September 15, 2011
by Bruce Schneier
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-1109.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.
In this issue:
There have been lots of articles and essays related to the tenth anniversary of the 9/11 terrorist attacks. Here's what I think is worth reading:
This ACLU report is really good: "A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11."
Steven Pinker on Terrorism
Nice essay on the danger of too much security:
Joseph Stiglitz on the price of 9/11.
How 9/11 changed surveillance.
The day we lost our privacy and power.
"Let's Cancel 9/11."
"How to Beat Terrorism: Refuse to Be Terrorized" from Wired.
"Ten Things I Want My Children To Learn from 9/11"
The creator of the TSA says it should be dismantled and privatized:
Pat Buchanan on Bush after 9/11:
9/11: Was There an Alternative? by Noam Chomsky
Comments from Al-Jazeera:
The Onion's comment:
I didn't write anything to commemorate the 9/11 anniversary. I couldn't think of anything to say that I haven't said a gazillion times already.
John Mueller and his students analyze the 33 cases of attempted Islamic extremist terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement.
The death toll of all these is fourteen: thirteen at Ft. Hood and one in Little Rock. I think it's fair to add to this the 2002 incident at Los Angeles Airport where a lone gunman killed two people at the El Al ticket counter, so that's sixteen deaths in the U.S. to terrorism in the past ten years.
Given the credible estimate that we've spent $1 trillion on anti-terrorism security (this does not include our many foreign wars), that's $62.5 billion per life lost. Is there any other risk that we are even remotely as crazy about?
Note that everyone who died was shot with a gun. No Islamic extremist has been able to successfully detonate a bomb in the U.S. in the past ten years, not even a Molotov cocktail. (In the U.K. there has only been one successful terrorist bombing in the last ten years; the 2005 London Underground attacks.) And almost all of the 33 incidents (34 if you add LAX) have been lone actors, with no ties to al Qaeda.
Looking over the incidents, some of them would make pretty good movie plots. The point of my "movie-plot threat" phrase is not that terrorist attacks are never like that, but that concentrating defensive resources against them is pointless because 1) there are too many of them and 2) it is too easy for the terrorists to change tactics or targets.
I remember the government fear mongering after 9/11. How there were hundreds of sleeper cells in the U.S. How terrorism would become the new normal unless we implemented all sorts of Draconian security measures. You'd think that -- if this were even remotely true -- we would have seen more attempted terrorism in the U.S. over the past decade.
And I think arguments like "the government has secretly stopped lots of plots" don't hold any water. Just look at the list, and remember how the Bush administration would hype even the most tenuous terrorist incident. Stoking fear was the policy. If the government stopped any other plots, they would have made as much of a big deal of them as they did of these 33 incidents.
$1 trillion spent on terrorism security.
To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to foil 1,667 Times Square-style plots per year.
Here's data on terrorist incidents from 1970 to 2004.
And here's Nate Silver with data showing that the 1970s and 1980s were more dangerous with respect to airplane terrorism than the 2000s.
According to the State Department's recent report, fifteen American private citizens died in terrorist attacks in 2010: thirteen in Afghanistan and one each in Iraq and Uganda. Worldwide, 13,186 people died from terrorism in 2010. These numbers pale even in comparison to things that aren't very risky.
Look at Table 3 on page 16 of this document. The risk of dying in the U.S. from terrorism is substantially less than the risk of drowning in your bathtub, the risk of a home appliance killing you, or the risk of dying in an accident caused by a deer. Remember that more people die every month in automobile crashes than died in 9/11.
In my blog post, I accidentally typed "lives saved" when I meant to type "lives lost." I've corrected that above. We generally have a regulatory safety goal of $1-$10M per life saved. In order for the $100B we have spent per year on counterterrorism to be worth it, it would need to have saved 10,000 lives per year.
This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless -- that's not new -- but that the security establishment knows it doesn't work and abandoned many of the draconian security measures years ago, long before Obama became president. All that's left of the war on terror is political, as lawmakers fund unwanted projects in an effort to be tough on crime.
I wish it were true, but I don't buy it. The war on terror is an enormous cash cow, and law enforcement is spending the money as fast as it can get it. It's also a great stalking horse for increases in police powers, and I see no signs of agencies like the FBI or the TSA not grabbing all the power they can.
The second half of the article is better. The authors argue that openness, not secrecy, improves security
Interesting research on search-redirection attacks and the illicit online prescription drug trade:
New attack on AES:
Any institution delegated with the task of preventing terrorism has a dilemma: they can either do their best to prevent terrorism, or they can do their best to make sure they're not blamed for any terrorist attacks. I've talked about this dilemma for a while now, and it's nice to see some research results that demonstrate its effects.
Long essay on the value of pseudonymity.
How Microsoft develops security patches:
James Fallows has a nice debunking of a movie-plot threat: open airplane cockpit doors during bathroom breaks.
Smartphone keystroke logging using the motion sensor.
The security problems associated with moving $12B in gold from London to Venezuela.
We finally have some details of the RSA attack, even though the company isn't talking. It was a not-very-sophisticated phishing attack.
This Facebook Privacy Guide is actually pretty good.
Social networking sites make it very difficult, if not impossible, to have undercover police officers.
Job opening: TSA Public Affairs Specialist.
There's been a forged Google certificate out in the wild for the past month and a half. Whoever has it -- evidence points to the Iranian government -- can, if they're in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn't Google's mistake; the certificate was issued by a Dutch CA that has nothing to do with Google.
Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year:
Interesting article on outing a CIA agent, and how difficult it is to keep an identity secret in the information age.
I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.
Cultural differences in risk tolerance:
Sharing security information and the Prisoner's Dilemma:
Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival:
Nick Helm: "I needed a password with eight characters so I picked
Note that two other jokes were about security:
Tim Vine: "Crime in multi-storey car parks. That is wrong on so
I'm speaking at the Information Security Forum Annual World Congress, on 19 September in Berlin.
I'm also speaking at the Danish IT Lawyers Conference, on 20 September in Copenhagen.
It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. It seems that the encrypted file WikiLeaks gave to the Guardian got loose in the wild, and then the Guardian published the encryption key in their tell-all book about WikiLeaks.
From pp 138-9 of "WikiLeaks":
Assange wrote down on a scrap of paper:
I think we can all agree that that's a secure encryption key.
Memo to the "Guardian": Publishing encryption keys is almost always a bad idea. Memo to WikiLeaks: Take better care of your encrypted files.
The detailed story.
It's been a long hard year, but the book is almost finished. It's certainly the most difficult book I've ever written, mostly because I've had to learn about academic fields I don't have a lot of experience in. But the book is finally coming together as a coherent whole, and I am optimistic that the results will prove to be worth the effort.
Table of contents:
The old title, "The Dishonest Minority," has been completely expunged from the book. The phrase appears nowhere in the text -- its only existence is in old blog posts about the book.
Lastly, I want to apologize to all my readers for the scant pickings on my blog and in Crypto-Gram. So much of my attention is going into writing my book that I don't have time for much else. I promise to write more essays and blog posts once the book is finished. That's likely to be the December issue of Crypto-Gram. Thank you for your patience.
The manuscript is due in 45 days; publication is still scheduled for mid-February. Right now, it's 88,000 words long, with another 30,000 words in notes and references.
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
Copyright (c) 2011 by Bruce Schneier.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.