Schneier on Security
A blog covering security and security technology.
August 2008 Archives
Friday Squid Blogging: Translucent Squid
Another Voting Machine Cartoon
You know your industry has problems when mainstream comic strips make fun of you.
A British Bank Bans a Man's Password
Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer.
Lloyd's claims that they fired the employee responsible for this, but what I want to know is how the employee got a copy of the man's password in the first place. Why isn't it stored only in encrypted form on the bank's computers?
How secure can the bank's computer systems be if employees are allowed to look at and change customer passwords at whim?
Border Gateway Protocol (BGP) Attacks
It's a man-in-the-middle attack. "The Internet's Biggest Security Hole" (the title of that first link) has been that interior relays have always been trusted even though they are not trustworthy.
EDITED TO ADD (9/12): This is worth reading.
The TSA Told You That Liquids Are Dangerous
A plane was forced to land when a passenger had an extreme allergic reaction to a leaking jar of mushroom soup, it was revealed today.
Diebold Finally Admits its Voting Machines Drop Votes
It's unclear if this error is random or systematic. If it's random -- a small percentage of all votes are dropped -- then it is highly unlikely that this affected the outcome of any election. If it's systematic -- a small percentage of votes for a particular candidate are dropped -- then it is much more problematic.
Ohio is trying to sue:
Ohio Secretary of State Jennifer Brunner is seeking to recover millions of dollars her state spent on the touch-screen machines and is urging the state legislature to require optical scanners statewide instead.
In other news, election officials sometimes take voting machines home for the night.
My 2004 essay: "Why Election Technology is Hard."
Virus Infects the Space Station
Doctoring Photographs without Photoshop
It's all about the captions:
...doctored photographs are the least of our worries. If you want to trick someone with a photograph, there are lots of easy ways to do it. You don't need Photoshop. You don't need sophisticated digital photo-manipulation. You don't need a computer. All you need to do is change the caption.
Full Disclosure and the Boston Farecard Hack
In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.
The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.
The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.
The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors -- who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities.
Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly. Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism by which computer security improves.
Outside of computer security, secrecy is much more the norm. Some security communities, like locksmiths, behave much like medieval guilds, divulging the secrets of their profession only to those within it. These communities hate open research, and have responded with surprising vitriol to researchers who have found serious vulnerabilities in bicycle locks, combination safes, master-key systems and many other security devices.
Researchers have received a similar reaction from other communities more used to secrecy than openness. Researchers -- sometimes young students -- who discovered and published flaws in copyright-protection schemes, voting-machine security and now wireless access cards have all suffered recriminations and sometimes lawsuits for not keeping the vulnerabilities secret. When Christopher Soghoian created a website allowing people to print fake airline boarding passes, he got several unpleasant visits from the FBI.
This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.
The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."
In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys.
If you'll forgive the analogy, the ethics of full disclosure parallel the ethics of not paying kidnapping ransoms. We all know why we don't pay kidnappers: It encourages more kidnappings. Yet in every kidnapping case, there's someone -- a spouse, a parent, an employer -- with a good reason why, in this one case, we should make an exception.
The reason we want researchers to publish vulnerabilities is because that's how security improves. But in every case there's someone -- the Massachusetts Bay Transit Authority, the locksmiths, an election machine manufacturer -- who argues that, in this one case, we should make an exception.
We shouldn't. The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It's how we learn about security, and how we improve future security.
This essay previously appeared on Wired.com.
EDITED TO ADD (8/26): Matt Blaze has a good essay on the topic.
EDITED TO ADD (9/12): A good legal analysis.
Red Light Cameras Don't Work
Interesting: the solution to one problem causes another.
"The rigorous studies clearly show red-light cameras don't work," said lead author Barbara Langland-Orban, professor and chair of health policy and management at the USF College of Public Health. "Instead, they increase crashes and injuries as drivers attempt to abruptly stop at camera intersections."
And, of course, the agenda of the government is to increase revenue due to fines:
A 2001 paper by the Office of the Majority Leader of the U.S. House of Representatives reported that red-light cameras are "a hidden tax levied on motorists." The report came to the same conclusions that all of the other valid studies have, that red-light cameras are associated with increased crashes and that the timings at yellow lights are often set too short to increase tickets for red-light running. That's right, the state actually tampers with the yellow light settings to make them shorter, and more likely to turn red as you're driving through them.
