of the program's searches are worse than yours. The dictionary includes:

HIV, atomic, bomb, bible, bibles, bombing, bombs, boxes, choke, choked, chokes, choking, chain, crackers, empire, evil, erotics, erotices, fingers, knobs, kicking, harier, hamster, hairs, legal, letterbomb, letterbombs, mailbomb, mailbombing, mailbombs, rapes, raping, rape, raper, rapist, virgin, warez, warezes, whack, whacked, whacker, whacking, whackers, whacks, pistols

Does anyone reall think that searches on "erotic rape," "mailbombing bibles," and "choking virgins" will make their legitimate searches less noteworthy?

And four, it wastes a whole lot of bandwidth. A query every twelve seconds translates into 2,400 queries a day, assuming an eight-hour workday. A typical Google response is about 25K, so we're talking 60 megabytes of additional traffic daily. Imagine if everyone in the company used it.

I suppose this kind of thing would stop someone who has a paper printout of your searches and is looking through them manually, but it's not going to hamper computer analysis very much. Or anyone who isn't lazy. But it wouldn't be hard for a computer profiling program to ignore these searches.

As one commentator put it:

Imagine a cop pulls you over for speeding. As he approaches, you realize you left your wallet at home. Without your driver's license, you could be in a lot of trouble. When he approaches, you roll down your window and shout. "Hello Officer! I don't have insurance on this vehicle! This car is stolen! I have weed in my glovebox! I don't have my driver's license! I just hit an old lady minutes ago! I've been running stop lights all morning! I have a dead body in my trunk! This car doesn't pass the emissions tests! I'm not allowed to drive because I am under house arrest! My gas tank runs on the blood of children!" You stop to catch a breath, confident you have supplied so much information to the cop that you can't possibly be caught for not having your license now.

Yes, data mining is a signal-to-noise problem. But artificial noise like this isn't going to help much. If I were going to improve on this idea, I would make the plugin watch the user's search patterns. I would make it send queries only to the search engines the user does, only when he is actually online doing things. I would randomize the timing. (There's a comment to that effect in the code, so presumably this will be fixed in a later version of the program.) And I would make it monitor the web pages the user looks at, and send queries based on keywords it finds on those pages. And I would make it send queries in the form the user tends to use, whether it be single words, pairs of words, or whatever.

But honestly, I don't know that I would use it even then. The way serious people protect their web-searching privacy is through anonymization. Use Tor for serious web anonymization. Or Black Box Search for simple anonymous searching (here's a Greasemonkey extension that does that automatically.) And set your browser to delete search engine cookies regularly.

Posted on August 23, 2006 at 06:53 AM • 81 Comments • View Blog Reactions

Educating Users

I've met users, and they're not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they're not technologists, let alone security people. Of course, they're making all sorts of security mistakes. I too have tried educating users, and I agree that it's largely futile.

Part of the problem is generational. We've seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach newfangled technologies with trepidation, distrust and confusion, while the children who grew up with them understand them intuitively.

But while the don't-get-it generation will die off eventually, we won't suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there's no time for any generation to become fluent in anything.

Earlier this year, researchers ran an experiment in London's financial district. Someone stood on a street corner and handed out CDs, saying they were a "special Valentine's Day promotion." Many people, some working at sensitive bank workstations, ran the program on the CDs on their work computers. The program was benign -- all it did was alert some computer on the Internet that it was running -- but it could just have easily been malicious. The researchers concluded that users don't care about security. That's simply not true. Users care about security -- they just don't understand it.

I don't see a failure of education; I see a failure of technology. It shouldn't have been possible for those users to run that CD, or for a random program stuffed into a banking computer to "phone home" across the Internet.

The real problem is that computers don't work well. The industry has convinced everyone that people need a computer to survive, and at the same time it's made computers so complicated that only an expert can maintain them.

If I try to repair my home heating system, I'm likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there's no point in trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if anything goes wrong.

Punishment isn't something you do instead of education; it's a form of education -- a very primal form of education best suited to children and animals (and experts aren't so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.

This originally appeared in the April 2006 issue of Information Security Magazine, as the second part of a point/counterpoint with Marcus Ranum. You can read Marcus's essay here, if you are a subscriber. (Subscriptions are free to "qualified" people.)

