Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Recent Comments

May 10, 2008 04:43 PM

Why?


May 10, 2008 03:22 PM

I enjoyed the talk, and it's good to see how these ideas are evolving from _Beyond_Fear_. Three comments:

a) Metrics are often agenda-oriented, and the selection of metrics is a very common example of preferring data that matches one's model to data that matches reality. The TSA measures the number of items intercepted, and interprets more=good. Given that they are virtually all Type I errors, the measure is really the number of mistakes they make per day, more=bad. Their agenda favors "liquid bottles eliminated" as a metric rather than "dangerous liquid bottles eliminated" as a result.

b) Singular events are less data than common events, and they have a standard deviation of zero, so they seem easier to understand. Moreover, even analysts with good data slant it to their agenda. If your doctor wants to lower your cholesterol he says "Folks with high cholesterol are 3.5 times more likely to have a heart attack than those with normal cholesterol" rather than "Folks with high cholesterol have a 0.7% chance per year of having a heart attack, and that is 0.5% more than those with normal cholesterol." I just can't get behind almost all metrics that I see published; the facts just aren't there.

c) Do you think computer security can have a good degree of overlap? To get the model close to reality, you suggest users need more information. Yet everyone in the industry, from the vulnerability causers to the anti-vulnerability product salesmen, wants to spread disinformation. It is not the case that over enough time we get it right. Darwin's theory of evolution was new in 1900, a big dispute in 1925, in all the science textbooks of 1960, and the topic of increasing debate today. If 120 years isn't long enough for a model with lots of validation data, things can look bleak. Medical models only have to be adopted by the small number of folks with a license to practice medicine. Computer models might need to be understood by everybody with a computer. That's a much larger, and much less informed, population.


May 10, 2008 01:03 PM

Re: The curtain
"... a placebo product designed to keep the burglars at bay, without making you feel imprisoned in your own home."

As if the government needs any assistance in making them feel like prisoners.


May 10, 2008 11:34 AM

See the related "Snuggly the Security Bear": http://www.motherjones.com/commentary/fiore/2006/05/snuggly.html


May 10, 2008 10:13 AM

Bruce Schneier's conclusions are correct, even though some of the arguments may need corrections/refinements. In 2003, I chaired SPIE's Fluctuations and Noise Symposium and arranged a public debate entitled "Dreams versus Reality: Plenary Debate Session on Quantum Computing". That was in June. In September, DARPA, the largest defense sponsor of quantum computing shut down the whole program. The debate can be read here:

http://arxiv.org/pdf/quant-ph/0310130

Quantum computers need the whole logic circuitry located within the quantum coherence volume. That poses the greatest technical problem in building it. But the problem with running a quantum computer is similarly serious: heat. According to optimistic calculations, a general purpose quantum computer would dissipate at least 1000 times more heat than a classical computer with the same performance.

Speed, error rate and heat form a triangle of interrelated aspects. This is the fundamental killer of Moore's law, too. Here is some more info from back around 2003:

http://www.ece.tamu.edu/%7Enoise/research_files/research_dissip.htm

Last Thursday, we had a seminar by a leading researcher at IBM and the seminar was focused on the very final stage of Moore's law, where we presently are. He said all the resources are running out to continue Moore's law with reasonable error rate, energy dissipation and costs.

Laszlo Kish


May 10, 2008 05:52 AM

@ Mike,

It is not just,

"The missing piece of information is crime rates..."

The real question is "proportionality".

For instance, if I put a machine gun nest in your town square and man it 24x7 with persons who will shoot anything and everything that moves, then you would expect "street crime" in the fire zone to be close to zero from that point onwards.

But what of the cost of doing it, not just the direct cost for the nest and its manpower? What about the indirect cost of loss of utility of your town square and the increase in traffic and inconvenience in adjacent areas?

Are the two costs proportionate with the reduction in street crime in the fire zone?

Further, do people seriously believe that the criminals will become law abiding citizens, or that they will just migrate their illegal activities to some place where there is not a machine gun nest?

The few "long term independent follow up" studies carried out on public place CCTV installations that I have seen have all shown that,

1) Initially "planned" crime (pick pocket / mugging) drops in the area, unplanned (drunken behaviour etc) tends to remain the same.

2) That planned crime rises in adjacent areas in proportion to the drop.

3) After a relatively short period the planned crime rate starts to rise again in the CCTV covered area, unless rapid response techniques are deployed.

4) Unless the CCTV covered area is of very high value, the operation costs soon outweigh the benefits.

5) Comparison with other measures such as closing "bolt holes", better street lighting and regular police foot patrols shows that CCTV is less effective in both costs and long-term results.