Friday Squid Blogging: Giant Squids on Exhibit at the Smithsonian
Starting September 27th: a 36-foot-long, 330-lb female and a 20-foot-long, 100-lb male.
Monitoring P2P Networks
Abstract -- We reverse engineer copyright enforcement in the popular BitTorrent file sharing network and find that a common approach for identifying infringing users is not conclusive. We describe simple techniques for implicating arbitrary network endpoints in illegal content sharing and demonstrate the effectiveness of these techniques experimentally, attracting real DMCA complaints for nonsense devices, e.g., IP printers and a wireless access point. We then step back and evaluate the challenges and possible future directions for pervasive monitoring in P2P file sharing networks.
Webpage on the research.
MI5 on Terrorist Profiling
There's no profile:
MI5 has concluded that there is no easy way to identify those who become involved in terrorism in Britain, according to a classified internal research document on radicalisation seen by the Guardian.
They break planes:
Citing sources within the aviation industry, ABC News reports an overzealous TSA employee attempted to gain access to the parked aircraft by climbing up the fuselage... reportedly using the Total Air Temperature (TAT) probes mounted to the planes' noses as handholds.
They harass innocents:
James Robinson is a retired Air National Guard brigadier general and a commercial pilot for a major airline who flies passenger planes around the country.
It's easy to sneak by them:
The third-grader has been on the watch list since he was 5 years old. Asked whether he is a terrorist, he said, "I don't know."
And here's how to sneak lockpicks past them.
EDITED TO ADD (8/21): Ha ha ha ha:
Even though its inspector's actions caused nine American Eagle planes to be grounded in Chicago this week, the Transportation Security Administration says it may pursue action against the airline for security lapses.
And a step in the right direction:
A federal appeals court ruled this week that individuals who are blocked from commercial flights by the federal no-fly list can challenge their detention in federal court.
Nice Article on Personal Surveillance
Nice article on personal surveillance from the London Review of Books.
A Security Assessment of the Internet Protocol
Mental Illness and Murder
Contrary to popular belief, homicide due to mental illness is declining, at least in England and Wales:
The rate of total homicide and the rate of homicide due to mental disorder rose steadily until the mid-1970s. From then there was a reversal in the rate of homicides attributed to mental disorder, which declined to historically low levels, while other homicides continued to rise.
Remember this the next time you read a newspaper article about how scared everyone is because some patients escaped from a mental institution:
We are convinced by the media that people with serious mental illnesses make a significant contribution to murders, and we formulate our approach as a society to tens of thousands of people on the basis of the actions of about 20. Once again, the decisions we make, the attitudes we have, and the prejudices we express are all entirely rational, when analysed in terms of the flawed information we are fed, only half chewed, from the mouths of morons.
Adi Shamir's Cube Attacks
At this moment, Adi Shamir is giving an invited talk at the Crypto 2008 conference about a new type of cryptanalytic attack called "cube attacks." He claims very broad applicability to stream and block ciphers.
My personal joke -- at least I hope it's a joke -- is that he's going to break every NIST hash submission without ever seeing any of them. (Note: The attack, at least at this point, doesn't apply to hash functions.)
EDITED TO ADD (8/19): AES is immune to this attack -- the degree of the algebraic polynomial is too high -- and all the block ciphers we use have a higher degree. But, in general, anything that can be described with a low-degree polynomial equation is vulnerable: that's pretty much every LFSR scheme.
EDITED TO ADD (8/19): The typo that amused you all below has been fixed. And this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use; their degree is much too high. It doesn't apply to hash functions at all, at least not yet -- but again, the degree of all the common ones is much too high. I will post a link to the paper when it becomes available; I assume Adi will post it soon. (The paper was rejected from Asiacrypt, demonstrating yet again that the conference review process is broken.)
EDITED TO ADD (8/19): Adi's coauthor is Itai Dinur. Their plan is to submit the paper to Eurocrypt 2009. They will publish it as soon as they can, depending on the Eurocrypt rules about prepublication.
EDITED TO ADD (9/14): The paper is online.
Cyberattack Against Georgia Preceded Real Attack
This is interesting:
Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved. In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government's ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia.
Welcome to 21st century warfare.