EDITED TO ADD (9/11): Here's Marcus's half.

Posted on August 22, 2006 at 12:35 PM • 79 Comments • View Blog Reactions

Ten Worst Privacy Debacles of All Time

Not a bad list:

10. ChoicePoint data spill
9. VA laptop theft
8. CardSystems hacked
7. Discovery of data on used hard drives for sale
6. Philip Agee's revenge
5. Amy Boyer's murder
4. Testing CAPPS II
3. COINTELPRO
2. AT&T lets the NSA listen to all phone calls
1. The creation of the Social Security Number

EDITED TO ADD (8/22): Daniel Solove comments.

Posted on August 22, 2006 at 06:19 AM • 45 Comments • View Blog Reactions

Call Forwarding Credit Card Scam

This is impressive:

A fraudster contacts an AT&T service rep and says he works at a pizza parlor and that the phone is having trouble. Until things get fixed, he requests that all incoming calls be forwarded to another number, which he provides.

Pizza orders are thus routed by AT&T to the fraudster's line. When a call comes in, the fraudster pretends to take the customer's order but says payment must be made in advance by credit card.

The unsuspecting customer gives his or her card number and expiration date, and before you can say "extra cheese," the fraudster is ready to go on an Internet shopping spree using someone else's money.

Those of us who know security have been telling people not to trust incoming phone calls -- that you should call the company if you are going to divulge personal information to them. Seems like that advice isn't foolproof.

The problem is the phone company, of course. They're forwarding calls based on an unauthenticated request. AT&T doesn't really want to talk about details:

He was reluctant to discuss the steps AT&T has taken to improve its call-forwarding system so this sort of thing doesn't happen again. What, for example, is to prevent someone from convincing AT&T to forward all calls to a local flower store or some other business that takes orders by phone?

"We had some guidelines in place that we believe were effective," Britton said. "Now we have extra precautions."

It seems to me that AT&T would solve this problem more quickly if it were liable. Shouldn't a pizza customer who has been scammed be allowed to sue AT&T? After all, the phone company didn't route the customer's calls properly. Does the credit card company have a basis for a suit? Certainly the pizza parlor does, but the effects of AT&T's sloppy authentication are much greater than a few missed pizza orders.

Posted on August 21, 2006 at 01:35 PM • 43 Comments • View Blog Reactions

Fraudulent Australian Census Takers

In Australia, criminals are posing as census takers and harvesting personal data for fraudulent purposes.

EDITED TO ADD (8/21): I didn't notice that this link is from 2001. Sorry about missing that, but it actually makes the story more interesting. This is the sort of identity-theft tactic that I would have expected to see this year, as criminals have gotten more and more sophisticated. It surprises me that they were doing this five years ago as well.

Posted on August 21, 2006 at 06:24 AM • 17 Comments • View Blog Reactions

Friday Squid Blogging: 13-foot Tentacle Found off Santa Cruz Coast

From KSBY:

A fisherman snags a rare catch in the Santa Barbara Channel, a tentacle belonging to a giant squid.

The 13-foot-long tentacle was found floating near Santa Cruz Island last week. Little is known about the species, it is only the fourth confirmed specimen ever found in Southern California.

"They are definitely present off our coast, they are probably not very common here and they probably live in deep water, this one here was caught near the Santa Cruz Basin, which is several thousand feet deep," said Eric Hochberg, Santa Barbara Museum of Natural History Curator.

The tentacle likely surfaced after the rest of the squid was eaten by a whale.

Posted on August 18, 2006 at 03:20 PM • 17 Comments • View Blog Reactions

Behavioral Profiling

I've long been a fan of behavioral profiling, as opposed to racial profiling. The U.S. has been testing such a program. While there are legitimate fears that this could end up being racial profiling in disguise, I think this kind of thing is the right idea. (Although I am less impressed with this kind of thing.)

EDITED TO ADD (8/18): Funny cartoon on profiling.

Posted on August 18, 2006 at 01:21 PM • 51 Comments • View Blog Reactions

Gel-Filled Bras

From the TSA's web page on prohibited items:

We encourage everyone to pack gel-filled bras in their checked baggage.

Everyone? Do I have to as well? Where should I go buy one?

EDITED TO ADD (8/21): Language Log makes a serious comment.