Which brings me onto the real problem with the CCTV studies,

@ Heads in The Sand,

"Is there such a dearth in studies"

Short term no, long term yes, and the short term studies tend to be sponsored by those with vested interests, the long term not.

This is a very real problem, as well as,

Short term studies tend to only study the effects in the covered area almost immediately after the systems are installed and operational and there is a willingness by the local police force to rapid respond to the area. They also tend to highlight the "successes" (planned crime) not the others.

The very few independent long term studies tend to cover not just the CCTV covered area but quite a widespread uncovered area around it. Further, these studies carry on long after the initial "good will" by authorities has worn off and the pressures of rising crime in adjacent areas refocus the police efforts away from the CCTV covered area.

What we need is more independent long-term wide area studies; unfortunately these tend to be expensive to conduct and there are very, very few sources of funding available for them.

As has been observed,

"Lying with statistics is only moderately more difficult than lying without them",

"There are lies, damn lies and statistics",

"The truth is rarely palatable"

And

"Quick fixes invariably fail with time".


May 10, 2008 05:46 AM

I seem to recall barbed wire in South Africa being made to resemble ivy or some such plant, so I wouldn't be too surprised if this was genuine. There might at least be a market for this kind of thing, though maybe a bit less campy...


May 10, 2008 05:12 AM

That page is temporarily unavailable, meanwhile, wired.com has a great article on colossal squid:

http://www.wired.com/science/discoveries/multimedia/2008/05/gallery_squid_autopsy


May 10, 2008 03:05 AM

Security cameras are similar to gun control: both have negligible success targeting criminals. But, just try to get useless laws repealed or stop the spending on ineffective camera systems, and the bureaucracy reacts with more. It takes a truly intelligent government to admit a mistake and try something that works.


May 10, 2008 02:01 AM

@ Vicki

"If the chain is selling, I suspect it's for kinky sex"

How do you define "kinky sex"?

And please don't say "you know it when you see it" 8)

What's the words to the old Ray Charles song, "Take these chains from my heart and set me free..."


May 10, 2008 01:25 AM

@ Anon...,

"Have you ever been to Seattle"

Washington State is probably the only part of the US I would consider "flying into" these days.

In my now (post 9/11) very limited experience, most other US airports appear to have a plague of sub "cave dwelling" primates running the "shop front", putting not just the normal staff but passengers as well at some considerable discomfort, apparently just for their own amusement.

More worrying are various press reports that suggest that these sub "cave dwelling" primates actually get given more than twice the amount some of the bods flying the planes in and out of the airports earn!

Go figure that one...


May 10, 2008 12:31 AM

Toothpaste test strips - I think it is unlikely to ever be a reliable device, and it sounds good enough to buy.


May 10, 2008 12:09 AM

Ironically enough, having FDE on your laptop is probably a good way to get it confiscated by US Customs when you're trying to come into the country.

cjs@cynic.net


May 9, 2008 11:57 PM

I think it's about time that modern art met modern "security." Two things that take themselves too seriously, most of the time. Unfortunately, "security" more so....

cjs@cynic.net


May 9, 2008 11:15 PM

Weedless and linkless versions available.


May 9, 2008 08:38 PM

@Joe Deegan

Have you ever been to Seattle? Have you ever been on one of those ferries? The car-carrying capacity really is amazing, especially if you've never seen anything like it before.

And frankly, Seattle and the Puget Sound area is one of the few places in the US where such large ferries are common.


May 9, 2008 08:19 PM

airlines myanmar Yangon Yangon bankok myanmar


May 9, 2008 06:03 PM

when is the pantomime version being released?

i would make the trip to london for that, especially if you get patrick stewart to play a part.


May 9, 2008 05:59 PM

hey, this is a fun friday game.

here's the missing detail:

_DARGS=/cabelas/en/common/catalog/item-link.jsp_A&_DAV=SEARCH_RESULTS_NYR&id=0012212113670a&navCount=10&podId=0012212&parentId=&masterpathid=&navAction=push&catalogCode=IJ&rid=&parentType=&indexId=cat600178&hasJS=true

if you add that, then the link would work.

alternatively, just click on this:

http://www.cabelas.com/cabelas/en/templates/product/standard-item.jsp?_DARGS=/cabelas/en/common/catalog/item-link.jsp_A&_DAV=SEARCH_RESULTS_NYR&id=0012212113670a&navCount=10&podId=0012212&parentId=&masterpathid=&navAction=push&catalogCode=IJ&rid=&parentType=&indexId=cat600178&hasJS=true

and then click on the original post link, and you should see the squid kit magically appear but ymmv.

smells like IBM to me.


