Schneier on Security
A blog covering security and security technology.
« I Was on Inventing the Future |
| Another Essay about Liars and Outliers »
February 22, 2013
Friday Squid Blogging: Land Squids
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on February 22, 2013 at 4:38 PM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The FreedomBox (http://freedomboxfoundation.org/) isn't mentioned anywhere on this site so I thought I'd post a link given the demographic of users.
Basically, the ultimate goal it seems is to make personal communication distributed among personal servers and use encrypted channels for communications. By moving personal data away from centralized webmail providers, we all stand to gain.
22 Al Qaeda instructions on not getting killed by drone strikes.
Most involve some sort of hiding, but they also advocate using Russian equipment to detect or jam the drones communications.
The HTC vulnerabilities are not news. The lack enforcement of consumer protection laws and rather mild penalties are of more interest to me.
HTC Settles Privacy Case Over Flaws in Phones:
“The company didn’t design its products with security in mind,” Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer Protection, wrote in a blog post. “HTC didn’t test the software on its mobile devices for potential security vulnerabilities, didn’t follow commonly accepted secure coding practices and didn’t even respond when warned about the flaws in its devices.”
@Godel - al Qaeda's 22 tips for evading drones
Interestingly, the AP-hosted PDF of the 22 drone-evasion techniques has the original Arabic pages as well as the translation + article:
It's fascinating that this came from Mali -- this is brand-new from the current "front lines" such as they are.
The Daily WTF featured an item on some less-than-secure doors. It appears the doors are activated by RFID from the outside, but motion from the inside, meaning they can be inadvertently subverted.
Scroll down to the "Featured Comments" to find out how these doors can be opened from the outside without an RFID badge.
@ Petrea Mitchell
Nice. A local company I recently visited tried to mix usability and security. They opted for people outside to either buzz the receptionist or enter a PIN on a keypad. People on inside just had to press a button. This was very usable. The company knew who was coming and going. Visitors could let themselves out with a button press in view of the receptionist. Hopefully, intruders who knew the code would be deterred by the receptionist's presence.
Now the bad news. For aesthetic value, the door and wall was made of glass. The button that opens the door was several inches from the glass, at a glance I saw no motion sensors outside, and the glass didn't appear rigged to alarm upon being cracked. There was also several millimeters of space in the door frame and at the bottom. There was also a locked, employees-only steel door that was presumably for maintenance by the building owner. It was close to the drywall and ceiling covers of the glass. The place wasn't staffed 24/7 and there were no cameras. I'd say there were a range of possible attacks ranging in noise, skill level and possible targets.
The company also had a two floors. One was accessible to the public. One required a code in the elevator to get to. When I got there, the receptionist was gone (to employee's surprise too). Lunch, maybe. The employee that acted as my guide helpfully entered the elevator and door codes within my sight, while bragging about the access control company's good work.
So much for all of my clever attack planning in the 2nd paragraph. It's easier to just wait for a lunch break, go to the "secure" floor, enter the door code and do some "maintenance" on the property. ;)
@ Petrea Mitchel,
It appears the doors are activated by RFID from the outside, but motion from the inside...
Ha, ha, ha, I haven't even read the article and I find that very amusing.
It reminds me of the old "spoof the alarm till they turn it of trick".
All you need to do is either find an opening like a letter box or ventilator, or drill a very small hole through. Unfold and straiten out a wire coat hanger and push it in and move it till the alarm goes off. When it does pull the coat hanger out and retire to some stratigic point. Wait for sufficient time for the keyholder to turn up talk to the poliice and go home then repeat.
At some point human nature takes over and the alarm stays turned off, then bring your truck around "jimmy the door" and load up...
You'ld be surprised at just how many people fall for this even having done "Practical Security 101"...
my guide helpfully entered the..codes..
--As a matter of respect I always look away while someone's keying a code; and I find it very awkward to tell someone to look away while I key a code (implying I don't trust you). I'm assuming you wouldn't actually use the immorally gotten code?
