Schneier on Security

There are some entertaining stories of the same genre from the Manhattan Project, when one guy would be carrying materiel that was incredibly expensive to produce and completely irreplaceable, due to time constraints.

Some level of stealth is good. It's like steganography : hiding important data inside an unimportant flow of data. But this is for the real and physical world.

Now let's try to imagine what would happen if this guy got mugged in the airport toilets, or had a car accident. Or if the parcel was lost in the mail system for the diamond story.

It's simple : we would be the first ones to loudly criticize the incredible lack of security.

Commenting a posteriori about security - after the events took place and we already know if the strategy was a success or a failure - is quite easy.

This is no more security by obscurity than is a password protected access control. After all, all the bad guys need in order to get in is to know your password, right?

I call this "security by anonymity". The bad guys don't know they should be looking for you. It is highly effective, but has some sever practical limitations:
1. It cannot be relied on in any mass-market product.
2. It cannot be used too often

For example, whenever I have no choice but to leave my laptop in the car while I'm away, I always make sure I put it in the luggage compartment (where you cannot see from outside that it's there), and if at all possible, I try to do so prior to getting to where my car is parked.

Occasionally, that fails, however. I have more than one friend whose car was broken into for unrelated reasons, but once broken into, the thieves did look at the luggage compartment and did take the laptops. In other words, this is a method that is still effective, but if too frequently used will not be very effective.

Shachar

The question is, were there any attempts to steal the diamond?

And is this really "security through obscurity"? Couriers are a common sight. And doing this once is different than having this as a standard practice.

The only difference I see is the extreme value of the object being transported.

Now, if their standard practice for shipping valuable was to have it couriered in such a fashion, and just hope that no one ever blabs ... yeah, that would be security through obscurity.

many years ago, when I first started to fly on business, I was in the hotel getting ready to come home. nervous about my ticket, I kept taking it out of my bag (or wherever) to be sure I had it. somehow, the last time, I left it on the bed instead of putting it back in the bag, so at the airport I had to buy another one, nearly miss my flight, go through a hassle straightening out the money at work, and call myself an idiot at least 500 times. if I had been feigenbaum I'd have put the dime in my bag, a very small carryon (so as to not chance being forced to check it), and left it there...repetitive checking doesn't necessarily buy more security, and in his case it could have drawn attention where none was wanted.

I think it was probably a lot less secure than it should have been, soley by the fact that he was so nervous and was checking it the whole time. An observant crook can do behavioural profiling just as well as a TSA agent. The crook might not have known exactly what was valuable in the briefcase, but watching Feigenbaums behaviour would have convinced him that the briefcase was worth stealing.

Would have been easier/wiser to have it made/taped into a belt buckle, rather than in his pocket/case.

I don't recall ever hearing of a snatch-theft, or armed pro stealing a victims belt...
And belt buckles are 'normal' metal objects for airport security.

Agree with Bruce: SBO has it's place: e.g. passwords/phrases, asymetric crypto keys (RSA/EC etc).

Am I the only one that has a problem with how awfully this article is written?

Feigenbaum had purchased a coach ticket, to avoid suspicion, but found himself upgraded to first class. That was a worry, because people in flip-flops, T-shirts and grubby jeans do not regularly ride in first class. But it would have been more suspicious to decline a free upgrade. So Feigenbaum forced himself to sit in first class, where he found himself to be the only passenger in flip-flops.

Speaking as a regular flip-flop, t-shirt, jeans wearing user of first class - this makes it sound like he has never been on a plane before.

All across the country, Feigenbaum kept checking to make sure the dime was safe by reaching into his briefcase to feel for it. Feigenbaum did not actually take the dime out of his briefcase, as it is suspicious to stare at dimes.

The image I have of this guy is someone constantly looking around, nervous, declining all service, and poking at his briefcase ... in other words - acting very suspicious.

ugh ... i see "blockquotes" are filtered on this site. imagine the second and fourth paragraphs are indented...

Speaking as someone who has done transport and escort duties of this type in the past . . . what a putz.

You take the object of interest and make two different carriers of different colors. One is real; the other is a can't-tell-with-a-glance-fake. The principal carries the fake. The escort carries the real one. Or vice versa. Something like that. You immediately give up the fake if ambushed or attacked.

As for securing it in your pocket, you have a zippered pocket discreetly sewn into your pants, or a beltpack if that fits your jeans and T-shirt look. You do NOT carry a briefcase with flip flops and jeans.