"It costs about 4 cents per machine," Mr. Woodcock said. "You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to."
The Continuing Cheapening of the Word "Terrorism"
Illegally diverting water is terrorism:
South Australian Premier Mike Rann says the diversion of water from the Paroo River in Queensland is an act of terrorism during a water crisis.
Anonymously threatening people with messages on playing cards, like the Joker in The Dark Knight, is terrorism:
Giles County deputies arrest two county teenagers they say made terroristic threats to people on playing cards.
EDITED TO ADD (8/26): In the UK, walking on a bicycle path is terrorism.
Air Force Suspends Cyber-Command
The provisional, 8,000-man Cyber Command has been ordered to stop all activities, just weeks before it was supposed to be declared operational.
Friday Squid Blogging: Talking Squids in Outer Space
An index of fiction.
The site was inspired by Margaret Atwood's infamous comment that Oryx and Crake isn't really science fiction, because science fiction is "talking squids in outer space." This prompted a hunt for science fiction which actually did feature talking squids in outer space.
XKCD on Voting Machine Security
This comment is absolutely correct.
UK Police Seize War on Terror Board Game
They said -- and it's almost too stupid to believe -- that:
the balaclava "could be used to conceal someone's identity or could be used in the course of a criminal act".
Don't they realize that balaclavas are for sale everywhere in the UK? Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone's identity?
The game sounds like it could be fun, though:
Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other.
Kids with Cell Phones in Emergencies
In the middle of a sensationalist article about risks to children and how giving them cell phones can help, there's at least one person who gets it.
Since the 1999 Columbine High School shootings and the 9/11 terrorist attacks, many parents feel better having a way to contact their children. But hundreds of students on cell phones during an emergency can cause problems for responders.
We are just naturally inclined to make irrational security decisions when it comes to our children.
Data Mining to Detect Pump-and-Dump Scams
I don't know any of the details, but this seems like a good use of data mining:
Mr Tancredi said Verisign's fraud detection kit would help "decrease the time between the attack being launched and the brokerage being able to respond".
This is a good use of data mining because, as I said previously:
Data mining works best when there's a well-defined profile you're searching for, a reasonable number of attacks per year, and a low cost of false alarms.
Another news article here.
The Risk of Anthrax
Some reality to counter the hype.
The Bottom Line
UK National Risk Register
The UK has made public its previously classified National Risk Register.
The National Risk Register is intended to capture the range of emergencies that might have a major impact on all, or significant parts of, the UK. It provides a national picture of the risks we face, and is designed to complement Community Risk Registers, already produced and published locally by emergency planners. The driver for this work is the Civil Contingencies Act 2004, which also defines what we mean by emergencies, and what responsibilities are placed on emergency responders in order to prepare for them. Further information about the Act can be found on the UK Resilience website.
Seems like the greatest threat to national security is a flu pandemic.
Flying Without ID
Seems like the procedure has changed:
Mr. Peters nodded, and then looked down at the sheet which I had filled out and signed. “I’m going to have to make some calls to verify your identity.”
This only works if you've lost your ID, not if you refuse to show it.
Memo to the Next President
Obama has a cyber security plan.
It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.
I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.
One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.
You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.
Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.
Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.
Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.
If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.
Oh, and get rid of those post-9/11 restrictions on student visas that are causing so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.
Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.
Security is both subtle and complex, and -- unfortunately -- doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.
And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority. Otherwise he won't be able to get anything done, either.
This essay originally appeared on Wired.com.
Bypassing Microsoft Vista's Memory Protection
This is huge:
Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
EDITED TO ADD (8/11): Here's commentary that says this isn't such a big deal after all. I'm not convinced; I think this will turn out to be a bigger problem than that.
Amber Alerts As Security Theater
Since its birth 12 years ago after a fatal kidnapping in Texas, Amber Alert has quickly become one of the best-known tools in the national law enforcement arsenal. The warnings are familiar to anyone who watches cable TV news, especially during the summer, when the drumbeat of abduction stories seems to increase. Last year, 227 alerts were issued nationwide, each galvanizing interest in the local community and flooding police with tips. While the particulars of the state systems differ, the goal is the same: to disperse news of a kidnapping as widely and quickly as possible, in the hope that someone will spot the kidnapper before a child is harmed.
Friday Squid Blogging: Squid Fables
Are the Chinese Olympics a Trap?