Imagine physical security people don't want to look here. Well-planned/timed $50mil heist. Complete w/ fake police lights and confidence, showing that if someone gets desperate enough, you're screwed against teams like this. Unless investigators back track w/ satellites, in which case the team better keep moving.
"I'm assuming you wouldn't actually use the immorally gotten code?"
Immorally gotten? That's funny. There's nothing immoral about observing your surroundings or seeing what people do right in front of you. Now, the line is using the code in a way that harms (or potentially can harm) the company. That's the line I try not to cross with my knowledge. In any case, I neither remember nor have a record of it. I also told them I saw a few issues and offered to consult for them on inexpensive solutions to major security problems. I certainly didn't have to. ;)
Re Airport hit
Thanks for the link. It made for a nice read. They should have actually considered a threat like this. The reason I say so is that bank robbery has a history of blitzkreig attacks w/ weapons, inside information, anti-police tactics, stealthy entry, and clever exits. This is a very-high-value target that will be in a static position in a site with plenty of attack options. People coming at it with guns is almost an obvious possibility. Police sirens & automatics are an improvement on that. I'm honestly shocked this hasn't happened before.
Note: When determining a potential theft effort, it helps to look into what value the stolen asset has to thieves. One of my rules of thumb is that (a) if it's worth over $100,000k and (b) it's easily sold, then someone will be tempted to steal it. From there, they'll want to reduce their risk & get a certain rate of return. So, they'll always be willing to spend up to some fraction of the asset's value to steal it. So, if I'm looking at $50 million in diamonds, I'm thinking a million-plus dollar theft effort might be justifiable. Some guns, battle-hardened thugs, guns and dollies don't cost a million dollars. ;)
Of course, it's not really relevant to the case I mentioned. Each company must consider what kinds of people will target them, the value of their assets, and what measures are reasonable. The diamond traders have high value assets that are easy to hide and sell, even for street crooks. There's plenty of risk and attacker diversity for them. The company I visited mainly had computers, phones, business critical data, some intellectual property, and maybe links to partners with more valuables. Their main risks are theft of devices, espionage by competitors, hackers, and possibly insider issues. Using best practices in risk mitigation for burglarly and hacking is enough far as business justifications go. Insider threat isn't a big deal for them, so limited to user carelessness-type issues. That leaves espionage, which requires further analysis.
So, without much thought or effort, they can improve their security stance quite a bit. The threat model would mainly be opportunistic local and remote attackers. Those are most likely to cause this company harm. Targeted attacks by sophisticated people, like the airport hit, are another matter entirely. However, I don't see much reason that they'd be targetted specifically at the moment.
There's nothing immoral...
--Well what if you know a friend or colleague is about to enter a passcode, do you look right at their screen or keyboard b/c you're "being aware"? Anyway, you answered my question, thanks.
Impersonating police officers wouldn't be hard, anyone can make a flashing red & blue LED, and my dad has the type that I think are used for squad car lights now that are so bright they temporarily blind you; it's amazing how bright they can get (and how small), with only ≈3 watts. These diamond thieves obviously had some inside intel, so how did they get it is the question.
The PBS series NOVA, “Rise of the Drones,” recently aired a segment detailing the capabilities of a powerful aerial surveillance system known as ARGUS-IS.
Scary: this system includes 1.8 gigapixel resolution video cameras, allowing a drone above a medium-sized city to record every street, house, tree, car, building, empty lot, outhouse, birdhouse, and doghouse in high resolution. Also demonstrated was a system for storing and easily accessing pieces of the video, i.e. "show me this address at this time range". They system also detects movement and draws boxes around any person / vehicle, tracing threads by noting where they go.
With such high resolution, simply watching where a person travels to as they go about their day is enough to identify most people.
... many of our public spaces are now under 24/7 video surveillance—often by cameras owned and operated by the police. But even in our most pessimistic moments, I don’t think we thought that every street, empty lot, garden, and field would be subject to video monitoring anytime soon. But that is precisely what this technology could enable. We’ve speculated about self-organizing swarms of drones being used to blanket entire cities with surveillance, but this technology makes it clear that nothing that complicated is required.