May 9, 2008 05:50 PM

oooh, bad retail experience.

standard-item.jsp needs more input.

perhaps this is link you wanted?

http://www.cabelas.com/cabelas/en/common/search/search-results1.jsp?QueryText=squid


May 9, 2008 05:47 PM

Kenny your "hack attempt detection" has turned a mere XSS attack into a very obvious invitation for an SQL injection attack: Database error: Invalid SQL: INSERT INTO hackattempt SET remote_ip ='xxx.xxx.xxx.xxx', fulluri = '/join/?UFirstName=Click%20me...


May 9, 2008 05:45 PM

For a brief second i read it as squid 'phishing' lures...
"hmm a website with cut/paste phishing letters... interesting"


May 9, 2008 05:43 PM

I think Banksy did it better...


May 9, 2008 05:05 PM

If the chain is selling, I suspect it's for kinky sex, not for "keep this building/location secure."


May 9, 2008 05:04 PM

It's a very interesting post, thank you.


May 9, 2008 05:00 PM

@Anonymous

You're right. I think I should have been more precise in my wording.

It would appear that reality needs a PR firm...


May 9, 2008 04:21 PM

This is perfectly possible - I've tried followus.co.uk myself (for tracking my 11-year-old daughter, should she ever go missing on the way back from school).

It's done by measuring the time from the handset to the towers, with obviously one tower giving a ring of locations, two towers giving two intersecting points, and three or more should be enough to identify the point to within _up_to_ 100m. The best I got, in the rather rural area I live in, was around 2 miles away :-( but at least it did show the handset wasn't far, and it would have shown if it was 300 miles away, so 2 miles isn't so bad I guess.

Detecting the location of people, without their knowledge, is an EU privacy violation, so all these sites *must* have controls to prevent this, like sending initial and periodic confirmation text messages.

Fundamentally, the access to the data is sold by the phone companies, so if they violate the rights of the handset holder, the tracker company, the phone company, and the person illegally tracking someone may all be culpable. The regulator, OFCOM, has already got these companies to tighten up on handset-holder authorisation, and it is very likely that abuse of these services will be looked upon as poor governance by the phone company, who it can fine, and ultimately revoke their license.

Technically, it looks like Vodaphone have the best location capability, e.g. they retain location data when/where a handset is turned off, so even if the phone is turned off, out of signal or destroyed, at least you know when & where it was at that point. (Other phone companies may have caught up now, technology being, well, 'technology')

@sparky - IMSIs aren't usually used with basestations in Europe; temporary IMSIs (TIMSIs) are automatically generated and used after the initial power-up handshake. Part of this is to make it difficult to join phone data with a phone number through sniffing - you would need to sniff the initial IMSI/TIMSI handshake, and continuously monitor for TIMSI changes.


May 9, 2008 04:20 PM

Will check back later...

"The page you requested is currently unavailable.

"This page is being updated right now. It will become available again when the update is complete."


May 9, 2008 04:20 PM

@John

> We now know this (right?), but
> continue to ... buy into the "perception"
> of imminent danger.

I think the "we" who knows and the "we" who buys are different groups altogether.


May 9, 2008 04:17 PM

The point is... If the Air Marshals can't get off the list, who can?

I know one who is on the list and travels by his middle name now to avoid getting hassled.

Couldn't a terrorist do the same?


May 9, 2008 04:13 PM

@Bob

>someone pressed replay.

You're onto the secret. Bruce has built robotic replicas of himself for mundane tasks, like to give lectures and post to blogs, so he's free to play "find the prime number" with his little ones.


May 9, 2008 04:09 PM

Sorry, the last bit I wanted to say didn't make it when I pasted in the text. Here it is:

What I am trying to say as it relates to the current discussion on security is:

1) We were sold on the idea of giving up certain things in the interest of security in days following 9/11 and then subjected to a long period of having our perception of reality manipulated to maintain the perception of imminent threat.

2) We now know this (right?), but continue to, by and large, buy into the "perception" of imminent danger.

Even as this has been shown to be based only in fantasy as compared to the true reality of our individual security and the threat models and modes as they exist in the real world.

Are the powers that be that good? Have they really made the population willing co-conspirators in this manipulation of reality? What does this mean as we as a nation move to unwind the policies of the current authorities moving forward?


May 9, 2008 04:02 PM

Funny, Bruce uses exactly the same sentences and expressions he did in his talk a while ago in Australia ... as if someone pressed replay.