Both of you stick together. This is miserable on a long flight, because that means you get to "hold it" until two adults entering a restroom together would not cause talk. The escorts are same-gender for obvious reasons.

There is another way to carry such a small object. You don't want the customer to ever find out how, though, as it involves saran wrap and an unlubricated condom. Plus more discomfort in using the facilities, if necessary.

Yes, that is security by obscurity.

But the fear was unfounded. I doubt anybody could have realised what this guy was transporting.

The only thing hinting at him doing something extraordinary was that he was nervous. So the fear on his part was not only unfounded, but less than clever (especially his constant checking if the coin was still there).

Not a good story.

I can only imagine the stress he was going through as he attempted to deliver the dime. I'm sure he was relieved when he got to NY. :)

brittle.

No layered defence, no chance of limiting damages or recovery.

That's bad, isn't it?

For the time that he was in the airport/airplane/airport, he was actually pretty safe. After all, just how twitchy are cops in airports?
Besides that, you've got a guy who knows he's carrying something special, so he'll be paying extra-special attention to foil pickpockets and other petty thieves while he's in the airports. In the air, he'll know for sure when someone comes near his dime, because really, how many people move around in an airplane once the doors are shut? At either end, he had a bodyguard waiting for him. The only thing he could have done differently was to wear a pair of chinos and a clean polo shirt-- look like the "all-American guy"-- which would have made him all but disappear in a crowded airport terminal more than "going ghetto" with flip-flops would have done. Indeed, if he was clean-cut/clean-shaven, dressing down would have looked out of place.
Should he have needed to, flip-flops are a bad choice for running and other similar evasive manouvering.

How did he get the dime through airport security without losing possession of it, at least temporarily?

How did he recognize the person he was to deliver it to in NY?

He is not who I'd choose to transport it, considering his nervous checking which makes him quite suspicious to both airline security and thieves.

What are the chances the diamond would get lost in the mail? I've lost things in the mail. You don't send something irreplaceable in the mail. I wouldn't even send only copies of family photos in the mail. Regardless of its use in avoiding thievery, it's a really good way to lose it altogether.

Just what *is* in all of those shipping containers at the Port of New York and/or the Port of Long Beach? Which one is full of copies of "Harry Potter" (printed in China) and which has priceless pottery? For that matter, speculate on what is *really* inside any given plain white truck. Timothy McVeigh used this to good effect, after all.

Security by obscurity is probably the most common form in the world.

I like this dime just because it doesn't say "God" on it.

This isn't security through obscurity. It's security through deception.

The former is the act of assuming that because your assets aren't public knowledge they are safe.

The latter is the use of deception to trick the attacker into thinking the assets aren't valuable.

This reminds me of a true story in the Swiss news a while back of someone who put a briefcase down on the floor whilst he was having a cup of coffee at the airport. The police who reported the story, said that the same briefcase which was subsequently stolen contained $70'000!

On second thoughts, this could be an insurance scam.

the title on the blog is a typo. the link says the coin is worth 1.9m not 1.4m

I've heard about this kind of security before, and it seems to me that criminals should be hanging around jewellry stores and alike and look for people in raggedy clothes exiting the stores... After all, people with those kind of clothes don't _usually_ go to places like that, so there's a big chance they're carrying something very valuable. ;)

Question: How hard/expensive is it to produce a perfect forgery of a rare coin? It always amazes me that rare coins can have such high values. It's just a piece of metal, without any special security features. Think about the thinking and technology that goes into making $100 bills hard to forge. An old dime has almost no security features - it didn't need them, because when minted, it contained nearly a dime's worth of silver. Suppose someone was willing to invest $1m in forging old dimes. Does anyone believe the task is impossible? If so, why?

This guy seems to have got very worked up over a mere $1.4 million. Once upon a time, that was serious money - back when a "millionaire" was a very, very rich person. Nowadays, thanks to inflation courtesy of your friendly democratic government, $1.4 million is enough to make someone comfortable. A 50/50 chance of losing it, admittedly, would make one sweat. The vanishingly small risk Feigenbaum took really didn't justify his nerves. But they do him credit nevertheless. "Eternal vigilance is the price of profitability".