$100,000 k is an awful lot.
@Petrea Mitchell, @Clive Robinson
I don't think the motion sensor on the inside sets an alarm, but instead it unlocks the door. So, if you are inside, you can walk up to the door and it will just open for you, but if you are outside you have to take action to open it (enter a keypad code, present an RFID badge, or wave at the receptionist). So, there is no need to "cry wolf" until the alarm is turned off. The wire Clive described (or my alternate idea: push the body of a balloon under the door, inflate it through the opening that hasn't yet been pushed through, and then release the inflated balloon so that it flies around the inside of the room to trigger the motion sensor).
"$100k is an aweful lot"
Yes. Many crooks will do a crime for a lot less, too.
"Well what if you know a friend or colleague is about to enter a passcode, do you look right at their screen or keyboard b/c you're "being aware"? Anyway, you answered my question, thanks."
Friends or colleagues != random companies I visit. I look away for secret entry probably 80%+ of the time. Honestly, though, it just annoys me that people expect it. This essentially means that stranger's voluntary action is required for secure operation. That makes plenty of sense, yeah? So, sometimes I don't care or I observe them for curiosity. It's very easy to put one's body between the pin pad and other person's eyes. Safe entry of the secret is their responsibility and it's easy. If they rely on me to do it, then that says something about them and not me.
I'll also note there's a parellel to checking ID for credit cards. There are people who show their ID with every credit card purchase to "be safe." The ID requirement only helps if it's almost universally required by merchants. (Let's ignore that it still has risks.) If it's a mandatory part of credit card operation, then it's a security measure. If it's voluntary for untrusted individuals, then it's security theater because the crooks won't volunteer their dishonesty. Honest individuals looking away from secret entry doesn't provide security against crooks in most scenarios. It's usually theater. Why? Do you think the crooks are going to look away? If not, then why must they to ensure security of the access control method? Is that real security?
@ Nick P,
. I'm honestly shocked this hasn't happened before
We had the Brinks-MAT robbery in the UK which was back then at some 26million GBP actualy larger than this dimond hiest ( http://en.wikipedia.org/wiki/Brink's-MAT_robbery ) It also, out of interest gave rise to "fake gold bullion" made of tungstan which is a crime that currently in the bullion trade "few dare speak" about because they don't want "to kill the golden goose". Basically tungstan fake bars keep turning up in bullion stores, and like the bank in Brinks-MAT the banks involved have bad paperwork records.
Some people connected with the bullion industry think that anything upto half the "new bullion" that has appeared due to the economic down turn may actually be tungstan fakes, due to the way the bullion system works (as an 'owner' you never get to examin the gold you buy just the bank issued gold certificate...). It might also be the reason why a country decided to pull it's very large gold reserves out of the UK and other bullion repositories...
Another UK raid (that went wrong) was for the De-Beers diamond exhibition at the Millenium dome ( http://en.wikipedia.org/wiki/Millennium_Dome_raid ). Known as the "Dome Raiders" attack (yes journalists have poor judgment) after the Tomb Raiders game, it was a ram raid style robbery with a JCB digger and nail guns with a James Bond style speedboat get away planned. Officially the total values of the diamonds that could have been stolen has not been released but just one of the stones was worth in excess of 200Million GBP at the time. And security was at best non-existant compared to the value...
The thing about high value raids especialy for cash is they are a thing that is moving into the past due in part to inflation...
Look at the Great Train Robbery of 1963 the value of the haul 2.8million at the time was immense but now look at an individuals "take" of 150,000GBP from it, in to days money, you'ld be lucky to buy a one bedroom flat for that. At the time the robbers bought a farm before hand to have a safe place to count and hide out. But when you look into the raid you will see that they had to move over 120 heavy mail sacks into a truck to do it, and actually left some behind.