May 9, 2008 03:50 PM

I would like to comment about your talk on security. But I don't feel secure enough to do so (who said paranoia was a bad thing?).


May 9, 2008 03:41 PM

I generally enjoyed watching your lecture. I would however like to comment on an unannounced change in approach made during the talk and also my thought that something was missing.

So first the change:

You first presented your framework of threat reality, feeling, and model as one of the threat, the limbic (or mid brain) response to that threat, and the attenuation of that response in the prefrontal cortex. All good. Then you switched to the concept of feeling being one of an old, "comfortable" model (my words, not yours) being equated with feeling and a "new" model being associated with intellectual attenuation. I don't disagree with the differing approaches but think you should have announced your change in "the diagram".

Now my thought on something being missing:

You didn't talk in any substantive way about the immediacy of a threat; be it a real threat or one cobbled up by an external actor attempting to elicit a predetermined response. The research in both cognitive (or evolutionary, for that matter) psychology and neural science has shown that the more immediate the perception of a threat, the less able we (humans) are to attenuate our threat response. Simple and I think obvious. This fact has been used by all sorts of folks in applications ranging from marketing to the extraction of information from an adversary.

The threat of a bus bearing down on me as I enter a cross walk and my response to that threat is not easily manipulated by messing with my intellectual "model" of reality.

On the other hand the threat of dying from cancer is much less immediate and my response to that threat can be manipulated in subtle ways over a long period of time.

Example:

If I want you to tell me something I can hook up the wires and batteries and you will blurt out the truth with little or no attenuation.

Alternatively I can over a period of time manipulate your sense of right and wrong and/or manipulate your value system to make you want to tell me what I need to know (or buy my product). The first is fast and works a lot of the time but your enemy (or skeptic) remains an enemy. The second way is slow but I can almost always get what I need and in the end I have a true believer in my version of reality.

It could be viewed like this: in the first case I sold you on the need to not feel the pain. In the second case I used targeted marketing to manipulate your perception of reality.


May 9, 2008 03:27 PM

I'm calling satire on this. Reluctantly so, though - I wish it were real. :)


May 9, 2008 03:16 PM

Come on, all you ppl who think this is a 'security'-matter (i.e. spreading a wide web to catch random CP or to create a 'terrorist connection tree'):
It is of course nothing of the sort. If they do find something criminal it's a bonus, but the real purpose is just to 'up' the level of insecurity in the population and to normalize the act of being stopped and checked for [your favourite delinquency]... warm-up for a full on police state. (yeah, I know: you think you're already in a police state... just you wait. Just you wait...)


May 9, 2008 02:32 PM

"in fact, one very large company routinely listens in on its employees' company issued phones - without their knowledge "

These laws vary from state to state in the US, but I believe that every state requires that either the caller or the callee must be informed that a call is being monitored/recorded. So either the employees signed something saying they understand that the company will do this, or when they call someone that someone would get a message ("to improve the quality of service, this call may be monitored or recorded") which the employee would get asked about in short order.

I don't think there's a legal way for a company to listen in on a company-issued cellphone without the employee knowing.


May 9, 2008 02:31 PM

Hello people,

I just found this blog and wanth to share it with you:
http://iron-man-info.blogspot.com

here you can find: Trailers, Wallpapers, Images of Iron man, and watch movie online for free.

Enjoy!
Cheers

Jane.


May 9, 2008 02:27 PM

@Russell Coker

"US government is both increasing computer security for everyone AND saving the US taxpayer money!"

Well, no. The fact that the US Government spends less money, by using Red Hat Linux, in this particular area on this particular project does not "save" the US taxpayer any money.

Any appropriated wealth "saved", will be spent by Government officials in some other way. It's not as if the saved wealth is returned to the taxpayers, nor is it the case that the taxpayers' "bill" next year will be reduced because of this year's "savings".

The best that can be said of using Red Hat in this case is that the Government spent less money on the project than it otherwise would have. The taxpayer will see no net benefit; his cost remains the same. And he still has no choice of whether to pay. Taxes are not voluntary.


May 9, 2008 02:21 PM

This is the message I just got visiting passwordsafe.com:

An appropriate representation of the requested resource / could not be found on this server.

I guess their webserver needs checking out too.




May 9, 2008 02:08 PM

@Clive Robinson: "Thirdly if the security bods jump on one set of people (photographers) they have to accept that their response is going to be effectively recorded and will hopefully moderate their behaviour appropriately."

