February 15, 2008
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0802.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.
In this issue:
If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.
In a Jan. 21 "New Yorker" article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, *all* -- Internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.
The article contains this passage: "In order for cyberspace to be policed, Internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. 'Google has records that could help in a cyber-investigation,' he said. Giorgio warned me, 'We have a saying in this business: "Privacy and security are a zero-sum game."'"
I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.
We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.
But it's a false one.
Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.
Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back, and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.
By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining, and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.
The debate isn't security versus privacy. It's liberty versus control.
You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.
It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.
If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.
Trading off security and privacy:
Donald Kerr's comments:
This essay originally appeared on Wired.com.
MySpace has reached an agreement with the attorneys general of 49 states -- Texas sat out -- to protect children from sexual predators on the site.
The attorneys general are all congratulating themselves, as is MySpace -- and there's a lot of commentary out there. To me, this all seems like much ado about nothing.
The measures won't do anything to stop child predators on MySpace. But on the other hand, there isn't really any problem with child predators -- just a tiny handful of highly publicized stories -- on MySpace. It's just security theater against a movie-plot threat. But we humans have a well-established cognitive bias that overestimates threats against our children, so it all makes sense.
There have been stories previously but this time it looks like it will actually happen. From MSNBC: "The technology is intended to stop a missile attack by detecting heat given off from the rocket, then firing a laser beam that jams the missile's guidance system."
I have several feelings about this. One, it's security theater against a movie-plot threat. Two, given that that's true, attaching an empty box to the belly of the plane and writing "Laser Anti-Missile System" on it would be just as effective a deterrent at a fraction of the cost. And three, how do we know that's not what they're doing?
Blog entry URL:
Social-engineering bank robberies in the DC area:
This is a good article on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to protect itself from "global threats."
A 14-year-old modified a TV remote control to switch trains on tracks in the Polish city of Lodz. The lesson here is that security by obscurity, combined with physical security of the equipment, wasn't enough. This kid jumped whatever fences there were, and reverse-engineered the IR control protocol. Then he was able to play "trains" with real trains.
The Dutch RFID public transit card, which has already cost the government $2B -- no, that's not a typo -- has been hacked even before it has been deployed. By some students. My guess is the system was designed by people who don't understand security, and therefore thought it was easy.
More on SmartWater:
Combined taser and MP3 player. Not a joke, apparently.
I have absolutely no doubt that there will be security flaws in remotely controllable thermostats, allowing hackers to seize control of them. Do this on a too-hot day, and you might even cause a large blackout.
A gun slips through a TSA airport checkpoint, and when the owner reports the mistake, he's arrested. What's that supposed to teach?
Continuing battles in the War on the Unexpected:
An update on cameras in the New York City subways:
The ethics of autonomous military robots:
Remember the "cyberwar" in Estonia last year? When asked about it, I generally say that it's unclear that it wasn't just kids playing politics. The reality is even more mundane: "...the attacker...isn't a member of the Russian military, nor is he an embittered cyber warrior in Putin's secret service. He doesn't even live in Russia. He's an [20-year-old] ethnic Russian who lives in Estonia, who was pissed off over that whole statue thing."
Two Ethiopian cabin cleaners were found hiding in the ceiling of an aircraft after it landed at Dulles. Presumably they were allowed on the plane at Addis Abbaba, but no one checked to make sure they got off.
Interesting article on terrorist tradecraft:
Data as pollution:
Does the FBI know the identity of the Storm worm writers?
"Psychology Today" on risk assessment and why we're so bad at it:
A leaked document shows the UK government has plans to coerce its citizens into a national ID database.
Detecting nuclear weapons using the cell phone network. I'm not convinced it's a good idea to deploy such a system, but I like the idea of piggy-backing a nationwide sensor network on top of our already existing cell phone infrastructure.
Think Illegal Downloading Is Free?
I have mixed feelings about the NSA monitoring U.S. government Internet traffic, but in general I think it's a good idea.
The DHS is paying for open source software to be scanned for security bugs, and then fixing them. They find, on average, one security flaw per 1,000 lines of code. And when the flaw is fixed, everyone's security improves.
"The Top 5 VoIP Security Threats of 2008": a nice little list of things to worry about.
Criminals are using cloned trucks to bypass security:
Here's someone who puts on a red shirt and pretends to be a Target employee so he can steal stuff:
Why does anyone think that heavily armed officers on New York City subways is a good idea? What does it accomplish besides intimidating innocent commuters?