Posted on August 18, 2006 at 11:22 AM • 56 Comments • View Blog Reactions

Human/Bear Security Trade-Off

Interesting example:

Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open -- you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it's actually quite tricky to get the design of these cans just right. Make it too complex and people can't get them open to put away their garbage in the first place. Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."

It's a tough balance to strike. People are smart, but they're impatient and unwilling to spend a lot of time solving the problem. Bears are dumb, but they're tenacious and are willing to spend hours solving the problem. Given those two constraints, creating a trash can that can both work for people and not work for bears is not easy.

Posted on August 18, 2006 at 07:02 AM • 62 Comments • View Blog Reactions

Network Security Podcast

I was interviewed by Martin McKeay.

Posted on August 17, 2006 at 03:57 PM • 24 Comments • View Blog Reactions

1963 FBI Fingerprint Book on Project Gutenberg

The Science of Fingerprints: Classification and Uses, FBI, 1963. Introduction by J. Edgar Hoover.

You can buy a real copy here.

Posted on August 17, 2006 at 12:49 PM • 8 Comments • View Blog Reactions

Hanko Security

A futile attempt to improve the security of Japan's hanko identification system.

Posted on August 17, 2006 at 08:15 AM • 23 Comments • View Blog Reactions

Random Bag Searches in Subways

Last year, New York City implemented a program of random bag searches in the subways. It was a silly idea, and I wrote about it then. Recently the U.S. Court of Appeals for the 2nd Circuit upheld the program. Daniel Solove wrote about the ruling:

The 2nd Circuit panel concluded that the program was "reasonable" under the 4th Amendment's special needs doctrine. Under the special needs doctrine, if there are exceptional circumstances that make the warrant and probable cause requirements unnecessary, then the search should be analyzed in terms of whether it is "reasonable." Reasonableness is determined by balancing privacy against the government 's need. The problem with the 2nd Circuit decision is that under its reasoning, nearly any search, no matter how intrusive into privacy, would be justified. This is because of the way it assesses the government's side of the balance. When the government's interest is preventing the detonation of a bomb on a crowded subway, with the potential of mass casualties, it is hard for anything to survive when balanced against it.

The key to the analysis should be the extent to which the search program will effectively improve subway safety. In other words, the goals of the program may be quite laudable, but nobody questions the importance of subway safety. Its weight is so hefty that little can outweigh it. The important issue is whether the search program is a sufficiently effective way of achieving those goals that it is worth the trade-off in civil liberties. On this question, unfortunately, the 2nd Circuit punts. It defers to the law enforcement officials:

That decision is best left to those with "a unique understanding of, and responsibility for, limited public resources, including a finite number of police officers." Accordingly, we ought not conduct a "searching examination of effectiveness." Instead, we need only determine whether the Program is "a reasonably effective means of addressing" the government interest in deterring and detecting a terrorist attack on the subway system...

Instead, plaintiffs claim that the Program can have no meaningful deterrent effect because the NYPD employs too few checkpoints. In support of that claim, plaintiffs rely upon various statistical manipulations of the sealed checkpoint data.

We will not peruse, parse, or extrapolate four months' worth of data in an attempt to divine how many checkpoints the City ought to deploy in the exercise of its day to day police power. Counter terrorism experts and politically accountable officials have undertaken the delicate and esoteric task of deciding how best to marshal their available resources in light of the conditions prevailing on any given day. We will not and may not second guess the minutiae of their considered decisions. (internal citations omitted)

Although courts should not take a "know it all" attitude, they must not defer on such a critical question. The problem with many security measures is that they are not a very wise expenditure of resources. It is costly to have a lot of police officers engage in these random searches when they could be doing other things or money could be spent on other measures. A very small number of random searches in a subway system of over 4 million riders a day seems more symbolic that effective. If courts don't question the efficacy of security measures in the name of terrorism, then it allows law enforcement officials to win nearly all the time. The government just needs to come into court and say "terrorism" and little else will matter.

Posted on August 16, 2006 at 03:32 PM • 36 Comments • View Blog Reactions

Bruce Schneier Facts

Some of these are pretty funny.