That probably explains why security officials have branded photographers a high-priority enemy in the War On Terror. A photographer can (intentionally or otherwise) document the stupidity and ineffectiveness of so-called "security measures" and thereby cause public embarrassment to those officials. Photographers thus represent a threat even greater than that of terrorists, and thus need to be banned, arrested, and otherwise hassled. And besides, there are a lot more photographers than terrorists, so focusing on that threat gives "security" officials useful practice as well as a quota of Numbers that can prove effectiveness during the long wait between opportunities for actual terrorists to stumble into their dragnets. If we're going to protect the public by simultaneously fighting Wars on Terror, Drugs, and Child Pornography, adding a War On Photographers adds little cost with great benefit (for the "security" officials).


May 9, 2008 02:07 PM

If you are going to have a CCTV, why not tart it up with ears? If the alarm company insists on mounting their ugly looking box where the public can see it, why not decorate it nicely?

The curtains that "look like" a security shutter stand out as different; I would have expected instead that they start with a security shutter, then make it look pleasing, rather than "faking" it.


May 9, 2008 02:06 PM

I presume they are already on the no-flight list now.


May 9, 2008 01:59 PM

Hahaha nice!
http://www.deardad.net/sds-material/P4171057_CCTV-Kl.jpg


May 9, 2008 01:45 PM

I thought it looked like somebody's avant-garde art project, and some poking around, especially under "Press" and "Shop", seems to confirm it.


May 9, 2008 01:42 PM

Oops, wrong URL. Should have been http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html#c261980 Sorry 'bout that.


May 9, 2008 01:40 PM

Bruce,

That being said (my previous post), I still want to thank you for the fun and I look forward to the next contest! :-)

Thanks,
Bono


May 9, 2008 01:37 PM

I was a little disappointed in the finalists. They were all from early April, leaving me wondering if you made up your mind at the beginning of the list and didn't give the rest a chance...

Also, 2 of the 5 finalists break the 150 word count rule.

And I was hoping there would be more of a nod to the outrageous and creative entries.

I would vote for the "Alertness Alert", but it breaks the rules. Oh well. I guess that's okay in your book, so cast my vote for the "Alertness Alert" - mucho paranoia!


May 9, 2008 01:32 PM

I would like to install a door lock on my house that my daughter can use. The problem is that she is with my ex-wife much of the time and my (mentally challenged) daughter is incapable of keeping secrets from her mother ...who is a borderline-personality-disordered woman and would undoubtedly "borrow" or copy any key I give my daughter (to steal, snoop).
I've considered biometric locks, video surveillance. I do not want to spend thousands, but I will spend hundreds. Any suggestions would be greatly appreciated. Thanks.


May 9, 2008 01:30 PM

I want the chain.... dont ask. :P


May 9, 2008 01:18 PM

They forgot pitbulls and hand grenades.

Check this beauty out - http://www.autoblog.com/2008/05/09/revolving-license-plates-help-chinese-speeders


May 9, 2008 12:59 PM

This can't possibly not be a joke. Butterfly razor wire? Floppy dog ears for CCTVs? No way.


May 9, 2008 12:57 PM

I'm waiting for their latest product - cartoon character suits (a-la Mickey Mouse @ Disneyland and similar) with Level IIIa and pockets for ceramic Level IV plates, with optional MOLLE-attached MP5/M16/M4 magazines. After all, Disneyland is a terror target.

Actually, I think that is just the "I can make a Martini with it"-level dry British humor that we're missing. Or I could be wrong.


May 9, 2008 12:50 PM

That bobby guy reminds me of William H. Macy for some reason...


May 9, 2008 12:46 PM

sharp glass as warm fuzzy images be kewl. Same with the BBQ wire fencing.


May 9, 2008 12:41 PM

"The Sweet Dreams Security™ razor wire is our most vicious but cute product to date."

Great laughs!


May 9, 2008 12:14 PM

Comic genius.


May 9, 2008 11:27 AM

If choices are limited to these five, it has to be the 'Alertness alert'. The wonderful paradox in the pay-off line: "You can rest easy... because no one else is!" reminds me of the impossible drawings of the famous Dutch graphic artist M.C. Escher.

If this competition had been about the most humorous posting I certainly would have voted for the squid shield by Bernie Zenis (http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html#c261190).


May 9, 2008 10:49 AM

Three blog posts about this (from 2006):

http://www.badscience.net/index.php?s=track+girlfriend

from a respected pro-science blogger.


May 9, 2008 10:34 AM

RE: Cell phone eavesdropping -

This has been done for years...in fact, one very large company routinely listens in on its employees' company issued phones - without their knowledge (you can't even tell you've been connected).

Solution? Turn the damn thing off when not in use.


May 9, 2008 10:10 AM

@Sparky: "I would think this is only borderline-legal"

And your point is?