Recently the Associated Press obtained hundreds of pages of documents related to the 2006 "Cyber Storm" exercise. Most interesting is the part where the participants attacked the game computers and pissed the referees off.
"The Onion" on Terror: "We must all do whatever we can to preserve America by refocusing our priorities back on the contemplation of lethal threats -- invisible nightmarish forces plotting to destroy us in a number of horrific ways. It is only through the vigilance and determination of every patriot that we can maintain the sense of total dread vital to the prolonged existence of a thriving, quivering America."
Interesting speculation from Nicholas Weaver on how the MPAA might enforce copyright on the Internet:
U.S. Customs seizing laptops at the border: if you travel abroad, this is important:
Canon has filed a patent on embedding an iris scan of the photographer in the metadata of photographs, presumably secured with a digital signature.
Cryptographer Stefan Brands has a new company, Credentica, that allows people to disclose personal information while maintaining privacy and minimizing the threat of identity theft.
HotPlug allows you to seize and move a computer without losing power.
DHS in "The Onion." Funny.
Buying an iPhone isn't the same as buying a car or a toaster. Your iPhone comes with a complicated list of rules about what you can and can't do with it. You can't install unapproved third-party applications on it. You can't unlock it and use it with the cell phone carrier of your choice. And Apple is serious about these rules: a software update released in September 2007 erased unauthorized software and -- in some cases -- rendered unlocked phones unusable.
"Bricked" is the term, and Apple isn't the least bit apologetic about it.
Computer companies want more control over the products they sell you, and they're resorting to increasingly draconian security measures to get that control. The reasons are economic.
Control allows a company to limit competition for ancillary products. With Mac computers, anyone can sell software that does anything. But Apple gets to decide who can sell what on the iPhone. It can foster competition when it wants, and reserve itself a monopoly position when it wants. And it can dictate terms to any company that wants to sell iPhone software and accessories.
This increases Apple's bottom line. But the primary benefit of all this control for Apple is that it increases lock-in. "Lock-in" is an economic term for the difficulty of switching to a competing product. For some products -- cola, for example -- there's no lock-in. I can drink a Coke today and a Pepsi tomorrow: no big deal. But for other products, it's harder.
Switching word processors, for example, requires installing a new application, learning a new interface and a new set of commands, converting all the files (which may not convert cleanly) and custom software (which will certainly require rewriting), and possibly even buying new hardware. If Coke stops satisfying me for even a moment, I'll switch: something Coke learned the hard way in 1985 when it changed the formula and started marketing New Coke. But my word processor has to really piss me off for a good long time before I'll even consider going through all that work and expense.
Lock-in isn't new. It's why all gaming-console manufacturers make sure that their game cartridges don't work on any other console, and how they can price the consoles at a loss and make the profit up by selling games. It's why Microsoft never wants to open up its file formats so other applications can read them. It's why music purchased from Apple for your iPod won't work on other brands of music players. It's why every U.S. cell phone company fought against phone number portability. It's why Facebook sues any company that tries to scrape its data and put it on a competing website. It explains airline frequent flyer programs, supermarket affinity cards and the new My Coke Rewards program.
With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base. It should be no surprise that this sounds like pretty much every experience you've had with IT companies: once the industry discovered lock-in, everyone started figuring out how to get as much of it as they can.
Economists Carl Shapiro and Hal Varian even proved that the value of a software company is the total lock-in. Here's the logic: Assume, for example, that you have 100 people in a company using MS Office at a cost of $500 each. If it cost the company less than $50,000 to switch to Open Office, they would. If it cost the company more than $50,000, Microsoft would increase its prices.
Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it's copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren't what we normally think of as security: They don't protect us from some outside threat, they protect the companies from *us*.
Microsoft has been planning this sort of control-based security mechanism for years. First called Palladium and now NGSCB (Next-Generation Secure Computing Base), the idea is to build a control-based security system into the computing hardware. The details are complicated, but the results range from only allowing a computer to boot from an authorized copy of the OS to prohibiting the user from accessing "unauthorized" files or running unauthorized software. The competitive benefits to Microsoft are enormous,
Of course, that's not how Microsoft advertises NGSCB. The company has positioned it as a security measure, protecting users from worms, Trojans and other malware. But control does not equal security; and this sort of control-based security is very difficult to get right, and sometimes makes us more vulnerable to other threats. Perhaps this is why Microsoft is quietly killing NGSCB -- we've gotten BitLocker, and we might get some other security features down the line -- despite the huge investment hardware manufacturers made when incorporating special security hardware into their motherboards.