And that's the problem whilst the same amount of money is moved around, inflation has reduced it's value immensely but not it's weight, you just cann't shift the stuff quickly enough to make it realy worth while.
Whilst there are one or two silly people who attempt "stick up raids" for cash on Bank Delivery vehicles in the UK there is no real money in it. Assuming you could carry it all which is doubtful for a number of reasons you'ld be lucky to clear the UK minimum wage for a year as your share of the takings and would be looking at 5-25 in jail in the very likely case that you would be caught.
However some commodities such as diamonds, platinum and gold have kept their value for weight and these are what are now beeing targeted but they are no where close to being as commonly moved as money, hence the fall in the number of "armoured car raids".
Now the usuall thing about protecting these commodities from theft is to make them "to heavy to carry" and thus to slow to move in respect of police response times.
Thus any criminal with half a brain is going to plan around when the commodities are not loaded down by 10 tones or more of reinforced hardend steel. Likewise the security and insurance firms are going to either remove or minimise the possability.
The usual way to remove the possability is to transfer the goods in a secure area where in effect you take your safes inside another safe and make the transfer. The way to minimise is to reduce the time the goods are outside of a safe and this usually hasss side effects...
The problem with aircraft is they are light weight by design and can as has been shown on television several times be ripped open in seconds by modern cutting tools. As they have no weight their only security value is they are difficult to get at when in the air, so the insurance company transfers the high value goods literaly just before take off and this is actualy the major problem.
What these raiders knew as Bruce and most of the readers of this blog know, airport security is at best a bit of a joke (But don't tell the TSA they are known not to have a sense of humour ;)
The perimeter of your average airport is measured in miles not yards so fencing is more for show than security. Guards are likewise expensive so spread very thin on the ground (anb likely as not on close to minimum wages). Even the provision of secure loading facilities is not good for a whole host of reasons which brings us again to the major problem...
Which is that the aircraft is "mixed load", it's not dedicated to just carrying the high value load or just freight it frequently has passengers...
And the reason it's a problem is it's no big secret to find these planes that are carrying these high value loads because of the knock on effects of the security precautions (catch 22).
Basicaly the passengers are put on board first and at the last moment the high value load is put on as this takes time the passengers see a delay in their departure from the gate and the pilot will make some excuse over the intercom to cover this vehical suddenly appearing and another lugage container etc being put on. Likewise when the plane lands it often does not go direct to the gate but waits to be met and the high value load to be removed, again the pilot will put out some excuse over the air.
Now there is a problem with this first off a halfway suspicious passenger who flies regularly will realise something odd is going on. But due to the problem of fixed flight time slots it is known quite a long time in advance for regular high value loads as the checkin and gate closing time has to be adjusted accordingly so these things are obvious to those with eyes to see. ie not just passengers but terminal cleaning staff, duty free shop staff, airline staff, ground maintanence etc etc. Potentialy even those who might analyse flight data for various reasons.
Now once you know what you are looking at the next step backwards is to connect the regular high value load flight to what the high value load is. This is the part where you might need some inside knowledge but in general a smart person could work it out without having to be an insider.
However in general the criminals work the other way, that is they know high value cargo is moved from point A to point B they have to work out how. A little observation on their behalf would tell them how often and when. A little further thought and surveillance will give them the information required to know it's by aircraft and a look at the regular flight details will give them the rest.
They can then sit at the airport for a few weeks and observe which flights have early gate closing times and at the other end which flights have delayed arivales at the gate.
They might even take one or two of the flights to confirm it...
At one time the insurance companies used to use the "flag carrier" of the destination airport where ever possible because the flag carrier is usually given prefrence in many ways at their home airport not just in ground facilities but landing slots gates and other airport facilities (it's worth knowing this as a passenger as it usually means your flight will get prefrence at landing even in bad weather so your flight delays will be minimised).
Nowing this would also make a criminals task easier as it provides other information about where in the airport the loading and unloading of high value goods will be done.