The Onion reminds us that we can never be too careful.
DMCA Does Not Apply to U.S. Government
According to a recent court ruling, we are all subject to the provisions of the DMCA, but the government is not:
The Court of Federal Claims that first heard the case threw it out, and the new Appellate ruling upholds that decision. The reasoning behind the decisions focuses on the US government's sovereign immunity, which the court describes thusly: "The United States, as [a] sovereign, 'is immune from suit save as it consents to be sued . . . and the terms of its consent to be sued in any court define that court's jurisdiction to entertain the suit.'"
UK Electronic Passport Cloned
The headline says it all: "'Fakeproof' e-passport is cloned in minutes."
Does this surprise anyone? This is what I wrote about electronic passports two years ago in The Washington Post:
The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a "meaningless stunt," pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.
Indictments Against Largest ID Theft Ring Ever
It was really big news yesterday, but I don't think it's that much of a big deal. These crimes are still easy to commit and it's still too hard to catch the criminals. Catching one gang, even a large one, isn't going to make us any safer.
If we want to mitigate identity theft, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
I am, however, impressed that we managed to pull together the police forces from several countries to prosecute this case.
Hacking Mifare Transport Cards
London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won't be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.
Here's the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the "Mifare Classic" chip, is used in hundreds of other transport systems as well — Boston, Los Angeles, Brisbane, Amsterdam, Taipei, Shanghai, Rio de Janeiro — and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world.
The security of Mifare Classic is terrible. This is not an exaggeration; it's kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.
The group that broke Mifare Classic is from Radboud University Nijmegen in the Netherlands. They demonstrated the attack by riding the Underground for free, and by breaking into a building. Their two papers (one is already online) will be published at two conferences this autumn.
The second paper is the one that NXP sued over. They called disclosure of the attack "irresponsible," warned that it will cause "immense damages," and claimed that it "will jeopardize the security of assets protected with systems incorporating the Mifare IC." The Dutch court would have none of it: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."
Exactly right. More generally, the notion that secrecy supports security is inherently flawed. Whenever you see an organization claiming that design secrecy is necessary for security — in ID cards, in voting machines, in airport security — it invariably means that its security is lousy and it has no choice but to hide it. Any competent cryptographer would have designed Mifare's security with an open and public design.
Secrecy is fragile. Mifare's security was based on the belief that no one would discover how it worked; that's why NXP had to muzzle the Dutch researchers. But that's just wrong. Reverse-engineering isn't hard. Other researchers had already exposed Mifare's lousy security. A Chinese company even sells a compatible chip. Is there any doubt that the bad guys already know about this, or will soon enough?
Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for. NXP's security was so bad because customers didn't know how to evaluate security: either they didn't know what questions to ask, or didn't know enough to distrust the marketing answers they were given. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.
It's unclear how this break will affect Transport for London. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card. But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale. TfL promises to turn off any cloned cards within 24 hours, but that will hurt the innocent victim who had his card cloned more than the thief.
The vulnerability is far more serious to the companies that use Mifare Classic as an access pass. It would be very interesting to know how NXP presented the system's security to them.
And while these attacks only pertain to the Mifare Classic chip, it makes me suspicious of the entire product line. NXP sells a more secure chip and has another on the way, but given the number of basic cryptography mistakes NXP made with Mifare Classic, one has to wonder whether the "more secure" versions will be sufficiently so.
This essay originally appeared in the Guardian.
Security Idiocy Story
From the Dilbert blog:
They then said that I could not fill it out -- my manager had to. I told them that my manager doesn't work in the building, nor does anyone in my management chain. This posed a problem for the crack security team. At last, they formulated a brilliant solution to the problem. They told me that if I had a grocery bag in my office I could put the laptop in it and everything would be okay. Of course, I don't have grocery bags in my office. Who would? I did have a windbreaker, however. So I went up to my office, wrapped up the laptop in my windbreaker, and went back down.
People put in charge of implementing a security policy are more concerned with following the letter of the policy than they are about improving security. So even if what they do makes no sense -- and they know it makes no sense -- they have to do it in order to follow "policy."
They're all here:
Via a Freedom of Information Act request (which involved paying $700 and waiting almost 4 years), The Memory Hole has obtained blank copies of most forms used by the National Security Agency.