Nostromo: it's not trivial to forge an old coin. In the case of valuable ones, at least, collectors are pretty sophisticated in their examination of microscopic features of the metal, the oxide layer, and so on. If a coin is old enough to have serious value, it'll probably cost you at least hundreds if not thousands of dollars to forge convincingly enough to sell; and bear in mind that valuable coins are by definition rare, and often unique; a $1.9 million coin certainly would be. So you can't sell very many of those before people start asking difficult questions. Even for the first one, you'll need a really good cover story for where it came from.

supersaurus and others who are concerned about his frequently checking the coin in his briefcase: once you're on board the plane and the plane is in the air, nobody not already on the plane is going to be able to rob you. So the threat of robbery at that point seems pretty far-fetched - there would have to be someone already on the plane who either already knows you're carrying the item, or could put go from "I notice that person is checking his briefcase frequently" through "Maybe he has something valuable in it that would also be valuable to me" to "I'll attack him now." (I suppose instead they could phone a confederate on the ground to organize an ambush at the destination, but that's also pretty far-fetched.) Lots of business travellers carry items like documents that are valuable to them and would be boring and worthless to almost anyone else, so I don't think "I'll attack him now" is a very likely reaction to a business traveller who frequently checks his briefcase. Accidental loss seems like a much more serious threat than robbery, during the time the plane is in the air.

"Question: How hard/expensive is it to produce a perfect forgery of a rare coin? It always amazes me that rare coins can have such high values. It's just a piece of metal, without any special security features. Think about the thinking and technology that goes into making $100 bills hard to forge. An old dime has almost no security features - it didn't need them, because when minted, it contained nearly a dime's worth of silver. Suppose someone was willing to invest $1m in forging old dimes. Does anyone believe the task is impossible? If so, why?"

There are two parts to the answer. One, it's surprisingly hard to forge one of these old coins. The amount of testing they're subject to is scarily impressive.

And two, rare things like these have pedigrees. If you show up with a new one, there are going to be all sorts of questions, and people will be suspicious.

This is not to say that it's impossible to forge small rarities, and there have been some spectacular scams in the currency and the art world. But it's not as easy as all that.

re: brittle

Yes, it's brittle. However, it is a good example of a time when security through obscurity works - one-off transactions.

The big benefit of security through obscurity is that it's cheap as hell. No fancy countermeasures, few if any highly trained personnel, etc. The secondary benefit is that you limit your attack surface by simply not *appearing* to be worthy of attack -> even if the courier in this case was mugged, who's going to bother to rifle the guy's pants for a dime when they can just grab his wallet and go?

The big disadvantage of security through obscurity, its brittleness, isn't that big of a disadvantage in one-off scenarios. If you're routinely transporting extremely valuable items using this method, somebody will get wise and hijack a shipment. But if you're doing this once, or once in a great while, the sheer infrequency of it means a lower profile is probably more effective than more rigorous controls.

He's *paranoid*. People wear jeans and flip flops in first class all the time. He had preconceived notions even before he got on the plane since he wanted to downgrade even before boarding.

Why was he the only one in first class wearing flip-flops? Because everyone else had the sense to take off the flip flops and put on the complimentary socks and slippers. Paranoia guarantees you see only what you want to see.

Good thing nobody tried to be nice to this guy, he probably would have thought it was a plot to steal the dime.

Security through Anonymity
Security through Deception

My analogy is that it is the courier equivalent of a one-time pad.

"Yes, it's brittle. However, it is a good example of a time when security through obscurity works - one-off transactions."

My step-grandfather, God rest his soul, used to tell the story of how he and his colleagues on Hatton Gardens - a street full of jewelers in London - would exchange consignments of valuable gems. They'd call the local high-security couriers, who'd arrive with all due pomp and circumstance and would carry out a locked chest, which would be appropriately delivered, and would contain nothing of value. At some point either before or after this, someone else would "pop out for lunch" with the real valuables stashed in a handkerchief in his pocket. Apparently they used this for most large transactions, regardless of whether the real courier was dropping the gems off at the business down the street or they had to go over to Holland to make the delivery.

I've often wondered how anyone ever managed to go out for a sandwich without getting mugged by a robber playing the odds.

> Suppose someone was willing to invest $1m in forging old dimes.

The problem is, there is a limit to how many times you can forge the same rare coin and have it still be worth anything. There are two ways to go. The obvious way is that you make new molds practically every time you make a coin. If you're going to do that, then you have to forge the really valuable ones, which are subject to a lot of scrutiny. If you only forge the semi-rare coins that are much easier to pass off, then you could make multiples from each mold, but then you have to find multiple buyers, preferably without anyone catching onto the fact that you have multiple identical coins to sell. These are not trivial concerns.

I think the thing more suspicious than him sitting in first class with flip-flops is someone wearing flip-flops and a tshirt walking around with a briefcase.

This is a bit like James Bond and Harry Potter. British Secret Service HQ is always visible, but unnoticed just like wizarding locations are ignored by muggles.