Now assuming that the insurance companies know this and that in all probability for this theft it has been exploited they will in all probability make some changes to what they do (if they can).
But have a think about what can they change...
Now another thought as I saiid an aircraft is fragile and this attack happened at the take off end. How long before we see one at the landing end where in all likelyhood the aircraft etc is in a more open and vulnerable place...
@ Clive Robinson
Good examples. There was one that I take issue with.
"Look at the Great Train Robbery of 1963 the value of the haul 2.8million at the time was immense but now look at an individuals "take" of 150,000GBP from it, in to days money, you'ld be lucky to buy a one bedroom flat for that."
The value of the take depends on the people involved and where you live. In my area, you can get a nice house, a well (no water bills) and a nice vehicle for that amount of money. Alternatively, you can finance a long-term small business (or buy one). There are long time drug dealers out here that make about $50k/yr with relatively low risk. They'd kill for 150,000GBP. Literally.
"At the time the robbers bought a farm before hand to have a safe place to count and hide out. But when you look into the raid you will see that they had to move over 120 heavy mail sacks into a truck to do it, and actually left some behind.
And that's the problem whilst the same amount of money is moved around, inflation has reduced it's value immensely but not it's weight, you just cann't shift the stuff quickly enough to make it realy worth while."
That's an interesting point. The weight of the money or assets to be moved can be an issue. We had a crook in the US nicknamed Bad Luck Brown. One night he decided to steal a bunch of batteries from an automotive store. Moving the batteries involved climbing through a window. He was out of shape and (i think) drunk. He underestimated how much time and energy it takes to move a bunch of heavy batteries. Many hours later, he had them loaded and was ready to go. His car won't start: dead battery. He's so mentally exhausted from moving the loot (and still drunk) that he starts yelling about the situation. He's arrested. Had he realized how much trouble the weight issue would be, he might have made different plans. (Of course, knowing him, he probably would act just as stupid.)
"And that's the problem whilst the same amount of money is moved around, inflation has reduced it's value immensely but not it's weight, you just cann't shift the stuff quickly enough to make it realy worth while."
Well, maybe you don't move it: you convert it into something easy to move. There's boundless possibilities. One major wirefraud went like this: (1) con bank into moving $10 mil into a Swiss account; (2) turn it into $8mil worth of diamonds via Russian agency; (3) hide diamonds in belt on way back. So, converting into something like diamonds is a possibility. Also, if a dirty financial organization is available, you could pull something similar giving them the raw cash and taking something of equal/lesser value from them. This might be a bank account w/ debit card, a certificate of deposit, etc. These are very easy to move and can even be digitized to a degree to make movement almost free until the final move of the hard asset.
"The problem with aircraft is they are light weight by design and can as has been shown on television several times be ripped open in seconds by modern cutting tools. As they have no weight their only security value is they are difficult to get at when in the air, so the insurance company transfers the high value goods literaly just before take off and this is actualy the major problem."
I can imagine even easier ways of getting in them or preventing takeoff. However, I think for my own legal safety I'm not posting them.
"Now another thought as I saiid an aircraft is fragile and this attack happened at the take off end. How long before we see one at the landing end where in all likelihood the aircraft etc is in a more open and vulnerable place..."
Good security analysis of airport-related movement of high value cargo. The last point is nice too. An attack on someone who is landing has the extra advantage that the staff might be fatigued or have their guard down a bit.
@ Nick P,
I can imagine even easier ways of getting in them or preventing takeoff. However, I think for my own legal safety I'm not posting them.
Yup they are not that difficult, for a mind that can think sideways };)
But seriously aircraft whilst designed to be good at what they do are not designed to be flying castles etc. Importantly they are designed to be in the air 18x350 hours a year so ease of access for maintanence is a very high priority in the design, and where there is ease of access then there are routes for ingress to systems etc.
Well, maybe you don't move it: you convert it into something easy to move.
Yup we used to call that sort of thing "White Collar crime" and you would have thought it was the way of the future, and "Blue Collar Crime" would go down.
