Schneier on Security
A blog covering security and security technology.
September 2007 Archives
Friday Squid Blogging: A Moaning Baby Giant Squid
Last evening we were lying down on the pilothouse bunk discussing some technical problems we were having, when we heard the fishing line go out. "That's not a fish," I said. The line went out too slowly and we were only going 2.5 knots, hardly fish catching speed. Reid went to reel in the line like he usually does in the evenings. Two minutes later he says, "There's a fish! Bring me my headlamp." I felt around for the headlamp in the darkness of the pilothouse and rushed outside with it in hand. By this time, he knows it's not a regular fish. "Shine the light right here!" he says while using both hands to reel in the line. I point the light in that direction. Something Big was coming out of the water moaning a low pitched wailing sound. Fish don't moan. They squeak every now and then, but they don't moan. I had no idea what it could be. Reid didn't know either and many thoughts ran through our heads as to what we might be pulling in. Was it a mammal? A mermaid? An alien? We strained our eyes to see. There were some stars out, but no moon had risen to provide any light, so the water was a gurgling blackness that was easier to hear than see. I wasn't sure exactly where to direct the light, but that low wailing sound was freaking me out. Picture pulling in a big heavy unknown Thing from the deep dark ocean at night and it's crying. It hit the deck with a heavy squishy sound. It was hard to see anything in the darkness. I finally figured out where to put the light. We see a whole bunch of tentacles curling and waving and a round body about four inches in diameter and the continued moaning. We both realize at the same time it was a squid about four feet long, though its whole body wasn't onboard yet. Now I've had calamari. They're usually about five inches long, an inch in diameter, and cut into four pieces. This was not calamari. It was dark; who knew how high and far that thing could jump in an effort to get away.
I didn't want it in my lap, so I kept backing away on the yoga platform, until I realized I had to keep shining the light on the thing, still eerily moaning, so I crawled forward again. I swear I was so terrified. Somehow, it freed itself from the line and splashed back into the water. I don't know who was more grateful that it got away, me or the squid. I calmed down a bit after it went back into the water. Reid was disappointed at the time, but later he admitted, "I don't know what I would have done with a huge squid this time of day." On my part, I'll try not to think of those long moaning sounds too much.
Can Smuggling in the U.S.
The U.S. has a patchwork of deposit laws on soft drink bottles and cans. Most states have no deposit, but some states -- Michigan, for example -- have deposits. The cans are the same, so you can make ten cents by buying a can in one state and then returning it for the deposit in Michigan.
Ten people have been arrested for making more than $500,000 doing this:
They ran grocery stores such as Save Plus Superstore in Pontiac, the Larosa Market in Sylvan Lake and Value Foods in Ypsilanti. Police also raided The Farmer John, Savemart Food Center and Americana Foods, all three in Detroit.
Nice arbitrage scam.
Oracle 11g Password Algorithm Revealed
It's based on SHA-1.
Mathematicians vs. Cryptographers
Neal Koblitz publishes what is, honestly, a rant about the cryptography field. The interesting part to me is when he talks about the uneasy relationship between mathematicians and cryptographers. Cryptographers, he says, toss the term "provable security" around much too often, publish inconsequential papers far too often, and are generally sloppy about their research.
I can't say I disagree with any of that. Cryptographers come either from mathematics or computer science. The former -- like Koblitz -- are far more rigorous than the latter, but the latter tend to come up with much more practical systems.
EDITED TO ADD (10/6): Kevin McCurley comments.
NASA Using 1960s Cryptanalysis Techniques
Well, sort of.
This paper from the Goddard Space Center, "NiCd Space Battery Test Data Analysis Project, Phase 2 Quarterly Report, 1 Jan. - 30 Apr. 1967," uses "cryptanalytic techniques" -- some sort of tri-gram frequency analysis, I think -- to ferret out hidden clues about battery failures.
It's hard to imagine non-NSA cryptography in the U.S. from the 1960s. Basically, it was all alphabetic stuff. Even rotor machines were highly classified, and absolutely nothing was being done in binary.
Security Considerations in Prison Food
The corn dogs don't have sticks in them.
The Technology of Homeland Security
Reuters has an article on future security technologies. I've already talked about automatic license-plate-capture cameras and aerial surveillance (drones and satellites), but there's some new stuff:
Resembling the seed of a silver maple tree, the single-winged device would pack a tiny two-stage rocket thruster along with telemetry, communications, navigation, imaging sensors and a power source.
Airport screening is another area that could be transformed within 10 years, using scanning wizardry to pinpoint a suspected security threat through biometrics -- based on one or more physical or behavioral traits.
For a while I've been saying that this whole national ID debate will be irrelevant soon. In the future you won't have to show ID; they'll already know who you are.
Chlorine and Cholera in Iraq
Excellent blog post:
So cholera has now reached Baghdad. That's not much of a surprise given the utter breakdown of infrastructure. But there's a reason the cholera is picking up speed now. From the NYT: "We are suffering from a shortage of chlorine, which is sometimes zero," Dr. Ameer said in an interview on Al Hurra, an American-financed television network in the Middle East. "Chlorine is essential to disinfect the water." [A World Health Organization representative in Iraq] also said some 100,000 tons of chlorine were being held up at Iraq's border with Jordan, apparently because of fears the chemical could be used in explosives. She urged authorities to release it for use in decontaminating water supplies.
I couldn't have said it better. In this case, the security countermeasure is worse than the threat. Same thing could be said about a lot of the terrorism countermeasures in the U.S.
Another article on the topic.
Eavesdropping on a Fiber Optic Cable
It's easy to eavesdrop on a copper cable; fiber optic cable is much harder. Here's how to eavesdrop on a fiber optic cable: total hardware cost less than $1,000.
Idiotic Cryptography Reporting
Oh, this is funny:
A team of researchers and engineers at a UK division of Franco-German aerospace giant EADS has developed what it believes is the world's first hacker-proof encryption technology for the internet.
Snake oil, absolute snake oil.
EDITED TO ADD (9/26): Steve Bellovin, who knows what he's talking about, writes:
Actually, it's not snake oil, it's very solid -- till it got to Marketing. The folks at EADS built a high-assurance, Type I (or the British equivalent) IP encryptor -- a HAIPE, in NSA-speak. Their enemy isn't "hackers", it's the PLA and the KGB++. See this and this.
David Lacey makes the same point here.
Psychoecology and the DHS
The Department of Homeland Security (DHS) has gone to many strange places in its search for ways to identify terrorists before they attack, but perhaps none stranger than this lab on the outskirts of Russia's capital. The institute has for years served as the center of an obscure field of human behavior study -- dubbed psychoecology -- that traces its roots back to Soviet-era mind control research.
Homeland Security Blanket
Pretty, and more than a bit silly.
Friday Squid Blogging: Whale Eating Giant Squid
Caught on film, first time ever:
"We looked hard and saw a tentacle of a squid hanging from its mouth and there were other pieces of squid stuck to the whale’s body. It made a number of brusque movements on its side in the water to free the tentacle to eat it – and there we were filming and photographing it all."
Mysterious Refrigerators in Toronto
Imagine if this happened in Boston?
Empty fridges suddenly popped up in the financial district, causing puzzled looks from passersby.
No word on who the "security personnel" were. Police? Building guards? Canadian secret agents?
If this were Boston, there would have been a media frenzy, ridiculous statements by public officials, and prosecutions of those responsible.
EDITED TO ADD (10/11): Press release.
Woman Arrested at Airport with Fake Bomb
Anyone know what's going on?
Star Simpson, 19, had a computer circuit board, wiring and a putty that later turned out to be Play-Doh in plain view over a black hooded sweat shirt she was wearing, said State Police Maj. Scott Pare, the commanding officer at the airport.
Geez. She's lucky to be alive. What in the world was she thinking?
EDITED TO ADD (9/21): Okay, clearly we need a lot more information:
The woman later told police the circuit board with lights on it was a work of art.
"She claims that it was just art and she was proud of the art and wanted to display it. I am not sure why she had the Play-Doh in her hands. She could not explain that," Pare said.
I have to admit that I would trust the authorities more if it weren't Boston.
EDITED TO ADD (9/21): Here's a picture. I'm leaning towards stupid police overreaction right now.
EDITED TO ADD (9/21): Okay, she made it for MIT's career day:
"She said that it was a piece of art and she wanted to stand out on career day," Pare said at a news conference.
Definitely stupid police overreaction.
Refuse to be terrorized, people!
EDITED TO ADD (9/21): A better photo.
EDITED TO ADD (9/22): More news. I now have complete sympathy for the student, and none for the police. I wonder if anyone wore their DefCon badge to the Las Vegas airport this year.
EDITED TO ADD (9/26): Really good information here:
Last week was Career Week at MIT. As usually happens during such events, the students turned out in high numbers to speak with company representatives and examine the "free" items that are handed out to students who visit certain booths. Star Simpson, an Electrical Engineering and Computer Science major who enjoys playing around with electronics, wore a bulky handmade nametag to the event. It consisted of a breadboard, LEDs in the shape of a star (for her name), some wires, and a nine-volt battery. She taped it to her sweatshirt to keep it in place, possibly hoping that the company representatives would better be able to remember a student with a flashing nametag.
And the authorities are going to make her pay for their mistake.
More on the German Terrorist Plot
This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn't explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.
The US intelligence agencies, the NSA and CIA, provided the most important information: copies of messages between German Islamists and their contacts in Pakistan. Three people in Germany were apparently the ones maintaining contact. The first was a man with the pseudonym "Muaz," who investigators suspected was Islamist Attila S., 22. The second was a man named "Zafer," from the town of Neunkirchen, who they believed was Zafer S., an old friend of Daniel S., one of the three men arrested last week. According to his father, Hizir S., Zafer is currently attending a language course in Istanbul. The third name that kept reappearing in the emails the NSA intercepted was "Abdul Malik," a.k.a. Fritz Gelowicz, who prosecutors believe was the ringleader of the German cell, a man Deputy Secretary Hanning calls "cold-blooded and full of hate."
This is also interesting, given the many discussions on this blog and elsewhere about stopping people watching and photographing potential terrorist targets:
Early in the evening of Dec. 31, 2006, a car containing several passengers drove silently past the Hutier Barracks in Lamboy, a section of the western German city of Hanau. Hanau is known as the home of a major US military base, where thousands of US soldiers live and routinely look forward to celebrating New Year's Eve in their home away from home. The BfV's observation team later noted that the car drove back and forth in front of the barracks several times. When German agents finally stopped the car, they discovered that the passengers were Fritz Gelowicz, Attila S. from the southern city of Ulm, Ayhan T. from Langen near Frankfurt and Dana B., a German of Iranian descent from Frankfurt who, when asked what he and the others were doing there, claimed that they had just wanted to see "how the Americans celebrate New Year's Eve."
London's Security Cameras Don't Help
Interesting article. London's 10,000 security cameras don't reduce crime:
A comparison of the number of cameras in each London borough with the proportion of crimes solved there found that police are no more likely to catch offenders in areas with hundreds of cameras than in those with hardly any.
EDITED TO ADD (10/11): This is a follow-up to a 2005 article.
Anonymity and the Tor Network
As the name implies, Alcoholics Anonymous meetings are anonymous. You don't have to sign anything, show ID or even reveal your real name. But the meetings are not private. Anyone is free to attend. And anyone is free to recognize you: by your face, by your voice, by the stories you tell. Anonymity is not the same as privacy.
That's obvious and uninteresting, but many of us seem to forget it when we're on a computer. We think "it's secure," and forget that secure can mean many different things.
Tor is a free tool that allows people to use the internet anonymously. Basically, by joining Tor you join a network of computers around the world that pass internet traffic randomly amongst each other before sending it out to wherever it is going. Imagine a tight huddle of people passing letters around. Once in a while a letter leaves the huddle, sent off to some destination. If you can't see what's going on inside the huddle, you can't tell who sent what letter based on watching letters leave the huddle.
I've left out a lot of details, but that's basically how Tor works. It's called "onion routing," and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol -- hence the onion analogy -- but the traffic that leaves the Tor network is in the clear. It has to be.
If you want your Tor traffic to be private, you need to encrypt it. If you want it to be authenticated, you need to sign it as well. The Tor website even says:
Yes, the guy running the exit node can read the bytes that come in and out there. Tor anonymizes the origin of your traffic, and it makes sure to encrypt everything inside the Tor network, but it does not magically encrypt all traffic throughout the internet.
Tor anonymizes, nothing more.
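As an added example (not from the essay and not the Tor project's code), here is a toy onion-routing circuit in Python that shows why each relay learns only the next hop while the exit relay reads exactly what the client sent, unless the client also encrypts end to end. The SHA-256 stream cipher, the relay names, the keys and the hostname are constructed stand-ins for illustration, not Tor's real protocol.

```python
import hashlib
import os


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream XOR (encrypt == decrypt).
    Illustration only: Tor uses AES-CTR; real code should use a vetted library."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: nonce || Enc_key(next_hop || 0x00 || inner)."""
    nonce = os.urandom(16)
    return nonce + stream_xor(key, nonce, next_hop.encode() + b"\x00" + inner)


def peel_layer(key: bytes, blob: bytes):
    """What a relay does: strip its own layer and learn only the next hop
    plus an opaque blob it cannot read."""
    nonce, body = blob[:16], blob[16:]
    plain = stream_xor(key, nonce, body)
    next_hop, inner = plain.split(b"\x00", 1)
    return next_hop.decode(), inner


# Constructed circuit: the client shares one key with each relay. In Tor these
# keys come from a per-hop Diffie-Hellman handshake; here they are random bytes.
CIRCUIT = ["guard", "middle", "exit"]
RELAY_KEYS = {name: os.urandom(32) for name in CIRCUIT}
DESTINATION = "mail.example-embassy.test"  # constructed hostname
SERVER_KEY = os.urandom(32)  # stands in for a TLS session key with the server


def build_onion(payload: bytes) -> bytes:
    """Client side: wrap innermost first (exit layer), guard layer last."""
    hops = CIRCUIT + [DESTINATION]
    blob = payload
    for i in range(len(CIRCUIT) - 1, -1, -1):
        blob = wrap_layer(RELAY_KEYS[CIRCUIT[i]], hops[i + 1], blob)
    return blob


def run_circuit(message: bytes, end_to_end: bool) -> dict:
    """Push one message through the toy circuit and record what each relay saw.
    Returns {relay: {"next_hop": str, "sees_message": bool}} and the bytes the
    exit forwards to the destination."""
    payload = message
    if end_to_end:  # client encrypts to the server first, as HTTPS/TLS would
        nonce = os.urandom(16)
        payload = nonce + stream_xor(SERVER_KEY, nonce, message)
    blob = build_onion(payload)
    observed = {}
    for relay in CIRCUIT:
        next_hop, blob = peel_layer(RELAY_KEYS[relay], blob)
        observed[relay] = {"next_hop": next_hop, "sees_message": blob == message}
    observed["exit_forwards"] = blob
    return observed


if __name__ == "__main__":
    msg = b"LOGIN user=attache password=correct-horse"  # constructed credential
    for e2e in (False, True):
        seen = run_circuit(msg, end_to_end=e2e)
        print("end-to-end encryption:", e2e)
        for relay in CIRCUIT:
            print(f"  {relay:6s} -> next hop {seen[relay]['next_hop']:<28}"
                  f" can read message: {seen[relay]['sees_message']}")
```

Without end-to-end encryption the exit relay's view is the login line itself, which is exactly the position Egerstad's exit nodes were in; with it, the exit sees only the destination and ciphertext.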
Dan Egerstad is a Swedish security researcher; he ran five Tor nodes. Last month, he posted a list of 100 e-mail credentials -- server IP addresses, e-mail accounts and the corresponding passwords -- for
The list contains mostly third-world embassies: Kazakhstan, Uzbekistan, Tajikistan, India, Iran, Mongolia -- but there's a Japanese embassy on the list, as well as the UK Visa Application Center in Nepal, the Russian Embassy in Sweden, the Office of the Dalai Lama and several Hong Kong Human Rights Groups. And this is just the tip of the iceberg; Egerstad sniffed more than 1,000 corporate accounts this way, too. Scary stuff, indeed.
Presumably, most of these organizations are using Tor to hide their network traffic from their host countries' spies. But because anyone can join the Tor network, Tor users necessarily pass their traffic to organizations they might not trust: various intelligence agencies, hacker groups, criminal organizations and so on.
It's simply inconceivable that Egerstad is the first person to do this sort of eavesdropping; Len Sassaman published a paper on this attack earlier this year. The price you pay for anonymity is exposing your traffic to shady people.
We don't really know whether the Tor users were the accounts' legitimate owners, or if they were hackers who had broken into the accounts by other means and were now using Tor to avoid being caught. But certainly most of these users didn't realize that anonymity doesn't mean privacy. The fact that most of the accounts listed by Egerstad were from small nations is no surprise; that's where you'd expect weaker security practices.
True anonymity is hard. Just as you could be recognized at an AA meeting, you can be recognized on the internet as well. There's a lot of research on breaking anonymity in general -- and Tor specifically -- but sometimes it doesn't even take much. Last year, AOL made 20,000 anonymous search queries public as a research tool. It wasn't very hard to identify people from the data.
A research project called Dark Web, funded by the National Science Foundation, even tried to identify anonymous writers by their style:
One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating "anonymous" content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past.
And if your name or other identifying information is in just one of those writings, you can be identified.
Like all security tools, Tor is used by both good guys and bad guys. And perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it.
This essay previously appeared on Wired.com.
Insider Terrorist Attack
Pakistani Army officer as suicide bomber:
According to reliable sources in the local police, a Pashtun army officer belonging to the elite Special Services Group, whose younger sister was reportedly among the 300 girls killed during the Pakistan Army's commando raid on the Lal Masjid in Islamabad between July 10 and 13, blew himself up during dinner at the SSG's headquarters mess at Tarbela Ghazi, 100 km south of Islamabad, on the night of September 13, killing 19 other officers.
There probably isn't any practicable way to prevent these sorts of attacks by trusted insiders.
The Multics Operating System
Multics was an operating system from the 1960s, and had better security than a lot of operating systems today. This article from 2002 talks about Multics security, and the lessons learned that are still relevant today.
Spying in Women's World Cup Soccer
Leaked MediaDefender E-mails
This story is poised to become a bigger deal:
Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender's elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender's collaboration with the New York Attorney General's office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.
More info here.
And now, phone calls were leaked. Here's a teaser -- Ben Grodsky of MediaDefender talking to the New York State Attorney General's office:
Ben Grodsky: "Yeah it seems...I mean, from our telephone call yesterday it seems that uhm... we all pretty much came to the conclusion that probably was ehm... caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm... knew the login and the IP address and port uhm... but they weren't able to get in because we had changed the password on our end, you know, following our normal security protocols uhm... when we are making secure transactions like these on the first login we'll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm... intercepted.
EDITED TO ADD (9/20): Media Defender’s source code is now available on P2P networks. Actually, I’m feeling sorry for them.
European Parliament Moves to Undo Airplane Liquid Ban
This ban is annoying for the travellers and a large cost for society, and we need to examine if the benefits are in relation to the cost.
And the European Parliament agreed:
The House adopted a resolution with 464 votes in favour, 158 against and 70 abstentions on the restrictions imposed by the EU on liquids that passengers can take on board aeroplanes. MEPs call upon the Commission to review urgently and -- if no further conclusive facts are brought forward -- to repeal Regulation (EC) No 1546/2006 (introduction of liquids onto aircraft). The particular amendment on the possible repeal was adopted with 382 votes in favour, 298 against and 15 abstentions.
Security is a trade-off; makes sense to me.
EDITED TO ADD (10/11): Unfortunately the European Parliament is powerless; their decisions are regularly ignored. In this case, the European Commission has the real power.
Formula One Racing Spying Scandal
Microsoft Updates Both XP and Vista Without User Permission or Notification
The details are still fuzzy, but if this is true, it's a huge deal.
Note that Microsoft can do this; that's just stupid company stuff. But what's to stop anyone else from using Microsoft's stealth remote install capability to put anything onto anyone's computer? How long before some smart hacker exploits this, and then writes a program that will allow all the dumb hackers to do it?
When you build a capability like this into your system, you decrease your overall security.
Friday Squid Blogging: Squid Controlled Evolution of Sonar in Whales and Dolphins
Behind the sailor's lore of fearsome battles between sperm whale and giant squid lies a deep question of evolution: How did these leviathans develop the underwater sonar needed to chase and catch squid in the inky depths?
Home Users: A Public Health Problem?
To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of their operating system "out of the box," but there are still a dizzying array of rules, options, and choices that users have to make. How should they configure their anti-virus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on and so on and so on.
How is it possible that we in the computer industry have created such a shoddy product? How have we foisted on people a product that is so difficult to use securely, that requires so many add-on products?
It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application -- IM, peer-to-peer file sharing, eBay, Facebook -- to make computers both useful and enjoyable to the home user. At the same time, we've made them so hard to maintain that only a trained sysadmin can do it.
And then we wonder why home users have such problems with their buggy systems, why they can't seem to do even the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.
At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don't see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they're available to help me recover if something untoward does happen to my system. Home users have none of this support. They're on their own.
This problem isn't simply going to go away as computers get smarter and users get savvier. The next generation of computers will be vulnerable to all sorts of different attacks, and the next generation of attack tools will fool users in all sorts of different ways. The security arms race isn't going away any time soon, but it will be fought with ever more complex weapons.
This isn't simply an academic problem; it's a public health problem. In the hyper-connected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam, and attack other computers. We are all more secure if all those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is: what's the best way to get there?
I wonder about those who say "educate the users." Have they tried? Have they ever met an actual user? It's unrealistic to expect home users to be responsible for their own security. They don't have the expertise, and they're not going to learn. And it's not just user actions we need to worry about; these computers are insecure right out of the box.
The only possible way to solve this problem is to force the ISPs to become IT departments. There's no reason why they can't provide home users with the same level of support my IT department provides me with. There's no reason why they can't provide "clean pipe" service to the home. Yes, it will cost home users more. Yes, it will require changes in the law to make this mandatory. But what's the alternative?
In 1991, Walter S. Mossberg debuted his "Personal Technology" column in The Wall Street Journal with the words: "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, the statement is still true -- and doubly true when it comes to computer security.
If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn't any other way.
This essay is the first half of a point/counterpoint with Marcus Ranum in the September issue of Information Security. You can read his reply here.
"Say No to Nightmares"
Original song by Tay Zonday.
New Security Cartoon Site
Chinese National Firewall Isn't All that Effective
The study, carried out by graduate student Earl Barr and colleagues in the computer science department of UC Davis and the University of New Mexico, exploited the workings of the Chinese firewall to investigate its effectiveness.
There's been a lot of hype, but finally there's a good article about the cryptanalysis of the KeeLoq electronic car-door entry system.
Spying in Football
The New England Patriots, one of the two or three best teams in the last five years, have been accused of stealing signals from the other team.
The "Game Operations Manual" states that "no video recording devices of any kind are permitted to be in use in the coaches' booth, on the field, or in the locker room during the game." The manual states that "all video shooting locations must be enclosed on all sides with a roof overhead." NFL security officials confiscated a camera and videotape from a New England video assistant on the Patriots' sideline when it was suspected he was recording the Jets' defensive signals. Taping any signals is prohibited. The toughest part usually is finding evidence to support an allegation.
I remember when the NFL changed the rules to allow a radio link from the quarterback's helmet to the sidelines. A smart team could not only eavesdrop on the other team, but selectively jam the signal when it would be most critical. The rules said that if one team's radio link didn't work, the other team had to turn its off, but that's a minor consideration if you know it's coming.
And this is a really good conversation on the topic.
EDITED TO ADD (9/18): Ed Felten comments.
Four-Year-Old Girl Asked to Remove her Hoodie for Vague "Security" Reasons
Ms Lewis, 36, said: "I was having a game of bingo while the little one was on the 2p machine with my dad Desmond.
Light and Crime
A New Yorker article on light pollution has a paragraph on light and crime:
Much so-called security lighting is designed with little thought for how eyes -- or criminals -- operate. Marcus Felson, a professor at the School of Criminal Justice at Rutgers University, has concluded that lighting is effective in preventing crime mainly if it enables people to notice criminal activity as it's taking place, and if it doesn't help criminals to see what they're doing. Bright, unshielded floodlights -- one of the most common types of outdoor security lighting in the country -- often fail on both counts, as do all-night lights installed on isolated structures or on parts of buildings that can't be observed by passersby (such as back doors). A burglar who is forced to use a flashlight, or whose movement triggers a security light controlled by an infrared motion sensor, is much more likely to be spotted than one whose presence is masked by the blinding glare of a poorly placed metal halide "wall pack." In the early seventies, the public-school system in San Antonio, Texas, began leaving many of its school buildings, parking lots, and other property dark at night and found that the no-lights policy not only reduced energy costs but also dramatically cut vandalism.
1624 Cryptography Book Up for Auction
Rare 17th Century work on Cryptography
Auction on September 13. Estimated price $5,000-$8,000.
EDITED TO ADD (9/13): A partial English translation.
Lousy Electronic Stamp Security in Germany
More and more, we're seeing electronic postage stamps: stamps you can print directly onto envelopes from your printer. This story from Germany illustrates some of the problems when security collides with convenience.
Cory Doctorow on DRM
Cory Doctorow has been writing a biweekly column for The Guardian on DRM and the entertainment industry. He's written three so far, and they're all here.
How to Get Free Food at a Fast-Food Drive-In
It's easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay for and receive your food. The video demonstrates the attack at a McDonald's in -- I assume -- France.
Wait until there is someone behind you and someone in front of you. Don't order anything at the first window. Tell the clerk that you forgot your money and didn't order anything. Then drive to the second window, and take the food that the person behind you ordered.
It's a clever exploit. Basically, it's a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.
It's relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system's optimization.
So if not a lot of people do this, the vulnerability will remain open.
EDITED TO ADD (9/20): The video has been removed from YouTube. It's available here.
Friday Squid Blogging: Vampyroteuthis infernalis
Note that it lives at 2000-3000 feet below sea level, in no light and almost no dissolved oxygen. On the other hand, it's only a foot long.
The No-Fly List Catches an Actual Terrorist
Or, at the very least, someone who has consorted with terrorists.
It had to happen sooner or later; even a broken clock is right twice a day.
Federal Judge Strikes Down National-Security-Letter Provision of Patriot Act
From the article:
The ACLU had challenged the law on behalf of an Internet service provider, complaining that the law allowed the FBI to demand records without the kind of court supervision required for other government searches. Under the law, investigators can issue so-called national security letters to entities like Internet service providers and phone companies and demand customers' phone and Internet records.
Note that the judge immediately stayed his decision, pending appeal.
EDITED TO ADD (9/9): More legal commentary.
APEC Conference in Sydney Social Engineered
The APEC conference is a big deal in Australia right now, and the security is serious. They've blocked off a major part of Sydney, implemented special APEC laws allowing extra search powers for the police, and even given everyone in Sydney the day off -- just to keep people away.
Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren't stopped until right outside President Bush's hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.
The ABC later released a statement saying the team had no intention of entering a restricted zone and had been wearing mock "insecurity passes" that stated the convoy was a joke.
I've written about these large-scale social engineering pranks before (although at this point I doubt that the Super Bowl prank was real). The trick: look like you fit in.
I've also written about the Australian comedy group before. They're from a television show called The Chaser's War on Everything, and they've tested security cameras and Trojan horses. And interviewed ignorant Americans.
And APEC security is over-the-top stupid:
On the same day police won a court battle to stop protesters marching down George Street through the APEC security zone, it emerged yesterday that at least one cafe near George Bush's hotel has been ordered by police not to set outdoor tables with silverware, lest it fall into the wrong hands.
Great video from The Chasers on APEC and security, including some very funny footage about what normal people are willing to do and have done to them in the name of security.
Cows Get Photo IDs in India
You can't make this stuff up.
Authorities say crime syndicates find it easy to tamper with branding or tattooing of the cattle -- hence the idea for photo identity cards which should be difficult to falsify.
Does anyone really think this will improve security?
Terrorist Plot Foiled in Germany
EDITED TO ADD (9/7): The more I read about this, the more obvious it is that intelligence and investigation is what caught these guys, and not any wholesale eavesdropping or data mining programs.
EDITED TO ADD (9/18): This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn't explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.
Basketball Referees and Single Points of Failure
Sports referees are supposed to be fair and impartial. They're not supposed to favor one team over another. And they're most certainly not supposed to have a financial interest in the outcome of a game.
Tim Donaghy, referee for the National Basketball Association, has been accused of both betting on basketball games and fixing games for the mob. He has confessed to far less -- gambling in general, and selling inside information on players, referees and coaches to a big-time professional gambler named James "Sheep" Battista. But the investigation continues, and the whole scandal is an enormous black eye for the sport. Fans like to think that the game is fair and that the winning team really is the winning team.
What sorts of systems -- IT, financial, NBA games or whatever -- are most at risk of being manipulated? The ones where the smallest change can have the greatest impact, and the ones where trusted insiders can make that change.
Of all major sports, basketball is the most vulnerable to manipulation. There are only five players on the court per team, fewer than in other professional team sports; thus, a single player can have a much greater effect on a basketball game than he can in the other sports. Star players like Michael Jordan, Kobe Bryant and LeBron James can carry an entire team on their shoulders. Even baseball great Alex Rodriguez can't do that.
Because individual players matter so much, a single referee can affect a basketball game more than he can in any other sport. Referees call fouls. Contact occurs on nearly every play, any of which could be called as a foul. They're called "touch fouls," and they are mostly, but not always, ignored. The refs get to decide which ones to call.
Even more drastically, a ref can put a star player in foul trouble immediately -- and cause the coach to bench him longer throughout the game -- if he wants the other side to win. He can set the pace of the game, low-scoring or high-scoring, based on how he calls fouls. He can decide to invalidate a basket by calling an offensive foul on the play, or give a team the potential for some extra points by calling a defensive foul. There's no formal instant replay. There's no second opinion. A ref's word is law -- there are only three of them -- and a crooked ref has enormous power to control the game.
It's not just that basketball referees are single points of failure, it's that they're both trusted insiders and single points of catastrophic failure.
These sorts of vulnerabilities exist in many systems. Consider what a terrorist-sympathizing Transportation Security Administration screener could do to airport security. Or what a criminal CFO could embezzle. Or what a dishonest computer-repair technician could do to your computer or network. The same goes for a corrupt judge, police officer, customs inspector, border-control officer, food-safety inspector and so on.
The best way to catch corrupt trusted insiders is through audit. The particular components of a system that have the greatest influence on the performance of that system need to be monitored and audited, even if the probability of compromise is low. It's after the fact, but if the likelihood of detection is high and the penalties (fines, jail time, public disgrace) are severe, it's a pretty strong deterrent. Of course, the counterattack is to target the auditing system. Hackers routinely try to erase audit logs that contain evidence of their intrusions.
Even so, audit is the reason we want open-source code reviews and verifiable paper trails in voting machines; otherwise, a single crooked programmer could single-handedly change an election. It's also why the Securities and Exchange Commission closely monitors trades by brokers: They are in an ideal position to get away with insider trading. The NBA claims it monitors referees for patterns that might indicate abuse; there's still no answer to why it didn't detect Donaghy.
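One form the pattern audit mentioned above could take, as an added example that is not part of the original essay and not any actual NBA procedure: per-referee foul-call differentials over constructed game records, with a leave-one-out z-score so that a single crooked referee cannot hide by inflating the pool's own spread. The referee names and game data are invented.

```python
"""Pattern audit of referee foul calls (added example, not from the essay).

Each constructed record is (referee, game_id, fouls_on_favored, fouls_on_underdog):
how many fouls the referee called against the pre-game favorite and the underdog.
A referee who consistently calls more fouls against the favorite shifts point
spreads, which is the kind of pattern an audit should surface.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data; referee names are placeholders, not real officials.
CALLS = [
    ("ref_A", 1, 5, 6), ("ref_A", 2, 4, 5), ("ref_A", 3, 6, 6), ("ref_A", 4, 5, 4),
    ("ref_B", 1, 6, 5), ("ref_B", 2, 5, 5), ("ref_B", 3, 4, 6), ("ref_B", 4, 5, 6),
    ("ref_C", 5, 9, 3), ("ref_C", 6, 8, 2), ("ref_C", 7, 10, 4), ("ref_C", 8, 9, 3),
]

def per_referee_bias(calls):
    """Mean signed differential (fouls on favorite - fouls on underdog) per referee."""
    diffs = defaultdict(list)
    for ref, _game, on_fav, on_dog in calls:
        diffs[ref].append(on_fav - on_dog)
    return {ref: mean(d) for ref, d in diffs.items()}

def flag_outliers(calls, z_threshold=2.0, min_games=3):
    """Return {referee: z-score} for referees whose mean bias is an outlier.

    The baseline for each referee is the other referees only (leave-one-out),
    so the suspect's own numbers do not widen the standard deviation used to
    judge him.
    """
    bias = per_referee_bias(calls)
    counts = defaultdict(int)
    for ref, *_ in calls:
        counts[ref] += 1
    flagged = {}
    for ref, b in bias.items():
        if counts[ref] < min_games:
            continue  # too few games to call anything a pattern
        others = [v for r, v in bias.items() if r != ref]
        if len(others) < 2:
            continue  # no meaningful baseline without at least two peers
        mu, sigma = mean(others), pstdev(others)
        sigma = max(sigma, 0.5)  # floor so a near-identical pool still yields a finite z
        z = (b - mu) / sigma
        if abs(z) >= z_threshold:
            flagged[ref] = round(z, 2)
    return flagged
```

On the constructed data only ref_C is flagged; the honest referees' small, sign-mixed differentials stay well inside the threshold.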
Most companies focus the bulk of their IT-security monitoring on external threats, but they should be paying more attention to internal threats. While a company may inherently trust its employees, those trusted employees have far greater power to affect corporate systems and are often single points of failure. And trusted employees can also be compromised by external elements, as Tim Donaghy was by Battista and possibly the Mafia.
All systems have trusted insiders. All systems have catastrophic points of failure. The key is recognizing them, and building monitoring and audit systems to secure them.
This is my 50th essay for Wired.com.
Police to Monitor Indian Cyber-Cafes
It stops terrorism, you see:
Vijay Mukhi, President of the Foundation for Information Security and Technology says, "The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity."
Is anyone talking about the societal implications of this sort of wholesale surveillance? Not really:
"The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer," said Mukhi.
EDITED TO ADD (10/24): This may be a hoax.
"Cyber Crime Toolkits" Hit the News
On the BBC website:
"They are starting to pop up left and right," said Tim Eades from security company Sana, of the sites offering downloadable hacking tools. "It's the classic verticalisation of a market as it starts to mature."
In one sense, there's nothing new here. There have been rootkits and virus construction kits available on the Internet for years. The very definition of a "script kiddie" is someone who uses these tools without really understanding them. What is new is the market: these new tools aren't for wannabe hackers, they're for criminals. And with the new market comes a for-profit business model.
NASA Employees Sue over Background Checks
This is a big deal:
Jet Propulsion Laboratory scientists and engineers sued NASA and the California Institute of Technology on Thursday, challenging extensive new background checks that the space exploration center and other federal agencies began requiring in the wake of the Sept. 11 terror attacks.
Pentagon Hacked by Chinese Military
Not enough details to know what's really going on, though. From the FT:
The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.
EDITED TO ADD (9/13): Another good commentary.
Do-It-Yourself Laser Spy Microphone
Using Fear to Sell Pens
Uni-Ball is using fear to sell pens.
I admit that check washing is a problem, but I don't like the fear-mongering in the advertisement.
EDITED TO ADD: Here's a Youtube link to the ad that's still good.