To put this in practice, you'd dress up your website to look like something innocuous. Bank of America's online banking site would look like "Aunt Suzy's recipe swapping blog", for example. Only if you hit the correct blog entry (April 1?) would you actually get to connect to your online transactions. I doubt this would help with security on the web, though. The effectiveness of this technique is the secrecy, which is blown out of the water when you have to share it with all 14 million customers and put it on the web for Google to find it and advertise it for you.

There is something to be said for it though. You don't have to label the external interface to your intranet "intranet" in public DNS, for example. You could call it "test" and put on a sample website that periodically changes, but have an unlinked, "hidden" website for your company's external intranet access.

I wouldn't call this security through obscurity, because you wouldn't rely on it to protect you. You'd use it as an added layer to lower the externally perceived target value of what would otherwise be seen as a valuable target. "Perceived Value Diminution?"

I'm glad they include a photo of the dealer. Now if I ever see him on red-eye flights to large cities I know who to mug...

Derf - MI6 headquarters is one of the most dramatic building in London - unless its a decoy...

http://www.dklphotography.co.uk/gallery/v/London-Photo-Gallery/MI6_Headquarters.jpg.html

My dad used to work for a large national jewelry chain. I was surprised to learn that shipments of stones, bands, and even finished pieces would often be sent via UPS from location to location, as well as to and from vendors.

Small boxes, brown paper wrapping. No insurance. ("Attracts too much attention, and is too expensive...")

I imagine that it would be difficult to rob someone on a plane and get away with it, anyway.

How would you do it?

My grandfather ran a grocery store on the edge of town in 50s to the 70s and stayed open until 10 PM. Each night he would take the cash and put it in a regular brown paper bag, put the evening's groceries on top of the money and walk out to his truck. He was never robbed, but the store was broken into many times and torn apart, presumably they were looking for a safe - of which there was none.

The back door of the store was broken into so many times that he eventually had to build one 3.5 inches thick out of stacked solid 3x4s clad with stainless. The walls were paper thin and could easily been punched through and a few brighter buglers did.

I once watched an armed security convoy set up outside a bank, police, army and a private security truck. Just before it left two bank employees came out and put a large metal box in the back of a small red mini which was also parked outside the bank. The convoy with the red car following it then left. I've always wondered was the cash in the truck or the car.

Remember those blue coin books you had as a kid? Fill one with dimes, some in the wrong slots. Bring a numismatic book too. Spend your time looking at them if you must. Anyone ask, it's a gift for your kid.

Tons of alternative that only work IF nobody knows about your game.

Some of the suggested alternative transport methods (belt, coin book, etc.) have ignored a point made at the beginning - the coin is (as with most validated excpetionally rare coins) encased in solid plastic - 3 inches square.

Given the required timetable, I agree that the best transport method was definitely by person, though. I once sent some documents Express Courier and two days later flew to the same destination - arriving a day before the documents.

Hmmm, on a tangent, I'm fleshing out the idea of a "counterfeiting sweetspot". We have an object worth $1.9M, which is NOT one of a kind, but a small known (non-complete) subset (9) of a small total possible number of samples (27). We also have many similar but not the same samples to copy from (same year, different mint, different close year, same mint, etc.). Imagine if a copy could be made worth the same amount. One could hire an engraver, a metallurgist, a numismatist, etc. (all of whom were willing to lift the veil of legality) and just make another one! One could probably melt down other similar coins to get the right alloy for that time in history. One could even imagine buying an antique from the same region and year just to get dust samples to add for just the right touch. As long as the personnel and material costs were much less than $1.9M, the endeavor would be profitable! A proper "random discovery" cover story of sufficient believability would be the final step. Hmmm, has this type of thing happened?
Of course all the usual precautions of compartmentalization of information, physical security, communications security, etc. would be essential to minimize the uncovering of the plot.

I bought the diamond for my wife's wedding ring from an Antwerp dealer who met up with me at a coffee shop in London, on one of his trips there, to show me a number of stones of the right size and quality. He was dressed in a three-piece suit, and was carrying a locked briefcase, in which I assumed he was carrying the diamonds. In fact they were stashed in small pockets sewn into the inside lining of his waistcoat. I don't know the total value of the diamonds in his waistcoat, but judging by some of the bigger stones he showed me that he had brought across for other people, I would be surprised if it was less than a couple of hundred thousand pounds. The only flaw in his security by obscurity was that it was a very hot summer's day, and he was the only person wearing a heavy three piece woollen suit.