And that's the interseting thing Blue Collar whilst nolonger turning over Armored Cars and other cash grab crimes have (in the UK) "diversified into commodities" where you would have thought "Nagh there's no money to be made here", such as stealing manhole covers and pulling up telephone cables, power lines and other service pipes (we mainly have utilities under the road in urban UK).
One reason is the price of copper and other scrap metals and the ease by which it's turned into cash.
I guess blue collar crime is going to stay with us as long as there is what is seen as either easy or low risk pickings to be made.
But you have to wonder at the mentality behind it. Not being funny 50K USD in your pocket each year is not bad money I could live quite comfortably on it in London which is supposadly the worlds fourth most expensive city to live in. If some one who is getting that in a fairly low risk way thinks it's worth killing for what is currently 4.5years (US-UK~0.6618 currently) of their low risk income knowing their is a fairly high chance they will get caught and get a genuine life or death sentence, you have to wonder what their mentality is...
As for Mr Brown, well what can I say I guess every nation has one or two of them, they are the criminal equivalent of Darwin Award winners...
@ Nick P,
This is hilarious because the Microsoft guy was so arrogant in the past.
I like it. Can't be too arrogant in this business. Besides, ever notice that "arrogance" and "ignorance" seem close?
@ Nick P,
With respect to the M$ guy yeah, it's not fun when as you say in the US you get to "Eat your own dog..." 
Over in the UK we used to have an expression about eating "Humble Pie" not that I ever expect anyone senior in a Dog eat Dog Corporate to be humble.
One thing I did notice though was,
Bejtlich replied, "Our best guys are better than APT1 for sure. But our best guys are probably the same as their best guys, who are the same as the Russian's or the Israeli's best guys."
Is this an accidental slip of what Bejtlich thinks is the next business model after "Selling Zero Days to Gov Cyber-weapons"?
i.e. with saying 'our best guys are probably the same as their best guys' does he think that they are? a hacking collective who will go "Contracting Out for Government Hacking" 
Even if not it's an interesting business idea };)
Mind you I'm actually glad to see in this report Russia and Israel get mentioned as APT countries not just the usual "China APT" rhetoric.
 I'll leave it to others to select which GI/GO ;) Mind you he probably earns enough to drink the "Civit Cat Expresso" so is used to the taste of GO being dark and earthy with that little animal je ne sais quo.
 Actualy if you read enough of the Stuxnet reports you see some people believe that's what many actually may have happened with the US/Israel, they shared "bought in tallent".
You mentioned the 1.8Giga pixel camera of the BAE Systems package, well it appears you are not the only person to notice,
It appears it does have some limitations in that the sensor is a "synthetic" made from under 400 5mega pixel sensors and to get the coverage it needs to be at 17,500ft (~3miles) up which means that clouds and atmospheric disturbance will be an issue. A quick calc  gives about a 5inch by 4inch square per pixel which is actually not enough to count heads in a crowd.
Now the question is then platform stability and image stabilization are there algorithms that will pull out more detail realtime or with post processing on the stored data...
 Assume each 5mega pixel sensor is 2000x2500 pixels and a 20x20 array giving 40,000x50,000 pixel array take 17500ft/40000 = 5.25inch and 50000 gives 4.2inch for a total of 22 squ inches which is about the size of the top of an average adults head.
It appears that the action taken against Aaron was not because he had broken any laws but a political action from the very top of the hill to maintain the status quoe for those holders of IP rights in effect stolen by force majeure because of the way over time they have manipulated the market to make such theft de facto.
Of course it should be said that these IP rights holders only maintain their grip through what most would regard as bribes to elected representatives to vote in ways that are not in the voters interests. Such is the greatest success of "representational democracy" it is neither democratic or representational of the electors or their interests.
I guess the only question is how many more are to be sacrificed on the alter of coruption that is the Federal system under various likewise tainted administrations.
THanks I am very glad to find this website.