Posted on August 16, 2006 at 12:16 PM • 80 Comments • View Blog Reactions

On the Implausibility of the Explosives Plot

Really interesting analysis of the chemistry involved in the alleged UK terrorist plot:

Based on the claims in the media, it sounds like the idea was to mix H₂O₂ (hydrogen peroxide, but not the low test kind you get at the pharmacy), H₂SO₄ (sulfuric acid, of necessity very concentrated for it to work at all), and acetone (known to people worldwide as nail polish remover), to make acetone peroxides. You first have to mix the H₂O₂ and H₂SO₄ to get a powerful oxidizer, and then you use it on acetone to get the peroxides, which are indeed explosive.

A mix of H₂O₂ and H₂SO₄, commonly called "piranha bath", is used in orgo labs around the world for cleaning the last traces out of organic material out of glassware when you need it *really* clean -- thus, many people who work around organic labs are familiar with it. When you mix it, it heats like mad, which is a common thing when you mix concentrated sulfuric acid with anything. It is very easy to end up with a spattering mess. You don't want to be around the stuff in general. Here, have a look at a typical warning list from a lab about the stuff:

http://www.mne.umd.edu/LAMP/Sop/Piranha_SOP.htm

Now you may protest "but terrorists who are willing to commit suicide aren't going to be deterred by being injured while mixing their precursor chemicals!" -- but of course, determination isn't the issue here, getting the thing done well enough to make the plane go boom is the issue. There is also the small matter of explaining to the guy next to you what you're doing, or doing it in a tiny airplane bathroom while the plane jitters about.

Now, they could of course mix up their oxidizer in advance, but then finding a container to keep the stuff in that isn't going to melt is a bit of an issue. The stuff reacts violently with *everything*. You're not going to keep piranha bath in a shampoo bottle -- not unless the shampoo bottle was engineered by James Bond's Q. Glass would be most appropriate, assuming that you could find a way to seal it that wouldn't be eaten.

Read the whole thing.

EDITED TO ADD (8/16): More speculation.

EDITED TO ADD (8/17): Even more speculation.

Posted on August 16, 2006 at 07:32 AM • 90 Comments • View Blog Reactions

Review of U.S. Customs and Border Protection Anti-Terrorist Actions

Department of Homeland Security, Office of the Inspector General, "Review of CBP Actions Taken to Intercept Suspected Terrorists at U.S. Ports of Entry," OIG-06-43, June 2006.

Results in Brief:

CBP has improved information sharing capabilities within the organization to smooth the flow of arriving passengers and increase the effectiveness of limited resources at POEs. Earlier, officers at POEs possessed limited information to help them resolve the identities of individuals mistakenly matched to the terrorist watch list, but a current initiative aims to provide supervisors at POEs with much more information to help them positively identify and clear individuals with names similar to those in the terrorist database. CBP procedures are highly prescriptive and withhold from supervisors the authority to make timely and informed decisions regarding the admissibility of individuals who they could quickly confirm are not the suspected terrorist.

As CBP has stepped up its efforts to intercept known and suspected terrorists at ports of entry, traditional missions such as narcotics interdiction and identification of fraudulent immigration documentation have been adversely affected. Recent data indicates a significant decrease over the past few years in the interception of narcotics and the identification of fraudulent immigration documents, especially at airports.

When a watchlisted or targeted1 individual is encountered at a POE, CBP generates several reports summarizing the incident. Each of these reports provides a different level of detail, and is distributed to a different readership. It is unclear, however, how details of the encounter and the information obtained from the suspected terrorist are disseminated for analysis. This inconsistent reporting is preventing DHS from developing independent intelligence assessments and may be preventing important information from inclusion in national strategic intelligence analyses.

During an encounter with a watchlisted individual, CBP officers at the POE often need to discuss sensitive details about the individual with law enforcement agencies and CBP personnel in headquarters offices. Some case details are classified. Because some CBP officers at POEs have not been granted the necessary security clearance, they are unable to review important information about a watchlisted individual and may not be able to participate with law enforcement agencies in interviews of certain individuals.

To improve the effectiveness of CBP personnel in their mission to prevent known and suspected terrorists from entering the United States, we are recommending that CBP: expand a biometric information collection program to include volunteers who would not normally provide this information when entering the United States; authorize POE supervisors limited discretion to make more timely admissibility determinations; review port of entry staffing models to ensure the current workforce is able to perform the entire range of CBP mission; establish a policy for more consistent reporting to intelligence agencies the details gathered during secondary interviews; and ensure all counterterrorism personnel at POEs are granted an appropriate security clearance.

