Schneier on Security
A blog covering security and security technology.
May 2006 Archives
From a list of 100,000 passwords for a German dating site, we learn that 123456 works 1.4% of the time and that 2.5% of all passwords begin with 1234.
About the Intelligence and Security Committee:
Parliamentary oversight of SIS, GCHQ and the Security Service is provided by the Intelligence and Security Committee (ISC), established by the Intelligence Services Act 1994. The Committee examines the expenditure, administration and policy of the three Agencies. It operates within the ‘ring of secrecy’ and has wide access to the range of Agency activities and to highly classified information. Its crossparty membership of nine from both Houses is appointed by the Prime Minister after consultation with the Leader of the Opposition. The Committee is required to report annually to the Prime Minister on its work. These reports, after any deletions of sensitive material, are placed before Parliament by the Prime Minister. The Committee also provides ad hoc reports to the Prime Minister from time to time. The Chairman of the Intelligence and Security Committee is the Right Honourable Paul Murphy. The Committee is supported by a Clerk and secretariat in the Cabinet Office and can employ an investigator to pursue specific matters in greater detail.
They have released the "Intelligence and Security Committee Report into the London Terrorist Attacks on 7 July 2005," and the UK government has issued a response.
In the long term, corporate data mining efforts are more of a privacy risk than government data mining efforts. And here's an off-the-shelf product from IBM:
IBM Entity Analytic Solutions (EAS) is unique identity disambiguation software that provides public sector organizations or commercial enterprises with the ability to recognize and mitigate the incidence of fraud, threat and risk. This IBM EAS offering provides insight on demand, and in context, on "who is who," "who knows who," and "anonymously."
The security risks of Windows' hidden features.
As every man goes through life he fills in a number of forms for the record, each containing a number of questions . .. There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider's web, and if they materialized as rubber bands, buses; trams and even people would all lose the ability to move, and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city. They are not visible, they are not material, but every man is constantly aware of their existence.... Each man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads.
From Charlie Stross: "A report on the state of the National Identity Register, May 2016."
The movie plots keep coming and coming. Here's my nomination for dumb movie plot of this week:
Skies 'now terrorist's dream'
Under the present system, a terrorist can locate the position of an aircraft by looking up. And if a terrorist is smart enough to perform this intelligence-gathering exercise near an airport, he can locate the position of aircraft that are low to the ground, and easier to shoot at with missiles. Why are we worrying about telling terrorists where all the high-altitude hard-to-hit planes are?
Now I can invent a movie plot that has the terrorists needing to shoot down a particular plane because this or that famous personage is on it, but that's a bit much.
On-the-fly encryption with plausible deniability.
Asimov's Three Laws of Robotics are a security device, protecting humans from robots:
1) A robot may not harm a human being, or, through inaction, allow a human being to come to harm.
In an interesting blog post, Greg London wonders if we also need explicit limitations on those laws: a Robotic Bill of Rights. Here are his suggestions:
First amendment: A robot will act as an agent representing its owner's best interests.
I haven't thought enough about this to know if these seven amendments are both necessary and sufficient, but it's a fascinating topic of discussion.
This essay makes the case that there no way to safely report a computer vulnerability.
The first reason is that whenever you do something "unnecessary," such as reporting a vulnerability, police wonder why, and how you found out. Police also wonders if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn’t have? It’s normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.
Interesting essay, and interesting comments. And here's an article on the essay.
Remember, full disclosure is the best tool we have to improve security. It's an old argument, and I wrote about it way back in 2001. If people can't report security vulnerabilities, then vendors won't fix them.
EDITED TO ADD (5/26): Robert Lemos on "Ethics and the Eric McCarty Case."
You too can spy on the Internet, just like the NSA.
(And while we're on the topic, you really should read about the equipment the NSA installed at the AT&T switches. Wow.)
Edit > Paste Special > Unformatted Text
Ira Winkler on why the NSA spying hurts security.