For Bruce and others a question / recomendation.
Have you read,
Dr Robert Altemeyer of Canada's Manitoba University book,
If so what did you think of it?
If not you can download the PDF with the authors blessings (and reasoning given in the books intro) from,
I'm about half way through and find it written in an enjoyable and easy to read way (and yes that applies to the extensive chapter foot notes as well).
I also find the case the author is trying to make to be well presented (so far).
@ Clive Robinson,
Dr Robert Altemeyer of Canada's Manitoba University book...
Just downloaded it. I like his style, seems to be a good book to read...
@ Clive Robinson -- Off Off topic:
A while back I said:
PS: I dont know how to inject that I think light is not the fastest thing without getting a warning from the moderator. If only I can relate that to security :(
To which you responded:
Fianaly a parting thought William Shakespear wrote a lot of sonets etc which can be used as transportation for mems, one of which is "But soft what light through yonder window breaks..."
http://www.enotes.com/shakespeare-quotes/...Such use as mems was used in clasified adds during Victorian times along with simple codes and ciphers for Victorian Romeos and their Juliets to communicate supposadly secretly. Charles Babbage and friends used to break such codes etc and place faux replies such that the participants new they had been uncovered but without knowing by whom.
To which I responded:
“What doth gravity out of his bed at midnight? -King Henry IV. Part I. Act ii.
I am not sure whether you didn't get my message, or if you got it, but I did not understand your reply!!! Seems this method of "communicating secretly" was not very effective during Victorian times ;)
If I remember correctly it was at a time shortly after I had explained something a little to graphicaly to you (about the mores of a young woman in an office) that had caused a yellow card. So I chose "to fight another day" which is what Falstaff chose to do.
The quote you gave is an incompleate statment from Prince Henry's servant Falstaff. The first part which you gave refers to a Nobleman sent from Henry's fathers court on businesss with significant gravitas. The second part of the quote is,
"Shall I give him your answer?"
Which Henry had allready given which was to "pay him off, to go away and return to the queen".
Falstaff then leaves the stage and Prince Henry then immediatly questions others to find that Falstaff has been deceitful to him about mortal combat and forced others to be likewise, which starts another plot line in the story.
So as people find out with Shakespear not all is as it seems and there are many meanings hidden in almost every line, which is why he was often used as a homophonic mem. And with such context is key, which is possably why it was used by lovers and such who had previous "out of channel" contact and thus knew the context and thus thought of it as being secure (original "security through obscurity). However as Babbage and friends proved often it was not secure by inserting false messages.
 Shakespear was known to have named his charecters with crude humour some more obvious such as "Bottom" in Mid Summer Nights Dream partly because he made an ass of himself. Similar with Falstaff which was more clever in that it had homophonic meanings possibly for a higher class audience , one that he was unwisely deceitful to his master as "False Staff" or "fool staff", and another due to the fact that "Falstaff" is pronounced in the same way as "Full-Staff" implying with innuendo that he was a "stout stick" or in more modern parlance making a "dick" of himself.
 Historical evidence gives rise to a generally belief in some circles that Shakespeare originally named the character not Falstaff but "John Oldcastle" (a real person from history). And that Lord Cobham (Henry Brooke ) then Lord Chancellor and butt of much Elizabethan satirical humour, who was a descendant of the historical John Oldcastle treated it as a personal slight and complained, forcing Shakespeare to change the name. There would have been little real sympathy for Lord Cobham thus the reason for the homophonic name with so many meanings was a way for Shakespeare to "thumb the nose" at him, especialy by that time it would have been "court gossip". Shakespeare further rubbed salt in the wound with a line in the play where Prince Henry refers to Falstaff as "my old lad of the castle".
 In some respects history had the last laugh on Henry Brooke after Elizabeth's death he and his "Popeish" friends and family betrayed each other over their various treasonous plots and were either executed or imprisoned in the tower and died ignoble deaths, striped of their lands, titles, honours wealth and any good name that they might have had.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.