Bruce Schneier

Schneier on Security
A blog covering security and security technology.

August 2007 Archives

Friday Squid Blogging: Squid Chowder

Put a big heavy pot on the stove and get some heat under it. Fry up the bacon until it starts to get crispy. Toss in the onions. Stir around until they start to get soft. Pile in the potatoes. Pour in two cans of vegetable broth. Stir. Toss in the squid, the bay leaves and the other seasonings. Cook over medium heat, stirring now and then, until the squid is past the rubber band phase (about half an hour), then another ten minutes. About this time the skin will probably be coming off of the potato pieces. (I never peel potatoes.) Pour in the milk and the evaporated milk. Medium low heat, stir occasionally until it is almost boiling. Extricate the bay leaves. Put the lid on the pot. Turn off the heat. Wait 15 minutes or until you can't stand it any more. Ladle into bowls. Eat.

Posted on August 31, 2007 at 04:44 PM • 10 Comments

Trends in Physical Security

Anyone have any ideas?

Posted on August 31, 2007 at 12:01 PM • 45 Comments

Computer Forensics Case Study

This is a report on the presentation of computer forensic evidence in a UK trial. There are three things that concern me here:
In general, computer forensics is rather ad hoc. Traditional rules of evidence are broken all the time. But this seems like a pretty egregious example.

Posted on August 31, 2007 at 06:13 AM • 45 Comments

Australian Porn Filter Cracked

The headline is all you need to know: Teen cracks AU$84 million porn filter in 30 minutes

(AU$84 million is $69.5 million U.S.; that's real money.)

Remember that the issue isn't that one smart kid can circumvent the censorship software, it's that one smart kid -- maybe this one, maybe another one -- can write a piece of shareware that allows everyone to circumvent the censorship software. It's the same with DRM; technical measures just aren't going to work.

Posted on August 30, 2007 at 12:50 PM • 35 Comments

Entering Passwords Through Eye Movement

Reducing Shoulder-surfing by Using Gaze-based Password Entry

Posted on August 30, 2007 at 06:12 AM • 25 Comments

Technical Details on the FBI's Wiretapping Network

There's a must-read article on Wired.com about DCSNet (Digital Collection System Network), the FBI's high-tech point-and-click domestic wiretapping network. The information is based on nearly 1,000 pages of documentation released under FOIA to the EFF.

Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans.

Much, much more in the article. (And much chatter on this Slashdot thread.)

EDITED TO ADD (8/31): Commentary by Matt Blaze and Steve Bellovin.
Posted on August 29, 2007 at 11:39 AM • 26 Comments

Thieves Steal Drug-Sniffing Dog

Okay; this is clever:

Rex IV, a highly trained Belgian Malinois sheepdog with a string of drug hauls behind him, was checked on to a flight from Mexico City this week with seven other police dogs bound for an operation in the northern state of Sinaloa.

Whatever drug lord ordered that hit probably saved himself a whole lot of grief.

EDITED TO ADD (8/29): The dog was found in a park:

Working on a tip, federal police found Rex IV -- a highly trained Belgian Malinois sheepdog with a string of drug hauls to its name -- tied to a tree in a park in the gritty Iztapalapa neighborhood, a Public Security Ministry spokesman said.

Why didn't they just slit the dog's throat? I take it back: not so clever.

Posted on August 29, 2007 at 06:59 AM • 54 Comments

New German Hacking Law

There has been much written about the new German hacker-tool law, which went into effect earlier this month. Dark Reading has the most interesting speculation:

Many security people say the law is so flawed and so broad that no one can really comply with it. "In essence, the way the laws are phrased now, there is no way to ever comply... even as a non-security company," says researcher Halvar Flake, a.k.a. Thomas Dullien, CEO and head of research at Sabre Security.

Posted on August 28, 2007 at 01:32 PM • 51 Comments

Mission Creep at Counterterrorism "Fusion Centers"

Fusion centers are state-run, with funding help from the Department of Homeland Security. It's all sort of ad hoc, but their purpose is to "fuse" federal, state, and local intelligence against terrorism. But -- no surprise -- they're not doing much actual fusion, and they're more commonly used for other purposes.
From a Congressional Research Service report dated June 6, 2007:

Fusion centers are state-created entities largely financed and staffed by the states, and there is no one "model" for how a center should be structured. State and local law enforcement and criminal intelligence seem to be at the core of many of the centers. Although many of the centers initially had purely counterterrorism goals, for numerous reasons, they have increasingly gravitated toward an all-crimes and even broader all-hazards approach. While many of the centers have prevention of attacks as a high priority, little "true fusion," or analysis of disparate data sources, identification of intelligence gaps, and pro-active collection of intelligence against those gaps which could contribute to prevention is occurring. Some centers are collocated with local offices of federal entities, yet in the absence of a functioning intelligence cycle process, collocation alone does not constitute fusion.

Honestly, the report itself is kind of boring, even for this sort of thing. There's an interesting section on proactive vs. reactive security (p. 25):

Most fusion centers respond to incoming requests, suspicious activity reports, and/or finished information/intelligence products. This approach largely relies on data points or analysis that are already identified as potentially problematic. As mentioned above, it could be argued that this approach will only identify unsophisticated criminals and terrorists. The 2007 Fort Dix plot may serve as a good example -- would law enforcement have ever become aware of this plot if the would-be perpetrators hadn't taken their jihad video to a video store to have it copied?
While state homeland security and law enforcement officials appear to have reacted quickly and passed the information to the FBI, would they have ever been able to find would-be terrorists within their midst if those individuals avoided activities, criminal or otherwise, that might bring to light their plot?

Here's another article on the topic.

Posted on August 28, 2007 at 06:30 AM • 13 Comments

Stupidest Terrorist Overreaction Yet?

What? Are the police taking stupid pills?

Two people who sprinkled flour in a parking lot to mark a trail for their offbeat running club inadvertently caused a bioterrorism scare and now face a felony charge.

The competition is fierce, but I think this is a winner.

What bothers me most about the news coverage is that there isn't even a suggestion that the authorities' response might have been out of line.

Mayoral spokeswoman Jessica Mayorga said the city plans to seek restitution from the Salchows, who are due in court Sept. 14.

Translation: We screwed up, and we want someone to pay for our mistake.

Posted on August 27, 2007 at 02:34 PM • 125 Comments

Padlocked Flash Drive

Clever idea. Only five buttons, a maximum of ten digits for the PIN, and almost certainly a gazillion ways to get around the padlock function once you pry the case open -- but definitely on the right track.

Posted on August 27, 2007 at 10:08 AM • 44 Comments

Friday Squid Blogging: Kinetic Squid Sculpture

Instructions and video for building a giant squid kinetic sculpture. More pictures here.

Posted on August 24, 2007 at 03:37 PM • 3 Comments

Profile on Schneier in the City Pages

The Minneapolis City Pages published a nice profile on me this week.

Posted on August 24, 2007 at 01:38 PM • 14 Comments

Drug Testing an Entire Community

You won't identify individual users, but you can test for the prevalence of drug use in a community by testing the sewage water.
Presumably, if you push the sample high enough into the pipe, you can test groups of houses or even individual houses.

EDITED TO ADD (7/13): Here's information on drug numbers in the Rhine. They estimated that, for a population of 38.5 million feeding wastewater into the Rhine down to Düsseldorf, cocaine use amounts to 11 metric tonnes per year. Street value: 1.64 billion Euros.

Posted on August 24, 2007 at 12:35 PM • 42 Comments

Interview with National Intelligence Director Mike McConnell

Mike McConnell, U.S. National Intelligence Director, gave an interesting interview to the El Paso Times. I don't think he's ever been so candid before. For example, he admitted that the nation's telcos assisted the NSA in their massive eavesdropping efforts. We already knew this, of course, but the government has steadfastly maintained that either confirming or denying this would compromise national security.

There are, of course, moments of surreality. He said that it takes 200 hours to prepare a FISA warrant. Ryan Singel calculated that since there were 2,167 such warrants in 2006, there must be "218 government employees with top secret clearances sitting in rooms, writing only FISA warrants." Seems unlikely.

But most notable is this bit:

Q. So you're saying that the reporting and the debate in Congress means that some Americans are going to die?

Ah, the politics of fear. I don't care if it's the terrorists or the politicians, refuse to be terrorized.

(More interesting discussions on the interview here, here, here, here, here, and here.)

Posted on August 24, 2007 at 06:30 AM • 41 Comments

"Cyberwar" in Estonia

I had been thinking about writing about the massive distributed-denial-of-service attack against the Estonian government last April. It's been called the first cyberwar, although it is unclear that the Russian government was behind the attacks.
And while I've written about cyberwar in general, I haven't really addressed the Estonian attacks. Now I don't have to. Kevin Poulsen has written an excellent article on both the reality and the hype surrounding the attacks on Estonia's networks, commenting on a story in the magazine Wired:

Writer Joshua Davis was dispatched to the smoking ruins of Estonia to assess the damage wrought by last spring's DDoS attacks against the country's web, e-mail and DNS servers. Josh is a talented writer, and he returned with a story that offers some genuine insights -- a few, though, are likely unintentional.

Read the whole thing.

Posted on August 23, 2007 at 01:18 PM • 15 Comments

First Responders

I live in Minneapolis, so the collapse of the Interstate 35W bridge over the Mississippi River earlier this month hit close to home, and was covered in both my local and national news. Much of the initial coverage consisted of human interest stories, centered on the victims of the disaster and the incredible bravery shown by first responders: the policemen, firefighters, EMTs, divers, National Guard soldiers and even ordinary people, who all risked their lives to save others. (Just two weeks later, three rescue workers died in their almost-certainly futile attempt to save six miners in Utah.)

Perhaps the most amazing aspect of these stories is that there's nothing particularly amazing about it. No matter what the disaster -- hurricane, earthquake, terrorist attack -- the nation's first responders get to the scene soon after.

Which is why it's such a crime when these people can't communicate with each other. Historically, police departments, fire departments and ambulance drivers have all had their own independent communications equipment, so when there's a disaster that involves them all, they can't communicate with each other.
A 1996 government report said this about the first World Trade Center bombing in 1993: "Rescuing victims of the World Trade Center bombing, who were caught between floors, was hindered when police officers could not communicate with firefighters on the very next floor."

And we all know that police and firefighters had the same problem on 9/11. You can read details in firefighter Dennis Smith's book and 9/11 Commission testimony. The 9/11 Commission Report discusses this as well: Chapter 9 talks about the first responders' communications problems, and commission recommendations for improving emergency-response communications are included in Chapter 12 (pp. 396-397).

In some cities, this communication gap is beginning to close. Homeland Security money has flowed into communities around the country. And while some wasted it on measures like cameras, armed robots and things having nothing to do with terrorism, others spent it on interoperable communications capabilities. Minnesota did that in 2004.

It worked. Hennepin County Sheriff Rich Stanek told the St. Paul Pioneer-Press that lives were saved by disaster planning that had been fine-tuned and improved with lessons learned from 9/11:

"We have a unified command system now where everyone -- police, fire, the sheriff's office, doctors, coroners, local and state and federal officials -- operate under one voice," said Stanek, who is in charge of water recovery efforts at the collapse site.

Others weren't so lucky. Louisiana's first responders had catastrophic communications problems in 2005, after Hurricane Katrina. According to National Defense Magazine:

Police could not talk to firefighters and emergency medical teams. Helicopter and boat rescuers had to wave signs and follow one another to survivors. Sometimes, police and other first responders were out of touch with comrades a few blocks away. National Guard relay runners scurried about with scribbled messages as they did during the Civil War.
A congressional report on preparedness and response to Katrina said much the same thing.

In 2004, the U.S. Conference of Mayors issued a report on communications interoperability. In 25 percent of the 192 cities surveyed, the police couldn't communicate with the fire department. In 80 percent of cities, municipal authorities couldn't communicate with the FBI, FEMA and other federal agencies.

The source of the problem is a basic economic one, called the collective action problem. A collective action is one that needs the coordinated effort of several entities in order to succeed. The problem arises when each individual entity's needs diverge from the collective needs, and there is no mechanism to ensure that those individual needs are sacrificed in favor of the collective need.

Jerry Brito of George Mason University shows how this applies to first-responder communications. Each of the nation's 50,000 or so emergency-response organizations -- local police department, local fire department, etc. -- buys its own communications equipment. As you'd expect, they buy equipment as closely suited to their needs as they can. Ensuring interoperability with other organizations' equipment benefits the common good, but sacrificing their unique needs for that compatibility may not be in the best immediate interest of any of those organizations. There's no central directive to ensure interoperability, so there ends up being none.

This is an area where the federal government can step in and do good. Too much of the money spent on terrorism defense has been overly specific: effective only if the terrorists attack a particular target or use a particular tactic. Money spent on emergency response is different: It's effective regardless of what the terrorists plan, and it's also effective in the wake of natural or infrastructure disasters.
No particular disaster, whether intentional or accidental, is common enough to justify spending a lot of money on preparedness for a specific emergency. But spending money on preparedness in general will pay off again and again.

This essay originally appeared on Wired.com.

EDITED TO ADD (7/13): More research.

Posted on August 23, 2007 at 03:23 AM • 46 Comments

Perceptions of Risk

Another article about risk perception, and why we worry about the wrong things:

Newsrooms are full of English majors who acknowledge that they are not good at math, but still rush to make confident pronouncements about a global-warming "crisis" and the coming of bird flu.

Much of what's written here I've said previously, and it echoes this article from Time Magazine (and also this great op-ed from the Los Angeles Times).

EDITED TO ADD (7/13): A great graphic.

Posted on August 22, 2007 at 01:43 PM • 69 Comments

Identification Technology in Personal-Use Tasers

Taser -- yep, that's the company's name as well as the product's name -- is now selling a personal-use version of their product. It's called the Taser C2, and it has an interesting embedded identification technology. Whenever the weapon is fired, it also sprays some serial-number bar-coded confetti, so a firing can be traced to a weapon and -- presumably -- the owner.

Anti-Felon Identification (AFID)

Posted on August 22, 2007 at 06:57 AM • 47 Comments

"Safe Bedside Table"

More security furniture: yikes!

Posted on August 21, 2007 at 01:55 PM • 55 Comments

Another E-Voting Problem: Not-Secret Ballots

Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes.
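What those two documents give away when put side by side, as an added example that is not part of the original post. The sign-in log and ballot log below are constructed sample data with hypothetical names and times, not real Ohio records; each list is harmless on its own, and the join key is nothing more than position in time order. The second function shows the release format that would have kept the tally auditable without making ballots linkable.

```python
"""Linkage attack on two separately released election records.

Added example, not from the original post. The two documents described in the
post (a list of voters in sign-in order and a time-stamped list of ballots) are
modelled with constructed sample data; nothing here is a real Ohio record.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    seq: int        # position in the poll book: 1 = first voter of the day
    voter: str


@dataclass(frozen=True)
class Ballot:
    timestamp: str  # HH:MM:SS as printed on the machine's event log
    choice: str


# Constructed sample records (hypothetical names and times), given out of
# order on purpose: the attack sorts both lists itself.
SIGN_IN_LOG = [
    SignIn(3, "C. Chen"),
    SignIn(1, "A. Alvarez"),
    SignIn(4, "D. Diaz"),
    SignIn(2, "B. Baker"),
]
BALLOT_LOG = [
    Ballot("07:09:02", "Yes"),
    Ballot("07:02:11", "Yes"),
    Ballot("07:06:30", "No"),
    Ballot("07:05:48", "No"),
]


def link_records(sign_ins, ballots):
    """Put both lists into time order and merge them row by row.

    One list says who voted, the other says what was voted; position is the
    join key. Returns {voter: choice}.
    """
    if len(sign_ins) != len(ballots):
        raise ValueError("records cover different numbers of voters")
    voters = [s.voter for s in sorted(sign_ins, key=lambda s: s.seq)]
    cast = [b.choice for b in sorted(ballots, key=lambda b: b.timestamp)]
    return dict(zip(voters, cast))


def release_ballots_unlinkable(ballots, rng=None):
    """Mitigation: strip timestamps and shuffle before release.

    The count of each choice is unchanged, so the tally can still be checked,
    but position no longer says anything about who cast which ballot.
    """
    choices = [b.choice for b in ballots]
    (rng or random.Random()).shuffle(choices)
    return choices


def tally(choices):
    """Count ballots per choice from a released (timestamp-free) list."""
    counts = {}
    for c in choices:
        counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    print("linked:", link_records(SIGN_IN_LOG, BALLOT_LOG))
    released = release_ballots_unlinkable(BALLOT_LOG)
    print("safe release:", released)
    print("tally:", tally(released))
```

The attack needs no skill beyond sorting; whatever the election office intended, publishing a time-ordered vote record next to a time-ordered poll book is publishing the ballot. The mitigated release keeps the per-precinct count auditable but has to be shuffled with a source the office does not log, or the shuffle itself becomes a third linkable record.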
"We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio. EDITED TO ADD (9/13): Commentary by Ed Felton. Posted on August 21, 2007 at 07:01 AM • 56 Comments • View Blog Reactions Code Talking for the DumbA 29-year-old man was taped using the code language Pig Latin to organise reprisal gangs the day after the Cronulla riots, a Sydney court heard today. Yep, Pig Latin. Posted on August 20, 2007 at 03:48 PM • 17 Comments • View Blog Reactions U.S. Government Threatens Retaliation Against States who Reject REAL IDREAL ID is the U.S. government plan to impose uniform regulations on state driver's licenses. It's a national ID card, in all but cosmetic form. (Here is my essay on the security costs and benefits. These two sites are also good resources.) Most states hate it: 17 have passed legislation rejecting REAL ID, and many others have such legislation somewhere in process. Now it looks like the federal government is upping the ante, and threatening retaliation against those states that don't implement REAL ID: The cards would be mandatory for all "federal purposes," which include boarding an airplane or walking into a federal building, nuclear facility or national park, Homeland Security Secretary Michael Chertoff told the National Conference of State Legislatures last week. Citizens in states that don't comply with the new rules will have to use passports for federal purposes. This sounds tough, but it's a lot of bluster. The states that have passed anti-REAL-ID legislation lean both Republican and Democrat. The federal government just can't say that citizens of -- for example -- Georgia (which passed a bill in May authorizing the Governor to delay implementation of REAL ID) can't walk into a federal courthouse without a passport. 
Or can't board an airplane without a passport -- imagine the lobbying by Delta Airlines here. They just can't.

Posted on August 20, 2007 at 06:01 AM • 90 Comments

DefCon Badge Auction

I am auctioning my DefCon speaker badge on eBay. The curious phrasing -- "upon completion of this auction, Schneier will donate an amount equal to the purchase price to the Electronic Privacy Information Center" -- is because eBay has complex rules for charity auctions. So, technically, I am not donating the proceeds of the auction; I am donating a completely different pile of money equal to the proceeds of the auction.

EDITED TO ADD (8/22): Sold for $335. Thank you all.

Posted on August 18, 2007 at 10:57 AM • 18 Comments

Friday Squid Blogging: The Word of the Day is "Squid"

At least it was on August 13:

"NBC Nightly News" anchor Brian Williams had a cameo on "Sesame Street" today, introducing the word of the day, which was "squid." Just in case there was any confusion, he said the word "squid" 19 times. Squid squid squid squid squid!

There's video at that link, too. You can watch him ending his report with the words: "Good day, and good squid."

Another link.

Posted on August 17, 2007 at 03:52 PM • 6 Comments

On the Ineffectiveness of Security Cameras

Information from San Francisco public housing developments:

The 178 video cameras that keep watch on San Francisco public housing developments have never helped police officers arrest a homicide suspect even though about a quarter of the city's homicides occur on or near public housing property, city officials say.

That's not a scarecrow effect. A scarecrow is security theater that works: something that doesn't actually prevent crime, but deters it by scaring off criminals. Mirkarimi is saying that they have the opposite effect; the cameras make victims feel safer than they really are.
Posted on August 17, 2007 at 01:25 PM • 30 Comments

Wholesale Automobile Surveillance Comes to New York City

New York is installing an automatic toll-collection system for cars in the busiest parts of the city. It's called congestion pricing, and it promises to reduce both traffic and pollution. The problem is that it keeps an audit log of which cars are driving where.

London's congestion pricing system is already being used for counterterrorism purposes -- and now for regular crime as well. The EZPass automatic toll collection system, used in New York and other places, has been used to prove infidelity in divorce court.

There are good reasons for having this system, but I am worried about another wholesale surveillance tool.

EDITED TO ADD (9/4): EZPass records have been used in criminal court as well.

Posted on August 17, 2007 at 06:48 AM • 25 Comments

How a Linux Server Gets Turned into a Zombie

A very techie forensic analysis, but interesting.

Posted on August 16, 2007 at 01:34 PM • 52 Comments

Vague Threat Prompts Overreaction

It reads like a hoax:

The Police Department set up checkpoints yesterday in Lower Manhattan and increased security after learning of a vague threat of a radiological attack here.

Occasionally right? Which U.S. terrorist attack did it predict? Come on, people: refuse to be terrorized.

Posted on August 16, 2007 at 06:04 AM • 39 Comments

How to Make a Taser Out of a Cheap Camera

Instructions here. Don't tell the TSA, or they'll ban cheap cameras.

EDITED TO ADD (7/13): There are new links.

Posted on August 15, 2007 at 03:58 PM • 37 Comments

How to Escape from Plastic Police Handcuffs

Posted on August 15, 2007 at 12:28 PM • 21 Comments

Security Theater

Nice article on security theater from Government Executive:

John Mueller suspects he might have become cable news programs' go-to foil on terrorism.
The author of Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them (Free Press, 2006) thinks America has overreacted. The greatly exaggerated threat of terrorism, he says, has cost the country far more than terrorist attacks ever did.

Lots more in the article.

Posted on August 15, 2007 at 06:18 AM • 42 Comments

Designing for Security

Interesting article on security-aware consumer items. I especially liked the chair design with a place to hang a purse. Seems like a better idea than the "Chelsea clip."

Posted on August 14, 2007 at 02:25 PM • 24 Comments

Phishing Studies

Two studies. The first one looks at social phishing:

Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject's social network. The message body was comprised of the phrase "hey, check this out!" along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.

Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends. And we all know that some men are suckers for what women tell them.

Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random.
From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone's credit-card number. You'll only be right one in ten thousand times, but if you send enough e-mails that might be enough.

EDITED TO ADD (8/14): Math typo fixed.

Posted on August 14, 2007 at 11:45 AM • 37 Comments

Conspiracy Theories

Fascinating New Scientist article (for subscribers only, but there's a copy here) on conspiracy theories, and why we believe them:

So what kind of thought processes contribute to belief in conspiracy theories? A study I carried out in 2002 explored a way of thinking sometimes called "major event - major cause" reasoning. Essentially, people often assume that an event with substantial, significant or wide-ranging consequences is likely to have been caused by something substantial, significant or wide-ranging.

Lots of good stuff in the article, including instructions on how to create your own conspiracy theory.

Posted on August 14, 2007 at 06:17 AM • 50 Comments

Bulletproof Backpacks for Schoolchildren

We've seen calls for transparent backpacks. Here's a call for bulletproof backpacks, which -- I presume -- go hand in hand with bulletproof textbooks.

With this kind of thinking, we'll have the school shooting problem licked in no time!

Posted on August 13, 2007 at 03:13 PM • 55 Comments

Paid Informants in Muslim Communities

This is a good article about the use of paid informants in Muslim communities, and how they are both creating potential terrorists where none existed before and sowing mistrust among people.
Defense lawyers in a number of other terrorism suspect cases accused informants of solely seeking financial boon by creating so-called terrorists that did not exist.

Posted on August 13, 2007 at 12:50 PM • 29 Comments

House of Lords on Computer Security

The Science and Technology Committee of the UK House of Lords has issued a report (pdf here) on "Personal Internet Security." It's 121 pages long. Richard Clayton, who helped the committee, has a good summary of the report on his blog. Among other things, the Lords recommend various consumer notification standards, a data-breach disclosure law, and a liability regime for software.

Another summary lists:
If that sounds like a lot of the things I've been saying for years, there's a reason for that. Earlier this year, I testified before the committee (transcript here), where I recommended some of these things. (Sadly, I didn't get to wear a powdered wig.)

This report is a long way from anything even closely resembling a law, but it's a start. Clayton writes:

The Select Committee reports are the result of in-depth study of particular topics, by people who reached the top of their professions (who are therefore quick learners, even if they start by knowing little of the topic), and their careful reasoning and endorsement of convincing expert views carries considerable weight. The Government is obliged to formally respond, and there will, at some point, be a few hours of debate on the report in the House of Lords.

If you're interested, the entire body of evidence the committee considered is here (pdf version here). I don't recommend reading it; it's absolutely huge, and a lot of it is corporate drivel.

EDITED TO ADD (8/13): I have written about software liabilities before, here and here.

EDITED TO ADD (8/22): Good article here:

They agreed 'wholeheartedly' with security guru, and successful author, Bruce Schneier, that the activities of 'legitimate researchers' trying to 'break things to learn to think like the bad guys' should not be criminalized in forthcoming UK legislation, and they supported the pressing need for a data breach reporting law; in drafting such a law, the UK government could learn from lessons learnt in the US states that have such laws. Such a law should cover the banks, and other sectors, and not simply apply to "communication providers" -- a proposal presently under consideration by the EU Commission, which the peers clearly believed would be ineffective in creating incentives to improve security across the board.
Posted on August 13, 2007 at 06:35 AM • 21 Comments

Friday Squid Blogging: Pretty Squid

Histioteuthis heteropsis, from the other Friday squid blogging.

Posted on August 10, 2007 at 04:47 PM • 3 Comments

Friday Squid Blogging: Fisherman Inked

Wow. I must remember never to piss a squid off.

Posted on August 10, 2007 at 03:35 PM • 7 Comments

Security Problem Excuse Bingo

Very funny, from Matt Blaze and Jutta Degener.

Posted on August 10, 2007 at 01:58 PM • 11 Comments

Airport Security Breach

One of the problems with airport security checkpoints is that the system is a single point of failure. If someone slips through, the only way to regain security is for the entire airport to be emptied and everyone searched again. This happens rarely, but when it does, it can close an airport for hours.

It happened today at the Charlotte airport. One sentence struck me:

Passengers on another 15 planes that took off after the breach will have to go through screening again when they reach their destinations, the TSA said.

It's understandable why the TSA would want to screen everybody once someone evades security: that person could give his contraband to someone else. And since the entire airport system is a single secure area -- once you go through security at one airport, you are considered to be inside security at all airports -- it makes sense for those passengers to be screened if they're changing planes. But it must feel weird to have to go through screening after flying, before being able to leave the airport.

Posted on August 10, 2007 at 11:12 AM • 37 Comments

Police Data Mining Done Right

It's nice to find an example of the police using data mining correctly: not as security theater, but more as a business-intelligence tool:

When Munroe took over as chief two years ago, his department was drowning in crime and data.
Police had a mass of data from 911 calls and crime reports; what they didn’t have was a way to connect the dots and see a pattern of behaviour. Posted on August 10, 2007 at 06:51 AM • 35 Comments • View Blog Reactions The New U.S. Wiretapping Law and SecurityLast week, Congress gave President Bush new wiretapping powers. I was going to write an essay on the security implications of this, but Susan Landau beat me to it: To avoid wiretapping every communication, NSA will need to build massive automatic surveillance capabilities into telephone switches. Here things get tricky: Once such infrastructure is in place, others could use it to intercept communications. More about the Greek wiretapping scandal. And I would be remiss if I didn't mention the excellent book by Whitfield Diffie and Susan Landau on the subject: Privacy on the Line: The Politics of Wiretapping and Encryption. Posted on August 09, 2007 at 03:29 PM • 46 Comments • View Blog Reactions New York Times Movie-Plot Threat ContestMy contest idea (first and second) has gone mainstream: Hearing about these rules got me thinking about what I would do to maximize terror if I were a terrorist with limited resources. I’d start by thinking about what really inspires fear. One thing that scares people is the thought that they could be a victim of an attack. With that in mind, I’d want to do something that everybody thinks might be directed at them, even if the individual probability of harm is very low. Humans tend to overestimate small probabilities, so the fear generated by an act of terrorism is greatly disproportionate to the actual risk. Far more interesting than the suggested attacks are the commenters who accuse him of helping the terrorists. Not that I'm surprised; there were people who accused me of helping the terrorists. But while it's one thing for this kind of thing to happen in my blog, it's another for it to happen in a mainstream blog on The New York Times website. 
EDITED TO ADD (8/9): Sadly, he had to explain himself.

Posted on August 09, 2007 at 12:48 PM • 29 Comments

Assurance

Over the past several months, the state of California conducted the most comprehensive security review yet of electronic voting machines. People I consider to be security experts analyzed machines from three different manufacturers, performing both a red-team attack analysis and a detailed source code review. Serious flaws were discovered in all machines and, as a result, the machines were all decertified for use in California elections.

The reports are worth reading, as is much of the blog commentary on the topic. The reviewers were given an unrealistic timetable and had trouble getting needed documentation. The fact that major security vulnerabilities were found in all machines is a testament to how poorly they were designed, not to the thoroughness of the analysis.

Yet California Secretary of State Debra Bowen has conditionally recertified the machines for use, as long as the makers fix the discovered vulnerabilities and adhere to a lengthy list of security requirements designed to limit future security breaches and failures.

While this is a good effort, it has security completely backward. It begins with a presumption of security: If there are no known vulnerabilities, the system must be secure. If there is a vulnerability, then once it's fixed, the system is again secure. How anyone comes to this presumption is a mystery to me. Is there any version of any operating system anywhere where the last security bug was found and fixed? Is there a major piece of software anywhere that has been, and continues to be, vulnerability-free? Yet again and again we react with surprise when a system has a vulnerability.
Last weekend at the hacker convention DefCon, I saw new attacks against supervisory control and data acquisition (SCADA) systems -- those are embedded control systems found in infrastructure systems like fuel pipelines and power transmission facilities -- electronic badge-entry systems, MySpace, and the high-security locks used in places like the White House. I will guarantee you that the manufacturers of these systems all claimed they were secure, and that their customers believed them.

Earlier this month, the government disclosed that the computer system of the US-Visit border control system is full of security holes. Weaknesses existed in all control areas and computing device types reviewed, the report said. How exactly is this different from any large government database? I'm not surprised that the system is so insecure; I'm surprised that anyone is surprised.

We've been assured again and again that RFID passports are secure. When researcher Lukas Grunwald successfully cloned one last year at DefCon, we were told there was little risk. This year, Grunwald revealed that he could use a cloned passport chip to sabotage passport readers. Government officials are again downplaying the significance of this result, although Grunwald speculates that this or another similar vulnerability could be used to take over passport readers and force them to accept fraudulent passports. Anyone care to guess who's more likely to be right?

It's all backward. Insecurity is the norm. If any system -- whether a voting machine, operating system, database, badge-entry system, RFID passport system, etc. -- is ever built completely vulnerability-free, it'll be the first time in the history of mankind. It's not a good bet.

Once you stop thinking about security backward, you immediately understand why the current software security paradigm of patching doesn't make us any more secure. If vulnerabilities are so common, finding a few doesn't materially reduce the quantity remaining.
A system with 100 patched vulnerabilities isn't more secure than a system with 10, nor is it less secure. A patched buffer overflow doesn't mean that there's one less way attackers can get into your system; it means that your design process was so lousy that it permitted buffer overflows, and there are probably thousands more lurking in your code.

Diebold Election Systems has patched a certain vulnerability in its voting-machine software twice, and each patch contained another vulnerability. Don't tell me it's my job to find another vulnerability in the third patch; it's Diebold's job to convince me it has finally learned how to patch vulnerabilities properly.

Several years ago, former National Security Agency technical director Brian Snow began talking about the concept of "assurance" in security. Snow, who spent 35 years at the NSA building systems at security levels far higher than anything the commercial world deals with, told audiences that the agency couldn't use modern commercial systems with their backward security thinking. Assurance was his antidote:

Assurances are confidence-building activities demonstrating that:

Basically, demonstrate that your system is secure, because I'm just not going to believe you otherwise.

Assurance is less about developing new security techniques than about using the ones we have. It's all the things described in books like Building Secure Software, Software Security and Writing Secure Code. It's some of what Microsoft is trying to do with its Security Development Lifecycle (SDL). It's the Department of Homeland Security's Build Security In program. It's what every aircraft manufacturer goes through before it puts a piece of software in a critical role on an aircraft. It's what the NSA demands before it purchases a piece of security equipment.

As an industry, we know how to provide security assurance in software and systems; we just tend not to bother. And most of the time, we don't care.
Commercial software, as insecure as it is, is good enough for most purposes. And while backward security is more expensive over the life cycle of the software, it's cheaper where it counts: at the beginning. Most software companies are short-term smart to ignore the cost of never-ending patching, even though it's long-term dumb.

Assurance is expensive, in terms of money and time for both the process and the documentation. But the NSA needs assurance for critical military systems; Boeing needs it for its avionics. And the government needs it more and more: for voting machines, for databases entrusted with our personal information, for electronic passports, for communications systems, for the computers and systems controlling our critical infrastructure.

Assurance requirements should be common in IT contracts, not rare. It's time we stopped thinking backward and pretending that computers are secure until proven otherwise.

This essay originally appeared on Wired.com.

Posted on August 09, 2007 at 08:19 AM • 37 Comments

Gun-Shaped Laptop Battery

Seems like bad design:

My laptop bag has scared TSA security personnel at several airports recently, requiring manual bag inspections each time. And when it happened again this week I finally figured out what it is that was freaking them out when the bag went through the x-ray machine -- it's the spare laptop battery I always carry. This would never be an issue if the battery were inside the laptop, but the spare battery (depending on how it is laying in the back) can catch attention. But, TSA issues aside, look at the shape of the battery. You just have to wonder -- what on earth was IBM thinking? The answer, of course, is obvious: it never occurred to them.
Posted on August 08, 2007 at 02:12 PM • 30 Comments

Another Biometric: Vein Patterns

In fact, vein recognition technology has one fundamental advantage over fingerprint systems: vein patterns in fingers and palms are biometric characteristics that are not left behind unintentionally in everyday activities. In tests conducted by heise, even extreme close-ups of a palm taken with a digital camera, whose RAW format can be filtered systematically to emphasize the near-infrared range, were unable to deliver a clear reproduction of the line pattern. With the transluminance method used by Hitachi it is practically impossible to read out the pattern unnoticed with today's technology. Another side effect of near-infrared imaging also has relevance to security: vein patterns of inanimate bodily parts become useless after few minutes, due to the increasing deoxidisation of the tissue. Even if someone manages to obtain a person's vein pattern, there is no known method for creating a functioning dummy, as is the case for fingerprints, where this can be achieved even with home-made tools, as demonstrated by the German computer magazine c't. As in the case with vendors of fingerprint systems, Hitachi and Fujitsu do not disclose information on liveness detection methods used in their products.

This is all interesting. I don't know about the details of the technology, but the discussions of false positives, false negatives, and forgeability are the right ones to have. Remember, though, that while biometrics are an effective security technology, they're not a panacea.

Posted on August 08, 2007 at 07:02 AM • 31 Comments

Brennan Center Releases Report on Post-Election Audits

Yet another good report on elections: this one on post-election audits: "Post-Election Audits: Restoring Trust in Elections."

Posted on August 07, 2007 at 12:11 PM • 6 Comments

Asking for Passwords

How do you get a password out of an IRS agent?
Just ask:

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

Wow. At the very least, I would have expected to have to give them chocolate.

Posted on August 07, 2007 at 06:53 AM • 33 Comments

Details on the UK Liquid Terrorist Plot

U.S. Homeland Security Secretary Michael Chertoff is releasing details about last summer's liquid-bomb plot:

Sources tell ABC News that after studying the plot, government officials have concluded that without the tip to British authorities, the suspects could have likely smuggled the bomb components onboard using sports drinks.

There has been a lot of speculation since last year about the plausibility of the plot, with most chemists falling on the "unrealistic" side. I'm still skeptical, especially because the liquid ban doesn't actually ban liquids. If they're so dangerous, why can anyone take 12 ounces of any liquid on any plane at any time? That's the real question, which TSA Administrator Kip Hawley deftly didn't answer in my conversation with him last week. (I brought it on a plane again yesterday: an opaque 12-ounce bottle labeled "saline," emptied and filled with another liquid, and then resealed. I held it up to the TSA official and made sure it was okay. It was.)

Another quote:

One official who briefed ABC News said explosives and security experts who examined the plot were "stunned at the extent that the suspects had gamed the system to exploit its weaknesses."

Well, yeah. That's the game you're stuck playing. From my conversation with Hawley (that's me talking):

But you're playing a game you can't win. You ban guns and bombs, so the terrorists use box cutters. You ban small blades and knitting needles, and they hide explosives in their shoes. You screen shoes, so they invent a liquid explosive. You restrict liquids, and they're going to do something else. The terrorists are going to look at what you're confiscating, and they're going to design a plot to bypass your security. Stop focusing on the tactics; focus on the broad threats.

Posted on August 06, 2007 at 11:34 PM • 71 Comments

Security-Theater Cameras Coming to New York

In this otherwise lopsided article about security cameras, this one quote stands out:

But Steve Swain, who served for years with the London Metropolitan Police and its counter-terror operations, doubts the power of cameras to deter crime.

Did you get that? Swain doesn't believe that cameras deter crime, but he wants cities to spend millions on them so that the terrorists "can see that you've got some measures in place." Anyone have any idea why we're better off doing this than other things that may actually deter crime and terrorism?

Posted on August 06, 2007 at 03:23 PM • 37 Comments

British Report on E-Voting

In even more voting news, the UK Electoral Commission released a report on the 2007 e-voting and e-counting pilots. The results are none too good:

The Commission's criticism of e-counting and e-voting was scathing; concerning the latter saying that the "security risk involved was significant and unacceptable." They recommend against further trials until the problems identified are resolved. Quality assurance and planning were found to be inadequate, predominantly stemming from insufficient timescales. In the case of the six e-counting trials, three were abandoned, two were delayed, leaving only one that could be classed as a success. Poor transparency and value for money are also cited as problems. More worryingly, the Commission identify a failure to learn from the lessons of previous pilot programmes.
Posted on August 06, 2007 at 10:21 AM • 8 Comments

Florida E-Voting Study

Florida just recently released another study of the Diebold voting machines. The most interesting issues are (1) Diebold's apparent "find-then-patch" approach to computer security, and (2) Diebold's lousy use of cryptography. Among the findings:
Avi Rubin has a nice overall summary, too:

So, Diebold is doing some things better than they did before when they had absolutely no security, but they have yet to do them right. Anyone taking any of our cryptography classes at Johns Hopkins, for example, would do a better job applying cryptography. If you read the SAIT report, this theme repeats throughout.

Right. These are classic examples of problems that can arise if (1) you "roll your own" crypto and/or (2) employ "find and patch" rather than a principled approach to security. It all makes me wonder what new problems will arise from future security patches. The good news is that Florida has decided not to certify the TSX at this time. They may try to certify a revised version of the OS (optical scan) system.

Posted on August 06, 2007 at 06:34 AM • 42 Comments

Friday Squid Blogging: Squid Fountain Pen

Review and article (pdf, pp. 3-5).

EDITED TO ADD (8/8): It costs $3000. Yikes.

Posted on August 03, 2007 at 04:44 PM • 5 Comments

Podcast Interview with Me

I was interviewed for "The Command Line" podcast.

Posted on August 03, 2007 at 03:05 PM • 2 Comments

More on the California Voting Machine Review

This is a follow-on to this post. What's new is that the source code reviews are now available. I haven't had the chance to review the reports. Matt Blaze has a good summary on his blog:

We found significant, deeply-rooted security weaknesses in all three vendors' software. Our newly-released source code analyses address many of the supposed shortcomings of the red team studies, which have been (quite unfairly, I think) criticized as being "unrealistic". It should now be clear that the red teams were successful not because they somehow "cheated," but rather because the built-in security mechanisms they were up against simply don't work properly. Reliably protecting these systems under operational conditions will likely be very hard.
I just read Matt Bishop's description of the miserable schedule and support that the California Secretary of State's office gave to the voting-machine review effort:

The major problem with this study is time. Although the study did not start until mid-June, the end date was set at July 20, and the Secretary of State said that under no circumstances would it be extended.

Matt Blaze, who led the team that reviewed the Sequoia code, had similar things to say:

Reviewing that much code in less than two months was, to say the least, a huge undertaking. We spent our first week (while we were waiting for the code to arrive) setting up infrastructure, including a Trac Wiki on the internal network that proved invaluable for keeping everyone up to speed as we dug deeper and deeper into the system. By the end of the project, we were literally working around the clock.

It seems that we have a new problem to worry about: the Secretary of State has no clue how to get a decent security review done.

Perversely, it was good luck that the voting machines tested were so horribly bad that the reviewers found vulnerabilities despite a ridiculous schedule -- one month simply isn't reasonable -- and egregious foot-dragging by vendors in providing needed materials. Next time, we might not be so lucky. If one vendor sees he can avoid embarrassment by stalling delivery of his most vulnerable source code for four weeks, we might end up with the Secretary of State declaring that the system survived vigorous testing and therefore is secure. Given that refusing cooperation incurred no penalty in this series of tests, we can expect vendors to work that angle more energetically in the future. The Secretary of State's own web page gives top billing to the need "to restore the public's confidence in the integrity of the electoral process," while the actual security of the machines is relegated to second place. We need real security evaluations, not feel-good fake tests.
I wish this were more the former than the latter.

EDITED TO ADD (8/4): California Secretary of State Bowen's certification decisions are online. She has totally decertified the ES&S Inkavote Plus system, used in L.A. County, because of ES&S