My answer is the "John Ashcroft solution[1]": buy a blister-pack pay-as-you-go phone. So long as you activate it from somewhere other than your own phone, it's anonymous.

(Admittedly, if They want to know whose phone it is, traffic analysis would have you nailed in minutes.)

[1] http://media.www.thevistaonline.com/media/storage/paper962/news/2001/09/26/UndefinedSection/Disposable.Cell.Phones.Available.In.October-2112861.shtml


May 9, 2008 10:02 AM

thanks


May 9, 2008 10:00 AM

Power is an end in itself. Bureaucrats who live in cubicle habitrails cut that cheese very thinly and enjoy it by the numbers. The FBI is using the 'national security letters' with great joy and abandon; the no fly list is just a Republican harassment campaign for dissenters.
Every legitimate power the government gives itself will be abused and, if done with sufficient secrecy, it will go on for a long time on a massive scale. Then a generation will live that just routinely accepts that this has been stolen from them before they were born. Serfs.


May 9, 2008 09:57 AM

From Worldtracker's site...
http://www.world-tracker.com/products/lbs/

World-Tracker.com GSM is a service which can give you the peace of mind of knowing where your (love) children, their parents or any other pesky guardians are at any time, without letting them intrude on your day to day 'activity'. It uses the mobile phone network to locate your little 'friends' anywhere in the UK. You can access this information from this website or via text message.

World-tracker. Know where (...they are when you need some.)


Well, near enough.


May 9, 2008 09:56 AM

Hehe, Symbian or Windows Mobile...
... how do I love proprietary OLD devices.

And I will NEVER EVER use a mobile phone with built-in GPS/GALILEO


May 9, 2008 09:48 AM

@Sparky.

First of all I worked for two years for a company providing high accuracy location services for embedding into GSM networks

GSM networks support multiple methods for determining the location of a handset - ranging in accuracy from the cell location (accurate to kms down to 100's of m) up to and including GPS enabled on the handset itself. (The technology I worked on was measuring the timing of arrival of base station signals on the handset and using that to determine its location - google for E-OTD).

One of the initial drivers for high accuracy is for emergency use (E911 in the US, sim elsewhere), and for obvious reasons does not require permission from the end user for the emergency services to locate your handset.

The operators have looked to resell this technology for general use and it is available for 3rd parties to buy from them to build applications round - e.g. the World Tracker here could be based on such a resold service. Obviously opt in/out should be applicable.

Dave


May 9, 2008 09:47 AM

@Ruby,

The problem is actually tracing the call originator's connection point. It might not actually have a "dialling number" attached to it that is known. And COMCAST may not be able to trace it back further than to the foreign network connection to their network.

The easiest solution is to take the call and give the sales droid the runaround and waste their time as much as possible without giving any details.

Fairly soon the droid or the next one will log you as being a time waster, which earns them nothing and at that point you usually get left alone.


May 9, 2008 09:39 AM

Comcast doesn't care, except that they are in the middle of a big promotion to get people to sign up for their network. A bad news story will damage millions of dollars worth of propaganda. There is a national do not call list in the US. It's equally useless, especially if Comcast will not tell you where the call originates.


May 9, 2008 09:27 AM

@Ruby: Maybe you could use some guerrilla warfare. Depending on what they are offering you, and your local laws, you could do a few things that cost them money and effort. Where I live (the Netherlands), the law basically says return any item over something like 50 euros (don't know exactly) and get a refund, no questions asked (provided the item is in new condition, packaging intact etc.). This also applies to anything sent to you by mail.

You could also refuse to accept anything they have sent you, make appointments for a mortgage broker or whatever when you're not home, have them go through the trouble of selling you something (probably recorded), where you just mention you are intoxicated (and thus unable to enter into a contract).

If they are offering anything, you should be able to at least get a company name.


May 9, 2008 09:14 AM

Kinda of related to the Telco / Spy thing, Why cant we devise a piece of software to track them??? YAs I know the Gov has all the tools

TO Bruce and all the Tech Guru's on this site: Would like your technical input on how Unknown Number / Unknown Numbers call be traced or HOW they are routed by Telecoms OR even allowed!

Below is my attempt at having COMCAST block an Unknown name / number that keeps calling my NEW Comcast Digital phone number!

Hello COMCAST — This is rather long but please read

I have been trying to block a company that is calling our home number (harassing us with unsolicited offers). I have tried using the Comcast feature but it is not working, as the company obviously has an auto dialer with a registration for both the name and number coming across as “Unknown Name & Number”. Can we do something on Comcast's part to block this? The company first started calling the day after I got my new digital phone number. I was able to block the 800 service numbers but now they are using the “Unknown Name Unknown Number” to harass us.