Most are not very interesting, but I agree with Russ Kick:
They range from the exotic to the pedestrian, but even the most prosaic form shines some light into the workings of No Such Agency.
Laptop with Trusted Traveler Identities Stolen
Stealing databases of personal information is never good, but this doesn't make a bit of difference to airport security. I've already written about the Clear program: it's a $100-a-year program that lets you cut the security line, and nothing more. Clear members are no more trusted than anyone else.
None of this is security. Absolutely none of it.
EDITED TO ADD (8/7): The laptop has been found. Turns out it was never stolen:
The laptop was found Tuesday morning in the same company office where it supposedly had gone missing, said spokeswoman Allison Beer.
Why in the world do these people not use full-disk encryption?
Italians Use Soldiers to Prevent Crime
Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal immigrants are broadly blamed.
That reminds me of one of my favorite logical fallacies: "We must do something. This is something. Therefore, we must do it." It does seem largely to be a demonstration of "doing something" by the Berlusconi government. The legitimate police, of course, think it's a terrible idea.
“You need to be specially trained to carry out some kinds of controls,” said Nicola Tanzi, the secretary of a trade union that represents Italian police officers. “Soldiers just aren’t qualified.”
Good perspective on Gary McKinnon's extradition to the United States.
Random Killing on a Canadian Greyhound Bus
A grisly slaying on a Greyhound bus has prompted calls for tighter security on Canadian bus lines, despite the company and Canada's transport agency calling the stabbing death a tragic but isolated incident.
"Hearing about this incident really worries me," said Donna Ryder, 56, who was waiting Thursday at the bus depot in Toronto.
Of course, airplane security won't work on buses.
But -- more to the point -- this essay I wrote on overreacting to rare risks applies here:
People tend to base risk analysis more on personal story than on data, despite the old joke that "the plural of anecdote is not data." If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.
Which is why Canadians are talking about increasing security on long-haul buses, and not Americans.
EDITED TO ADD (8/4): Look at this headline: "Man beheads girlfriend on Santorini island." Do we need airport-style security measures for Greek islands, too?
EDITED TO ADD (8/5): A surprisingly refreshing editorial:
Here is our suggestion for what ought to be done to upgrade the security of bus transportation after the knife killing of Tim McLean by a fellow Greyhound bus passenger: nothing. Leave the system alone. Mr. McLean could have been murdered equally easily by a random psychopath in a movie theatre or a classroom or a wine bar or a shopping mall -- or on his front lawn, for that matter. Unless all of those venues, too, are to be included in the new post-Portage la Prairie security crackdown, singling out buses makes no sense.
There's a quote attributed to me here:
Well-known author and expert on security, Bruce Schneier, born in 1963, maintains "Terrorists can only take my life. Only my government can take my freedom."
I don't think I've ever said that. It certainly doesn't sound like something I would say. It's not in any of my books. It's not in any of the essays I've written.
So I Googled the quote. Here it is being used as a sig in December 2001, without attribution. The real source must be at least as old as that. The immediate source might be this blog. Possibly, it might come from this comment to my blog, reworded and attributed to me:
Surely the man who trades freedom for security theatre deserves both freedom and security less than the first man!
Anyone have any better theories?
Friday Squid Blogging: Jumbo Squid Photo
Pretty. It was the National Geographic Photo of the Day on June 16th.
U.S. Government Policy for Seizing Laptops at Borders
Amazing. The U.S. government has published its policy: they can take your laptop anywhere they want, for as long as they want, and share the information with anyone they want:
Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement.
It's not the policy that's amazing; it's the fact that the government has actually made it public.
Here's the actual policy.
Although honestly, the best thing is probably to keep your encrypted archives on some network drive somewhere, and download what you need after you cross the border.
Suspect in 2001 Anthrax Attacks Kills Self
Fascinating stuff, although this early story leaves me with more questions than answers.
Terrorists Using Open Wireless Networks
When Indian police investigating bomb blasts which killed 42 people traced an email claiming responsibility to a Mumbai apartment, they ordered an immediate raid.
Of course, the terrorists could have sent the e-mail from anywhere. But life is easier if the police don't raid your apartment.
EDITED TO ADD (8/1): My wireless network is still open. But, honestly, the terrorists are more likely to use the open network at the coffee shop up the street and around the corner.