Posted on August 15, 2006 at 01:19 PM • 23 Comments • View Blog Reactions

Stealing Credit Card Information off Phone Lines

Here's a sophisticated credit card fraud ring that intercepted credit card authorization calls in Phuket, Thailand.

The fraudsters loaded this data onto MP3 players, which they sent to accomplices in neighbouring Malaysia. Cloned credit cards were manufactured in Malaysia and sent back to Thailand, where they were used to fraudulently purchase goods and services.

It's 2006 and those merchant terminals still don't encrypt their communications?

Posted on August 15, 2006 at 06:19 AM • 28 Comments • View Blog Reactions

Faux Disclosure

Good essay on "faux disclosure": disclosing a vulnerability without really disclosing it.

You've probably heard of full disclosure, the security philosophy that calls for making public all details of vulnerabilities. It has been the subject of debates among researchers, vendors, and security firms. But the story that grabbed most of the headlines at the Black Hat Briefings in Las Vegas last week was based on a different type of disclosure. For lack of a better name, I'll call it faux disclosure. Here's why.

Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch -- demonstrated an exploit that allowed them to install a rootkit on an Apple laptop in less than a minute. Well, sort of; they showed a video of it, and also noted that they'd used a third-party Wi-Fi card in the demo of the exploit, rather than the MacBook's internal Wi-Fi card. But they said that the exploit would work whether the third-party card -- which they declined to identify -- was inserted
in a Mac, Windows, or Linux laptop.

[...]

How is that for murky and non-transparent? The whole world is at risk -- if the exploit is real -- whenever the unidentified card is used. But they won't say which card, although many sources presume the card is based on the Atheros chipset, which Apple employs.

It gets worse. Brian Krebs of the Washington Post, who first reported on the exploit, updated his original story and has reported that Maynor said, "Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet."

That's part of what is meant by full disclosure these days -- giving the vendor a chance fix the vulnerability before letting the whole world know about it. That way, the thinking goes, the only people who get hurt by it are the people who get exploited by it. But damage to the responsible vendor's image is mitigated somewhat, and many in the security business seem to think that damage control is more important than anything that might happen to any of the vendor's customers.

Big deal. Publicly traded corporations like Apple and Microsoft and all the rest have been known to ignore ethics, morality, any consideration of right or wrong, or anything at all that might divert them from their ultimate goal: to maximize profits. Because of this,
some corporations only speak the truth when it is in their best interest. Otherwise, they lie or maintain silence.

Full disclosure is the only thing that forces vendors to fix security problems. The further we move away from full disclosure, the less incentive vendors have to fix problems and the more at-risk we all are.

Posted on August 14, 2006 at 01:41 PM • 47 Comments • View Blog Reactions

HSBC Insecurity Hype

The Guardian has the story:

One of Britain's biggest high street banks has left millions of online bank accounts exposed to potential fraud because of a glaring security loophole, the Guardian has learned.

The defect in HSBC's online banking system means that 3.1 million UK customers registered to use the service have been vulnerable to attack for at least two years. One computing expert called the lapse "scandalous".

The discovery was made by a group of researchers at Cardiff University, who found that anyone exploiting the flaw was guaranteed to be able to break into any account within nine attempts.

Sounds pretty bad.

But look at this:

The flaw, which is not being detailed by the Guardian, revolves around the way HSBC customers access their web-based banking service. Criminals using so-called "keyloggers" - readily available gadgets or viruses which record every keystroke made on a target computer - can easily deduce the data needed to gain unfettered access to accounts in just a few attempts.

So, the "scandalous" flaw is that an attacker who already has a keylogger installed on someone's computer can break into his HSBC account. Seems to me if an attacker has a keylogger installed on someone's computer, then he's got all sorts of security issues.

If this is the biggest flaw in HSBC's login authentication system, I think they're doing pretty good.

Posted on August 14, 2006 at 07:06 AM • 52 Comments • View Blog Reactions

Last Week's Terrorism Arrests

Hours-long waits in the security line. Ridiculous prohibitions on what you can carry onboard. Last week's foiling of a major terrorist plot and the subsequent airport security graphically illustrates the difference between effective security and security theater.