Earlier in this issue of Crypto-Gram, I talked about the security-versus-privacy debate, and how it's actually a debate about liberty versus control. Here we see the same dynamic, but in a commercial setting. By confusing control and security, companies are able to force control measures that work against our interests by convincing us they are doing it for our own safety.
As for Apple and the iPhone, I don't know what they're going to do. On the one hand, there's this analyst report that claims there are over a million unlocked iPhones, costing Apple between $300 million and $400 million in revenue. On the other hand, Apple is planning to release a software development kit this month, reversing its earlier restriction and allowing third-party vendors to write iPhone applications. Apple will attempt to keep control through a secret application key that will be required by all "official" third-party applications, but of course it's already been leaked.
And the security arms race goes on...
Shapiro and Varian's book:
This essay previously appeared on Wired.com.
The CIA unleashed a big one at a SANS conference: "On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that 'We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.'
"According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure."
I'll bet. There's nothing like a vague unsubstantiated rumor to forestall reasoned discussion. But, of course, everyone is writing about it anyway.
SANS's Alan Paller is happy to add details. From Forbes.com: "In the past two years, hackers have in fact successfully penetrated and extorted multiple utility companies that use SCADA systems, says Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. 'Hundreds of millions of dollars have been extorted, and possibly more. It's difficult to know, because they pay to keep it a secret,' Paller says. 'This kind of extortion is the biggest untold story of the cybercrime industry.'"
And to up the fear factor. "Information Week": "The prospect of cyberattacks crippling multicity regions appears to have prompted the government to make this information public. The issue 'went from "we should be concerned about to this" to "this is something we should fix now, "' said Paller. 'That's why, I think, the government decided to disclose this.'"
More rumor from ibls.com: "An attendee of the meeting said that the attack was not well-known through the industry and came as a surprise to many there. Said the person who asked to remain anonymous, 'There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack.'"
And more hyperbole from someone in the industry in "The Washington Post": "Over the past year to 18 months, there has been 'a huge increase in focused attacks on our national infrastructure networks, . . . and they have been coming from outside the United States,' said Ralph Logan, principal of the Logan Group, a cybersecurity firm.
"It is difficult to track the sources of such attacks, because they are usually made by people who have disguised themselves by worming into three or four other computer networks, Logan said. He said he thinks the attacks were launched from computers belonging to foreign governments or militaries, not terrorist groups."
I'm more than a bit skeptical here. To be sure -- fake staged attacks aside -- there are serious risks to SCADA systems (Ganesh Devarajan gave a talk at DefCon this year about some potential attack vectors), although at this point I think they're more a future threat than present danger. But this CIA tidbit tells us nothing about how the attacks happened. Were they against SCADA systems? Were they against general-purpose computers, maybe Windows machines? Insiders may have been involved, so was this a computer security vulnerability at all? We have no idea.
Cyber-extortion is certainly on the rise; we see it at Counterpane. Primarily it's against fringe industries -- online gambling, online gaming, online porn -- operating offshore in countries like Bermuda and the Cayman Islands. It is going mainstream, but this is the first I've heard of it targeting power companies. Certainly possible, but is that part of the CIA rumor or was it tacked on afterwards?
And Wikipedia has a list of power outages. Which ones were hacker caused? Some details would be nice.
I'd like a little bit more information before I start panicking.
Quote from SANS:
Fake staged SCADA attack:
Wikipedia list of power outages:
An interview with Schneier:
Schneier gave the keynote talk at Linux.conf.au.
Mujahideen Secrets 2 is a new version of an encryption tool, ostensibly written to help Al Qaeda members encrypt secrets as they communicate on the Internet.
A bunch of sites have covered this story, and a couple of security researchers are quoted in the various articles. But quotes like this from "Computerworld" make you wonder if they have any idea what they're talking about: "Mujahideen Secrets 2 is a very compelling piece of software, from an encryption perspective, according to Henry. He said the new tool is easy to use and provides 2,048-bit encryption, an improvement over the 256-bit AES encryption supported in the original version."
No one has explained why a terrorist would use this instead of PGP -- perhaps they simply don't trust anything coming from a U.S. company. But honestly, this isn't a big deal at all: strong encryption software has been around for over fifteen years now, either cheap or free. And the NSA probably breaks most of the stuff by guessing the password, anyway. Unless the whole program is an NSA plant, that is.
My question: the articles claim that the program uses several encryption algorithms, including RSA and AES. Does it use Blowfish or Twofish?