The 800 numbers that I have blocked are listed below; can you have the Comcast investigation division get them / trace them? Comcast should be able to trace the calls in the telco routing station to the point from which they call.

800 257 5722
877 450 6649

If you look up these numbers on the internet it appears they have been frequent violators:

http://whocalled.us/list/

http://800notes.com/Phone.aspx/1-800-257-5722

http://whocallsme.com/Phone-Number.aspx/8002575722


COMCAST
Thank you for contacting Comcast Live Chat Support. Please give me one moment to review your information.

COMCAST
I am sorry to hear of what this company is doing.

COMCAST
Have you had a chance to add your number to the do not call list?

Customer
I am doing that, but what about getting the comcast investigation unit involved?

COMCAST
I apologize but our features work by blocking numbers by the phone number registered under the line, or by blocking numbers who have their display blocked. Since the display shows “Unknown Name Unknown Number” it tells us that their caller ID information is blank.

COMCAST
I would recommend to contact the company to be removed from their contact list as well as adding your name to the Do Not Call list.

Customer
Again, what about having the investigation unit get involved? It seems crazy that anyone could get a number without an ID. I told them when they first called to remove me.

COMCAST
Please give me just one moment to see if there is anything that we can do on our end.

Customer
ok

COMCAST
I have looked into this for you and I am very sorry but at this time Comcast is unable to address this for you. The only thing that we would advise is for you to enter your number on the state's Do Not Call list and the National one. If after you do this the calls persist, I would recommend to contact the Federal Trade Commission, which is the Government office that is in charge of making sure that the Do Not Call registries are followed.


May 9, 2008 09:10 AM

Logged in to World Tracker - no signs of the scary ability to track someone by their cell phones. The service just allows you to _manually_ specify your location, so your friends can see where you are. Seems that Mr. Schneier just copypasted the text from www.geeksaresexy.net.


May 9, 2008 09:10 AM

thanks


May 9, 2008 09:04 AM

The problem is not with people taking pictures.
The problem is not with people reporting people for taking pictures.

The problem is when the cops come and start confiscating cameras and locking people up when there have been no laws violated.

And if they have managed to ramrod a law through the system that makes it unlawful to take pictures of something out in plain sight, that's a problem too (all 3: the stupid law, the people pushing stupid laws to be enacted, and the voters who elect stupid legislators). Because if it is in plain sight then terrorists will be able to get pictures of it if they want them regardless of whether anyone with a camera is ever seen in the vicinity.


May 9, 2008 09:04 AM

@Dave,

"Not quite as dangerous ..."

You have forgotten that the phone operator can download a patch to your phone's software any time they like and frequently do (supposedly it needs to be signed or some such on modern phones...)

Also, as a lot of teenagers know, downloading a ring tone to a phone is not that difficult either. So 15 mins seems a long time; I reckon with a bit of practice it could be done whilst you go get a cup of coffee or a comfort stop.

Phone security is at best laughable (have a look on Cryptome's GSM section). Even on modern phones the security model is to protect the phone OS from apps running in the computer OS running on the phone (MS windows / symbian et al).

Importantly, phones are going to be used as security tokens in future. So not having proper app to app security will within a year or so be a significant issue.


May 9, 2008 08:48 AM

Hey,

New Indiana Jones gonna be cheerful soon. Do You invent it's gonna be any noble ?

[url=http://www.indianajones.com]Indiana Jones[/url]


May 9, 2008 08:44 AM

@sparky

Damn.. Posted my previous message before finishing!

Location updates (containing cell id and IMSI) are generated as a phone moves between cells. So that can give geography. But this is sent within the core mobile network and therefore would have to be provided by the network operator.


May 9, 2008 08:40 AM

I have to go with the "Jack Hero" device.


May 9, 2008 08:34 AM

@sparky

Your phone can be uniquely identified by either the IMSI (sim), IMEI (phone) or MSISDN (number).


May 9, 2008 08:34 AM

Looking at the FlexiSpy website, it appears that you have to install the software on the victim's phone:

"Can I install FlexiSPY remotely?
No. You need to have the phone physically in your hand for about 15 min. Installation is simple. You simply open up a web page on the mobile and enter your code. The download and install begins automatically"

"How does Remote Listening work ?
The phone with FlexiSPY on it is the target phone. The phone you make spy calls from is the monitor phone. When you call the target phone from the monitor phone, the target phone will answer the call, letting you listen to the phone's surroundings. If the phone is busy or a key is pressed, the spy call will be disconnected, and the target will be none the wiser."