None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests. And they wouldn't have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn't have made a difference, either.

Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot.

The new airplane security measures focus on that plot, because authorities believe they have not captured everyone involved. It's reasonable to assume that a few lone plotters, knowing their compatriots are in jail and fearing their own arrest, would try to finish the job on their own. The authorities are not being public with the details -- much of the "explosive liquid" story doesn't hang together -- but the excessive security measures seem prudent.

But only temporarily. Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the rules, it's that focusing on tactics is a losing proposition.

It's easy to defend against what the terrorists planned last time, but it's shortsighted. If we spend billions fielding liquid-analysis machines in airports and the terrorists use solid explosives, we've wasted our money. If they target shopping malls, we've wasted our money. Focusing on tactics simply forces the terrorists to make a minor modification in their plans. There are too many targets -- stadiums, schools, theaters, churches, the long line of densely packed people before airport security -- and too many ways to kill people.

Security measures that require us to guess correctly don't work, because invariably we will guess wrong. It's not security, it's security theater: measures designed to make us feel safer but not actually safer.

Airport security is the last line of defense, and not a very good one at that. Sure, it'll catch the sloppy and the stupid -- and that's a good enough reason not to do away with it entirely -- but it won't catch a well-planned plot. We can't keep weapons out of prisons; we can't possibly keep them off airplanes.

The goal of a terrorist is to cause terror. Last week's arrests demonstrate how real security doesn't focus on possible terrorist tactics, but on the terrorists themselves. It's a victory for intelligence and investigation, and a dramatic demonstration of how investments in these areas pay off.

And if you want to know what you can do to help? Don't be terrorized. They terrorize more of us if they kill some of us, but the dead are beside the point. If we give in to fear, the terrorists achieve their goal even if they were arrested. If we refuse to be terrorized, then they lose -- even if their attacks succeed.

This op ed appeared today in the Minneapolis Star-Tribune.

EDITED TO ADD (8/13): The Department of Homeland Security declares an entire state of matter a security risk. And here's a good commentary on being scared.

Posted on August 13, 2006 at 08:15 AM • 131 Comments • View Blog Reactions

Getting Into the Terrorists' Heads

Funny cartoon.

Posted on August 12, 2006 at 03:09 PM • 23 Comments • View Blog Reactions

Friday Squid Blogging: Dr. Fun's Giant Squid

I'm going to miss Dr. Fun.

EDITED TO ADD (8/12): Another Dr. Fun squid cartoon.

EDITED TOADD (8/12): and another.

Posted on August 11, 2006 at 03:13 PM • 6 Comments • View Blog Reactions

Superman's Password

About a quarter of the way down on this page, you'll find a scan of a 1970s Superman comic in which a hacker kid breaks into the Fortress of Solitude's computer system, using what looks to be a TRS-80 Model III. Superman's password was "Kal-El": his Kryptonian name.

Posted on August 11, 2006 at 12:16 PM • 14 Comments • View Blog Reactions

DHS Report on US-VISIT and RFID

Department of Homeland Security, Office of the Inspector General, "Enhanced Security Controls Needed For US-VISIT's System Using RFID Technology (Redacted)," OIG-06-39, June 2006.

From the Executive Summary:

We audited the Department of Homeland Security (DHS) and select organizational components' security programs to evaluate the effectiveness of controls implemented on Radio Frequency Identification (RFID) systems. Systems employing RFID technology include a tag and reader on the front end and an application and database on the back end.

[...]

Overall, information security controls have been implemented to provide an effective level of security on the Automated Identification Management System (AIDMS). US-VISIT has implemented effective physical security controls over the RFID tags, readers, computer equipment, and database supporting the RFID system at the POEs visited. No personal information is stored on the tags used for US-VISIT. Travelers' personal information is maintained in and can be obtained only with access to the system's database. Additional security controls would need to be implemented if US-VISIT decides to store travelers' personal information on RFID-enabled forms or migrates to universally readable Generation 2 (Gen2) products.