Me on password guessing:
The TSA is checking IDs more carefully, looking for forgeries: "More than 40 passengers have been arrested since June in cases when TSA screeners spotted altered passports, fraudulent visas and resident ID cards, and forged driver's licenses. Many of them were arrested on immigration charges. " ID checks have nothing to do with airport security. And even if they did, anyone can fly on a fake ID. And enforcing immigration laws is not what the TSA does.
Read this from the TSA's website: "We screen every passenger; we screen every bag so that your memories are from where you went, not how you got there. We're here to help your travel plans be smooth and stress free. Please take a moment to become familiar with some of our security measures. Doing so now will help save you time once you arrive at the airport. " I know they don't mean it that way, but doesn't it sound like it's saying "We know it doesn't help, but it might make you feel better"?
And why is it news when a test breaches TSA security?
"Confessions of a TSA Agent": there is some speculation that this is a hoax.
First paragraph: "Terrorists increasingly favor using women as suicide bombers to thwart security and draw attention to their causes, a new FBI-Department of Homeland Security assessment concludes."
Photo caption: "Female suicide bombers can use devices to make them appear pregnant, a security assessment says."
Second paragraph: "The assessment said the agencies 'have no specific, credible intelligence indicating that terrorist organizations intend to utilize female suicide bombers against targets in the homeland.'"
Does the DHS think we're idiots or something?
Many people say that allowing illegal aliens to obtain state driver's licenses helps them and encourages them to remain illegally in this country. Michigan Attorney General Mike Cox late last year issued an opinion that licenses could be issued only to legal state residents, calling it "one more tool in our initiative to bolster Michigan's border and document security."
In reality, we are a much more secure nation if we do issue driver's licenses and/or state IDs to every resident who applies, regardless of immigration status. Issuing them doesn't make us any less secure, and refusing puts us at risk.
The state driver's license databases are the only comprehensive databases of U.S. residents. They're more complete, and contain more information -- including photographs and, in some cases, fingerprints -- than the IRS database, the Social Security database, or state birth certificate databases. As such, they are an invaluable police tool -- for investigating crimes, tracking down suspects, and proving guilt.
Removing the 8 million-15 million illegal immigrants from these databases would only make law enforcement harder. Of course, the unlicensed won't pack up and leave. They will drive without licenses, increasing insurance premiums for everyone. They will use fake IDs, buy real IDs from crooked DMV employees -- as several of the 9/11 terrorists did -- forge "breeder documents" to get real IDs (another 9/11 terrorist trick), or resort to identity theft. These millions of people will continue to live and work in this country, invisible to any government database and therefore the police.
Assuming that denying licenses to illegals will make them leave is head-in-the-sand thinking.
Of course, even an attempt to deny licenses to illegal immigrants puts DMV clerks in the impossible position of verifying immigration status. This is expensive and time-consuming; furthermore, it won't work. The law is complicated, and it can take hours to verify someone's status only to get it wrong. Paperwork can be easy to forge, far easier than driver's licenses, meaning many illegal immigrants will get these licenses that now "prove" immigrant status.
Even more legal immigrants will be mistakenly denied licenses, resulting in lawsuits and additional government expense.
Some states have considered a tiered license system, one that explicitly lists immigration status on the licenses. Of course, this won't work either. Illegal immigrants are far more likely to take their chances being caught than admit their immigration status to the DMV.
We are all safer if everyone in society trusts and respects law enforcement. A society where illegal immigrants are afraid to talk to police because of fear of deportation is a society where fewer people come forward to report crimes, aid police investigations, and testify as witnesses.
And finally, denying driver's licenses to illegal immigrants will not protect us from terrorism. Contrary to popular belief, a driver's license is not required to board a plane. You can use any government-issued photo ID, including a foreign passport. And if you're willing to undergo secondary screening, you can board a plane without an ID at all. This is probably how anybody on the "no fly" list gets around these days.
A 2003 American Association of Motor Vehicle Administrators report concludes: "Digital images from driver's licenses have significantly aided law enforcement agencies charged with homeland security. The 19 (9/11) terrorists obtained driver licenses from several states, and federal authorities relied heavily on these images for the identification of the individuals responsible."
Whether it's the DHS trying to protect the nation from terrorism, or local, state and national law enforcement trying to protect the nation from crime, we are all safer if we encourage every adult in America to get a driver's license.
This op-ed originally appeared in the Detroit Free Press.
There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of BT Counterpane, and is a member of the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
BT Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. BT Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT or BT Counterpane.
Copyright (c) 2008 by Bruce Schneier.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.