Simply put, you have the thing installed on your phone and someone else calls it. Not quite as dangerous as it initially sounds.


May 9, 2008 08:32 AM

@Sparky: IIRC from the first time I heard about a service like this, they don't "need" a response to the text message at all. It's a (feeble) security measure, an attempt to get the permission of the person being tracked. There's no technical need for it.

And yes, the big question is why network operators are (a) willing, and (b) permitted to provide the information needed to do this.

According to the website it's "only" Orange, Voda and O2. So maybe I'll call up Orange and tell them I'm switching to T-Mobile unless they can exclude my number from ever being tracked by any such service...


May 9, 2008 08:24 AM

And in fact one of the best ways to subvert this is to leave your well known cell phone somewhere convenient as you travel around without it.

Preferably right next to the speaker of a PC that you've been playing "Stack The Cats" on. :D "Stack the Cats" is my favorite low-cost, low-effort way of dealing with a bugged room.

http://www.thefrown.com/?/games/-2/384


May 9, 2008 08:15 AM

The alertness alert is good but it's too subjective. Just cos you know someone's heart rate doesn't mean they're alert. I like the DNA Adulterometer, and I'd like to use it at work sometimes!


May 9, 2008 07:58 AM

@lightning / @Brandioch Conner:

I absolutely agree with the points you both make.

Oversight, in and of itself, is a non-trivial problem. As has been pointed out in other discussions on this (and, I suspect, many other similarly-themed places of discussion), there is the issue of "who watches the watchers".

In our system of government, judicial oversight is the best we have, though judges are, too, political in their appointments.

I suspect that most of us would prefer imperfect oversight to none.


May 9, 2008 07:56 AM

I think that Flexispy needs an app running on the phone ( Symbian or Windows mobile ). Also from the FAQ - "FlexiSPY needs a working Internet connection on your mobile. "

I'm safe with my bottom of the range Nokia then!


May 9, 2008 07:52 AM

I used to live in a SMALL TOWN in SE Michigan, population 2,500. A guy in a blue pick-up truck was seen photographing the local post office. Unfortunately this was about a month after some major terrorist event, can't remember the date.

Those in charge decided to shut down the post office, cordon off the block and put out an APB for the truck.

Seriously, how would blowing up the Saline, MI post office or tampering with any of its mail pose any legitimate threat to national security? And is it now illegal to photograph public places from public locations?

PittCaleb


May 9, 2008 07:51 AM

DNA adulteratometer


May 9, 2008 07:43 AM

I vote for the SOS device. I could seriously imagine a member of Congress proposing a bill to require these on all cars.


May 9, 2008 07:38 AM

"The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot."

this sounds like something out of the old gene hackman movie, "the conversation".


May 9, 2008 07:32 AM

Has anyone tried this? It sounds rather unlikely; first of all, where would they get all that information, from all the different service providers? Secondly, why would they need a reply from the phone? Would that be because they need the phone's internal number (kind of like a MAC address)? Otherwise, if the phone has been moved while turned off, they would lose the "lock" on the position and would have to start over.

I don't know a whole lot about the details of the GSM protocol, but I can imagine they can find the location if they call someone (maybe even if they don't answer, as long as the phone is on).

Also, I would think this is only borderline-legal, if at all. One could argue that the location of their phone is personal information, and, as such, covered by privacy laws.


May 9, 2008 07:22 AM

DNA Adulterator gets my vote. Classic.


May 9, 2008 07:16 AM

@Andre: Off the top of my pointy little head, it seems to me that a "password with holes" is pretty much the same as an ordinary password, of the length requested, but even more prone to human errors in entry....


May 9, 2008 06:26 AM

Joe - not all European countries have car-carrying ferries. I don't think Austria has any, for example.


May 9, 2008 06:15 AM

Strange acting people should be checked out as these guys were. I take a lot of pictures; if questioned I would be happy to explain what I was doing. If I were to run away or hide, wouldn't that be very suspicious?
I think Europe has car carrying ferries, so being fascinated by the car carrying capacity of the Ferry sounds pretty lame to me, and referring to them as citizens of a Euro Union country isn't reassuring considering the rioters in France were also citizens of such a country.
So they were checked out and apparently are not terrorists, but assuming everything is OK even when something looks funny is foolish.
Maybe these same guys would be equally fascinated by the cockpit of a 767, and would enjoy going in and taking some innocent pictures. Then when they get home they could describe to interested parties what the security is like when you attempt to get into the cockpit of a 767.

Joe

Powered by Movable Type 3.2. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.
