Schneier on Security
A blog covering security and security technology.
December 16, 2005
Computer Crime Hype
I guess this is the season for sensationalist hype of computer crime: first CNN, and then USA Today (drug users and Internet crime, for a double-scary story).
Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.
Posted on December 16, 2005 at 3:15 PM
• 34 Comments
Well, one thing I've learned from CNN is that Bruce has misspelled his blog.
It should be:
Schn3i3r 0n S3curity
In Europe, the Four Horsemen are terrorists, organized crime, pedophiles and neo-nazis. Works very well, too. In fact, works good enough to scare the European Parliament into accepting a bill that mandates a gigantic surveillance infrastructure. I suppose the public is either scared as well or, as usually, not interested in anything except the latest celebrity "news". Maybe it's just me, but I didn't see more than a sidenote in any national news outlet (if it's mentioned at all), and much less any kind of public outrage. Pretty disturbing.
I thought the biggest scare was kids (=terrorists and organized crime) downloading music and movies.
The assault against privacy is never ending.
Hmm, Bruce's "Internet Horsemen" have better irony, in that each of the four represents a crime that requires physical contact with a victim and/or a customer.
"Bruce's 'Internet Horsemen' have better irony, in that each of the four represents a crime that requires physical contact with a victim and/or a customer."
The biggest threats have always been in places where the real world and the Internet intersect.
"I thought the biggest scare was kids (=terrorists and organized crime) downloading music and movies."
Depends on who you are, doesn't it?
I would regard a thief of my identity as an evil doppelganger sucking my life force, and only one of us would survive.
Sure, fear sells! What is the best way to turn off any critical thinking than scaring people? You just need a few seemingly plausible threats.
Companies seem to be catching on ... How about this thingy called "OnStar"? If you listen to their commercials, it sounds like you are invariably going to DIE in your car unless you get "OnStar".
Which coincidentally can spy on you, by listening to conversations by means of the installed microphone. But, surely, "Big Brother" always has YOUR best interests in mind!
I especially enjoyed the CNN poll on what I think is the biggest online threat:
Oh, yeah! That porn's always trying to get my personal information and hack my PC...
OnStar has always scared me. I have always figured that whoever figures out how to hack OnStar will have a great time tracking people, stealing cars, etc.
I don't mind having a GPS receiver in my car, or a physical switch-on transceiver, but having something that automagically goes on worries me a lot, especially when it's tied into the locks on the car.
"This is the Internet."
(free access to lots of information)
"This is the Internet after smoking ice."
(spam, phishing, pharming, pr0n, Nigeria-419)
OnStar is a way creepy thing. I've seen the commercials: you get in some kind of trouble or lock yourself out of your car and this omniscient benevolent babysitter comes to your rescue.
If you need a babysitter while you're driving, you shouldn't be driving at all.
OnStar is just the tip of the iceberg. There are also onboard diagnostic devices hooked up to the airbags in most new cars which record speed, braking, etc. and are available for later inspection by anybody who can get a court order.
The state of Oregon formed a special commission to study a new tax on miles driven in Oregon by Oregonians. It would require a GPS in every Oregon-registered vehicle, and the commission explained that this would inform the state when we'd left its borders so that we would no longer be taxed for those miles. Yes, hacking this would be child's play. Yes, I like to be all alone sometimes with nobody knowing where I am, and I'm willing to execute drastic measures to achieve this, but worst of all.....
The tourists from California would be able to drive on the same roads I do and not be taxed! The Oregon public services infrastructure is on life support in many areas: no sales tax, laughable property tax, only a vicious 9% income tax. My answer is to soak the tourists, not exempt them.
Why is this "sensationalist hype"?
My friend wants to roll his mileage back on his lease. I know that this is wrong, but many dealers still do this. He is worried about his OnStar GPS: does this keep track of this? He did get an insurance break because of it, but if he is ever in an accident he is worried that they may pull other driving info from his past, like how fast he drives on a certain road, etc. Does anyone have any answers to this? It seems like it is a violation of your rights?
Who will stop the US Govt. attempts at jailing all its citizens?
Minutemen? The corrupt CIA? The US Army?
Will we be liberated by Muslims?
Well I for one, like our new privacy invading overlords! (Until I can get a decent connection then I am getting me some sweet Vidalia Onion Routers and I will be on my anonymous way! I'd do it now but dial-up + TOR = Even lower speeds...)
His eyes were dark grey as he scanned the late afternoon sunlight.
As if you could find it now..
he leaned back, and said " Listen. You bought the sneakers with the RFID that Wal-Mart
specified to be implanted in the soles for stocking and store security purposes, and then
you paid with a Visa card. The chip in your purchase will respond to a backscatter sensor
from over 30 feet away with a 54 digit Identifier. Therefore your shoes would give a good
investigator your Identification through your local wal-Mart's computer records with a single query.
The number won't change, and will respond to any compatible RFID sensor you come close to.
Therefore, if you are looking for that "privacy and security", I suggest that you actually
microwave your sneakers for at least three seconds on high, and you better throw your
Target brand sweater in after that.- and check your wallet too. "
I was aghast. He continued,
"Where ever you've gone today; you're leaving a record you can't see."
Enabling TorButton first... Here's a scenario that could be in a book:
"Sergeant, what's the last online information we have of the ship's captain?"
"Sir, last we knew he was downloading the Tor bundle and using Firefox. We haven't been able to track him online since."
"How long ago was that?"
"Five years ago, sir.…"
Sorry if this is just too newb, but can you tell me how to get my ISP from invading my privacy? My address menu always displays something from them called Security Check, and it lists a secure URL for them. This happens whether I'm using Vista Firefox or Ubuntu Firefox. Can I block them from my system or will that prevent me from getting online? Does Tor provide security from them?
I also have questions about the ability of my employer (a hospital) to monitor my email, even though I never access it from work, nor do they pay for my account. They do, however, have a business agreement with the telecommunications company that also happens to be my ISP. I have remained steadfast in my refusing to accept a discounted phone bill through my employer's connection, because I assume that will legitimize their scrutiny.
Governments have had a symbiotic relationship with Telcos since the 1940's
As well as media services and all licensed broadcasters. (Hence licensing Laws)
The licensing agreements provide the government and its agencies to obtain any information they choose about anyone who uses their service. Under the pretense of privacy for the client. That is lie #55.
The best privacy is not letting the government or its agencies know your business. Period.
Hi - I have an ex who I hope has forgotten my existence. I also some times post on blogs about my religion and how politics affects it. I was upset to find out that you can type in my name and get a map to my house.
When I tried to fix this myself, I ended up entering my email address, and now it is available online too. Can this be fixed? I just want peace. Thank you.
@ hiding under the couch,
"Can this be fixed? I just want peace."
Do you want the short answer or the long answer?
The short answer :- is after you type any of your details into an internet connected machine you might as well assume you have broadcast them to the world forever, so no, there is nothing you can do about what you have already typed.
The long answer :- is to disassociate the various parts of your life from each other and treat them in the same way you do "old school friends", "past friends", "ex girlfriends", "current work colleagues", "past work colleagues", "past church life", "current church life", etc etc.
That is, treat the various non-core parts of your life as separate roles, each of which has an identity independent from the others that is fully disposable at a moment's notice.
Outside of your "core life" each role has its own nickname email address, VoIP & mobile number, disposable pre-charge payment card and even postal address as required.
For your core life (tax, banking etc) do not use the Internet or anything other than good old fashioned "snail mail". Effectively use two separate PCs: one for offline "core life" activities, the other for "role based personas".
Be paranoid and assume they are out to get you, as they genuinely are. The more details an entity can build up about you the more valuable the information becomes, not just to identity fraudsters but marketers and others you have had good reason to break ties with.
Never ever use your "core-life" real address, telephone number etc online, ever. Organisations you have supplied those details to, never do business with online.
Monetary transactions should be by cash, that is, don't transfer money from your core-life bank account to pay bills or pre-charge a payment card. Never use a role based persona across roles, that is, if you are fred123 don't use the VoIP number for jim234. Likewise don't use mobile phones (even with different SIMs) for different roles. Old mobile phones can be bought for next to nothing. Never ever downgrade your core or role phones down to another role. When you want to get a new mobile, clean up the old one, take out the SIM and any memory card and flog it via the offline second hand market. Always buy role based phones on that persona's pre pay card.
All this is because at some point the data sets will cross over and it will be correlated (you cannot anonymise data with any level of utility sufficiently to prevent re-identification).
Oh, and to clear up your current state, it's time to move your core life away from where you live (if you can) and offline permanently.
Two PCs sounds expensive but actually it's not. You have one good quality machine for your core life and another older machine with no hard disk, plenty of RAM and a memory stick for each persona. Run the system off a CD-ROM (not re-writable) based OS. If you cannot hack Unix then look at how to put MS onto CD-ROM, there are toolkits out there, but I'd advise against it: MS puts lots of machine based metadata into OS and user files including network card MAC addresses and CPU ID tags etc etc.
Have a hunt around on the Internet (from a cafe etc) for various advice documents for NGOs working in hostile countries; they go into various uses of anonymous services like TOR and re-mailers etc. DON'T put the document onto your hard drive, print it out and then securely delete it from a USB memory stick.
If you think this sounds paranoid, a few years ago it would have been; these days it's being moderately cautious; in a couple of years' time you and many others will wish you had, and a few after that it will be normal behaviour for most sensible people.
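As an added illustration, not part of the thread or of the commenter's own text: the "data sets will cross over" point above, run over constructed records. Any identifier value reused between two roles (here a VoIP number and a payment card, exactly what the commenter warns against) joins those roles, and because joins chain, one reused value can pull a third persona into the same cluster. The record layout and the field names are assumptions for this example.

```python
# Added example (not from the blog post or the commenter): how reusing one
# identifier across "role" personas lets an observer link them, transitively.
from collections import defaultdict

# Fields treated as linkable identifiers (assumed layout for this example).
LINK_FIELDS = ("email", "phone", "card", "address")


def linkage_keys(record):
    """Yield normalised (field, value) pairs that could join this record to another."""
    for field in LINK_FIELDS:
        value = record.get(field)
        if value:
            yield (field, value.strip().lower())


def shared_fields(records):
    """Map each pair/group of personas sharing a value to the fields they share on."""
    index = defaultdict(set)            # (field, value) -> personas seen with it
    for rec in records:
        for key in linkage_keys(rec):
            index[key].add(rec["persona"])
    links = {}
    for (field, _), personas in index.items():
        if len(personas) > 1:
            links.setdefault(frozenset(personas), set()).add(field)
    return links


def linked_components(records):
    """Return the clusters of personas joinable directly or through a chain of
    shared identifier values (union-find over record/value ownership)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    owner = {}                          # (field, value) -> first persona seen with it
    for rec in records:
        find(rec["persona"])            # register even if it has no identifiers
        for key in linkage_keys(rec):
            if key in owner:
                parent[find(owner[key])] = find(rec["persona"])
            else:
                owner[key] = rec["persona"]
    groups = defaultdict(set)
    for persona in parent:
        groups[find(persona)].add(persona)
    return sorted(groups.values(), key=lambda s: sorted(s))


# Constructed sample: fred123 reused jim234's VoIP number, jim234 paid with bob's
# card; "core" kept everything separate. Values are made up.
SAMPLE = [
    {"persona": "fred123", "email": "fred123@example.net", "phone": "+1-555-0100"},
    {"persona": "jim234", "email": "jim234@example.org", "phone": "+1-555-0100 ",
     "card": "4111-0000-0000-0001"},
    {"persona": "bob", "email": "bob@example.org", "card": "4111-0000-0000-0001"},
    {"persona": "core", "email": "real.name@example.com", "phone": "+1-555-0199"},
]

if __name__ == "__main__":
    print(shared_fields(SAMPLE))
    print(linked_components(SAMPLE))
```

The trailing space on jim234's phone number is deliberate: normalisation in `linkage_keys` is what makes sloppy copies of the same value still collide.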
If you're going to run an HD-less computer and use OSes that run from CD-ROM: I just tried Slax Linux out. It has a really small footprint, only needs a small amount of RAM, and you can build a custom one (add modules) on their website. But their Firefox can't run YouTube videos unless you tell it to disallow a certain ad script that runs on YouTube.
Which of these does Stuxnet fit into?
I like Bruce's beard... he looks very furry in it.
"If you think this sounds paranoid, a few years ago it would have been; these days it's being moderately cautious; in a couple of years' time you and many others will wish you had, and a few after that it will be normal behaviour for most sensible people.
Posted by: Clive Robinson at December 26, 2009 10:47 AM"
You, sir, are a prophet.
You, sir, are a prophet
It is kind of you to say so; sadly though, the reality is more a "prophet of doom", due to the all too predictable nature of those given both power and wealth, who also choose not to acknowledge the harm they do. Harm not just to society but also, as a consequence of their actions, to themselves and their loved ones (assuming they have any).
Seems to me that frightening criminals from engaging in their activities online is counterproductive for law enforcement in that the perps will be forced to develop ever-subtler and more secure means of communication to evade the snoops, leaving the rest of us vulnerable to all sorts of snooping we are prohibited from knowing about. Take Al Qaeda for example. They shifted to communicating via live carriers when they realized their cell phones were being monitored.
@ Mark Harder,
Seems to me that frightening criminals from engaging in their activities online is counterproductive for law enforcement in that the perps...
It depends on the viewpoint. Contrary to what most people think, LEAs are not paid to just catch criminals. In today's "cost efficient policing" it's all about numbers, which in the main means "get the low hanging fruit", as this provides the best numbers for seniors to wave around at politicos etc.
There are exceptions, which are crimes that are newsworthy for some reason. When one of these types of crime happens, LEA seniors apply resources disproportionate to the norm in order to control public opinion as dictated by politicos and journalists.
Thus as you would expect the types of criminal that will be targeted under normal circumstances will be those that are not particularly clever/knowledgeable or just don't care if they are caught for whatever reason.
But there is a secondary effect, which is for the LEAs and others to talk up crimes and make them appear to be much worse than they really are.
There are several reasons for this and it's all to do with the "numbers".
As has been said often there is a calculation performed as to the value of the crime compared to the resources applied. Put simply there is a bar or hurdle, if the value of the crime is below the bar then the crime gets minimal resources, if it's above the first bar then it clears that hurdle and gets an increased level of resources. So onwards up the scale of bars/hurdles.
If an investigating officer can show quickly that a new crime is in someway linked to other similar crimes then the aggregated value is used to decide if more resources are required.
So the individual LEOs have an incentive to link crimes together to get the resources to ensure some crimes actually get investigated.
It also means that it changes their own individual targets, so that catching one individual who has committed lots of little crimes is worth a lot more than catching criminals that do infrequent crimes.
A side effect of this is to "load up" a criminal. That is, if a criminal is caught for one crime, their value is small to an officer's individual targets. However, connect the criminal with a lot of crimes and suddenly they become quite valuable to the individual officers, as the officer's individual targets are related to crimes committed, not criminals convicted. But there is a quirk in the system in that criminals get to do prison sentences concurrently, not consecutively. Thus the time served is really only related to the most serious crime. So depending on the jurisdiction, the officer has either the discretion to talk to the judge to get the sentence for that crime reduced, or the officer can use a plea bargaining route to reduce the severity of the crime. Thus, perversely, it's sometimes to a criminal's advantage to plead guilty to lots of minor crimes they have not committed, as it reduces their actual time served for a more serious crime they have committed...
It's win-win for the officer and criminal; it's also win-win for the LEA and politicos because it makes the clear up rate look good. But society loses because the real criminal for those crimes goes unpunished.
Whilst you can argue away "loading up" as a necessary evil of LEAs having to do impossible "efficiency" increases, it however turns the LEAs into criminals themselves (knowingly presenting false information to a court is perjury).
Once they have crossed that line, the next line is easier to cross, which is "fitting up". This is where the LEA has a newsworthy or politically sensitive crime to deal with where results are required. What the LEOs on the case do is arrest an individual who looks most likely, then build a case to make them guilty. That is, the LEOs only look for information to associate the arrested person with the crime, not for evidence that dissociates the arrested person from the crime. Whilst this might start as a "group think" issue for a small team that is under pressure, it can quickly get worse, with the withholding of evidence from the defence, or worse still destroying evidence that would clear the person, to the very deliberate fraud of fabrication of evidence against the person to ensure conviction.
But in more recent times there is a new game in town of inventing crimes and arresting suspects prior to the supposed crime and prosecuting them for "conspiracy to commit..." or similar. We have seen this with terrorist cases and it will spread out to other areas with time. In essence it's a 'he says she says' argument that gave rise to the notion of "thought crime".
But "thought crime" has actually been around with us for hundreds if not thousands of years one way or another. Most notably with the sayings attributed to Cardinal Richelieu,
If one would give me six lines written by the hand of the most honest man, I would find something within them to have him hanged.
However another saying attributed to the Cardinal,
Harshness towards individuals who flout the laws and commands of state is for the public good; no greater crime against the public interest is possible than to show leniency to those who violate it.
Can be seen as the basis not just for excusing all the above behaviours but in actually fostering new crimes.
What we are seeing is new laws being put on the statute books that are now so broad in definition that it is difficult to see how a normal person can defend themselves against being found guilty.
So now all an LEA has to do to meet its numbers is randomly select people to be classified as criminals and then have them convicted.
Which brings me back to your point,
... in that the perps will be forced to develop ever-subtler and more secure means of communication to evade the snoops, leaving the rest of us vulnerable to all sorts of snooping we are prohibited from knowing about.
In the UK this has certainly been the case. People have been accused of being terrorists but have not been allowed to see the evidence against them, as it would reveal "methods and sources" of the security forces. Because some judges have told the prosecution "put up or shut up", some alleged terrorists have been put in a kind of limbo where they have been arrested, charged and detained but have not been brought to trial or deported from the country. A case brought to the European Court of Human Rights (ECHR) declared this policy to be illegal, thus the alleged terrorists were released under what is in effect "house arrest". No doubt there will be further submissions to the ECHR over time, but the UK government appears determined to continue the cat and mouse game, if for no other reason than that of political face saving.
Is the Four Horsemen of the Information Apocalypse a problem?
No, it is only that the money for them will not be for you, with your agreement; it is your citizen agreement.
Who can profit from it?
Only very rich persons are the winners in both cases:
1) Yes, I agree: your agreement will protect them, and only them, better.
2) No, I beware, I disagree: the money will go into other pockets than yours.
So, it is a false problem, only entertainment, just a little time of fun to take your money for my standing,
because I need to hide it until I spend it.
I love to be a good US citizen, it is so ...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.