Although these controls provide overall system security, US-VISIT has not properly configured its AIDMS database to ensure that data captured and stored is properly protected. Furthermore, while AIDMS is operating with an Authority to Operate, US-VISIT had not tested its contingency plan to ensure that critical operations could be restored in the event of a disruption. In addition, US-VISIT has not developed its own RFID policy or ensured that the standard operating procedures are properly distributed and followed at all POEs.

I wrote about US-VISIT in 2004 and again in 2006. In that second essay, I gave a price of $15B. I have since come to not believe that data, and I don't have any better information on the price. But I still think my analysis holds. I would much rather take the money spent on US-VISIT and spend it on intelligence and investigation, the kind of security that resulted in the U.K. arrests earlier this week and is likely to actually make us safer.

Posted on August 11, 2006 at 07:27 AM • 19 Comments • View Blog Reactions

Prison Shivs

A collection of 11 prison shivs confiscated over 20 years ago in New Jersey.

Think about these, and the adverse conditions they were made under, the next time you see someone's pocket knife being taken away from them at airport security. We can't keep weapons out of prisons; we can't possibly expect to keep them out of airports.

Posted on August 10, 2006 at 02:29 PM • 31 Comments • View Blog Reactions

New Airline Security Rules

The foiled UK terrorist plot has wreaked havoc with air travel in the country:

All short-haul inbound flights to Heathrow airport have been cancelled. Some flights in and out of Gatwick have been suspended.

Security has been increased at Channel ports and the Eurotunnel terminal.

German carrier Lufthansa has cancelled flights to Heathrow and the Spanish airline Iberia has stopped UK flights.

British Airways has announced it has cancelled all its short-haul flights to and from Heathrow for the rest of Thursday.

The airline added that it was also cancelling some domestic and short haul services in and out of Gatwick airport during the remainder of the day.

In addition, pretty much no carry-ons are allowed:

These measures will prevent passengers from carrying hand luggage into the cabin of an aircraft with the following exceptions (which must be placed in a plastic bag):

• Pocket size wallets and pocket size purses plus contents (for example money, credit cards, identity cards etc (not handbags);

• Travel documents essential for the journey (for example passports and travel tickets);

• Prescription medicines and medical items sufficient and essential for the flight (e.g. diabetic kit), except in liquid form unless verified as authentic;

• Spectacles and sunglasses, without cases;

• Contact lens holders, without bottles of solution;

• For those traveling with an infant: baby food, milk (the contents of each bottle must be tasted by the accompanying passenger);

• Sanitary items sufficient and essential for the flight (nappies, wipes, creams and nappy disposal bags);

• Female sanitary items sufficient and essential for the flight, if unboxed (e.g. tampons, pads, towels and wipes) tissues (unboxed) and/or handkerchiefs;

• Keys (but no electrical key fobs)

Across the Atlantic, the TSA has announced new security rules:

Passengers are not allowed to have gels or liquids of any kind at screening points or in the cabin of any airplane.

They said this includes beverages, food, suntan lotion, creams toothpaste, hair gel, or similar items. Those items must be packed into checked luggage. Beverages bought on the secure side of the checkpoint must be disposed of before boarding the plane.

There are several exceptions to the new rule. Baby formula, breast milk, or juice for small children, prescription medications where the name matched the name of a ticked passenger, as well as insulin and other essential health items may be brought onboard the plane.

See the TSA rules for more detail.

Given how little we know of the extent of the plot, these don't seem like ridiculous short-term measures. I'm sure glad I'm not flying anywhere this week.

EDITED TO ADD (8/10): Interesting analysis by Eric Rescorla.

Posted on August 10, 2006 at 07:40 AM • 258 Comments • View Blog Reactions

Doping in Professional Sports

The big news in professional bicycle racing is that Floyd Landis may be stripped of his Tour de France title because he tested positive for a banned performance-enhancing drug. Sidestepping the entire issue of whether professional athletes should be allowed to take performance-enhancing drugs, how dangerous those drugs are, and what constitutes a performance-enhancing drug in the first place, I'd like to talk about the security and economic issues surrounding the issue of doping in professional sports.

Drug testing is a security issue. Various sports federations around the world do their best to detect illegal doping, and players do their best to evade the tests. It's a classic security arms race: improvements in detection technologies lead to improvements in drug detection evasion, which in turn spur the development of better detection capabilities. Right now, it seems that the drugs are winning; in places, these drug tests are described