Reuters quoted a Pentagon official, Dan Devlin, as saying, "What we have seen is that any video game that comes out... (al Qaeda will) modify it and change the game for their needs."
Winning my award for dumb movie-plot threat of the week, here's someone who thinks that counterfeit electronics are a terrorist tool:
Counterfeit Electronics as Weapons of Mass Disruption?
EDITED TO ADD (6/2): Here's another article:
"Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on." The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits.
The simplest reason is that we're all connected. Not in the Haight-Ashbury/Timothy Leary/late-period Beatles kind of way, but in the sense of the Kevin Bacon game. The sociologist Stanley Milgram made this clear in the 1960's when he took pairs of people unknown to each other, separated by a continent, and asked one of the pair to send a package to the other -- but only by passing the package to a person he knew, who could then send the package only to someone he knew, and so on. On average, it took only six mailings -- the famous six degrees of separation -- for the package to reach its intended destination.
(This, by him, is also worth reading.)
They want to do security themselves at Newark Airport, as they already do at four other U.S. airports.
No other airline has such an arrangement with U.S. officials, authorities acknowledged. At the four other airports, El Al has installed its own security software at bomb-detection machines, which authorities said is more sensitive than that used by American carriers.
Blue Security was an Israeli company that fought spam with spam:
Eran Reshef had an idea in the battle against spam e-mail that seemed to be working: he fought spam with spam. Today, he'll give up the fight.
Last week Blue Security gave up:
Wednesday, Blue Security said it had to give up because it couldn't sustain the fight against spammers. "Several leading spammers viewed [us] as a strategic threat to their spam business," Eran Reshef, Blue Security chief executive wrote in the message posted to the company's site.
Here's how it works: Select TSA employees will be trained to identify suspicious individuals who raise red flags by exhibiting unusual or anxious behavior, which can be as simple as changes in mannerisms, excessive sweating on a cool day, or changes in the pitch of a person's voice. Racial or ethnic factors are not a criterion for singling out people, TSA officials say. Those who are identified as suspicious will be examined more thoroughly; for some, the agency will bring in local police to conduct face-to-face interviews and perhaps run the person's name against national criminal databases and determine whether any threat exists. If such inquiries turn up other issues countries with terrorist connections, police officers can pursue the questioning or alert Federal counterterrorism agents. And of course the full retinue of baggage x-rays, magnetometers and other checks for weapons will continue.
This quote sums up nicely why Diebold should not be trusted to secure election machines:
David Bear, a spokesman for Diebold Election Systems, said the potential risk existed because the company's technicians had intentionally built the machines in such a way that election officials would be able to update their systems in years ahead.
If you can't get the threat model right, you can't hope to secure the system.
Trying to avoid a failure of imagination in its uncharted new role, the agency has even called in screenwriters from Hollywood to help sketch terrorism situations.
Anyone who's watched Hollywood's output in recent years knows that screenwriters aren't the most creative bunch of people on the planet. And anyway, they can have all of these ideas for free.
Started by Victor Hugo:
Hugo turned away from social/political issues in his next novel, Les Travailleurs de la Mer (Toilers of the Sea), published in 1866. Nonetheless, the book was well received, perhaps due to the previous success of Les Misérables. Dedicated to the channel island of Guernsey where he spent 15 years of exile, Hugo's depiction of Man's battle with the sea and the horrible creatures lurking beneath its depths spawned an unusual fad in Paris: Squids. From squid dishes and exhibitions, to squid hats and parties, Parisiennes became fascinated by these unusual sea creatures, which at the time were still considered by many to be mythical.
Last week, revelation of yet another NSA surveillance effort against the American people has rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: "If you aren't doing anything wrong, what do you have to hide?"
Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
Two proverbs say it best: Quis custodiet custodes ipsos? ("Who watches the watchers?") and "Absolute power corrupts absolutely."
Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you'll find something to arrest -- or just blackmail -- with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies -- whoever they happen to be at the time.
Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.
We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.
A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and their cause. Of course being watched in your own home was unreasonable. Watching at all was an act so unseemly as to be inconceivable among gentlemen in their day. You watched convicted criminals, not free citizens. You ruled your own home. It's intrinsic to the concept of liberty.
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.
How many of us have paused during conversation in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? Probably it was a phone conversation, although maybe it was an e-mail or instant-message exchange or a conversation in a public place. Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, then we laugh at our paranoia and go on. But our demeanor has changed, and our words are subtly altered.
This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein's Iraq. And it's our future as we allow an ever-intrusive eye into our personal, private lives.
Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.
A version of this essay originally appeared on Wired.com.
EDITED TO ADD (5/24): Daniel Solove comments.
New report from the GAO: "GAO-06-385 - The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information," March 2006:
Federal agencies report using 56 different sensitive but unclassified designations (16 of which belong to one agency) to protect sensitive information--from law or drug enforcement information to controlled nuclear information--and agencies that account for a large percentage of the homeland security budget reported using most of these designations. There are no governmentwide policies or procedures that describe the basis on which agencies should use most of these sensitive but unclassified designations, explain what the different designations mean across agencies, or ensure that they will be used consistently from one agency to another. In this absence, each agency determines what designations to apply to the sensitive but unclassified information it develops or shares. For example, one agency uses the Protected Critical Infrastructure Information designation, which has statutorily prescribed criteria for applying, sharing and protecting the information, whereas 13 agencies designate information For Official Use Only, which does not have similarly prescribed criteria. Sometimes agencies used different labels and handling requirements for similar information and, conversely, similar labels and requirements for very different kinds of information. More than half of the agencies reported encountering challenges in sharing such information. For example, DHS said that sensitive but unclassified information disseminated to its state and local partners had, on occasion, been posted to public Internet sites or otherwise compromised, potentially revealing possible vulnerabilities to business competitors.
Here's the list:
Table 2: Sensitive but Unclassified Designations in Use at Selected Federal Agencies
I've already written about SSI (Sensitive Security Information).
Really good advice, step by step.
The National Institute of Standards and Technology has released a document detailing how federal agencies should manage security logs: NIST Special Publication 800-92: Guide to Computer Security Log Management.
The Bundesamt für Sicherheit in der Informationstechnik, or Federal Office for Information Security, or BSI, is Germany's equivalent of the NSA. They have an English-language website that has a number of English-language security publications.
I'm sure this is a good idea, but I wonder when the first case of cheating-by-rootkit will occur.
I would like to bring your attention to two conferences. The Workshop on Economics and Information Security is now in its fifth year. The next one will be held on June 26-28 in Cambridge (England, not Massachusetts). The paper selections have been announced, and it looks like a great conference.
The The Workshop on the Economics of Securing the Information Infrastructure will be held on October 23-24 in Washington, DC. This is a new workshop, and papers are still being solicited.
WEIS is currently my favorite security conference. I think that economics has a lot to teach computer security, and it is very interesting to get economists, lawyers, and computer security experts in the same room talking about issues.
I am on the program committee for both WEIS and WESII.
While privacy remains a major concern for people around the world, a majority of consumers would share personal data if they knew the information was securely protected and if sharing it would make their lives easier, according to Unisys' Global Study on the Public's Perceptions about Identity Management.
The submission deadline was the end of April, and I had hoped to have picked winners by now. But there are just too many entrants to wade through.
I'll announce winners by the next Crypto-Gram; that's June 15.
(If any of you want to suggest a winner, please list your choices here.)
From the Federation of American Scientists:
A new study published by the CIA Center for the Study of Intelligence calls for a fundamental reconceptualization of the process of intelligence analysis in order to overcome the "pathologies" that have rendered it increasingly dysfunctional.
It's an interesting report. Unfortunately, the PDF on the website is scanned, so it's hard to copy and paste sections into this blog.
This is the line that's done best for me on the radio: "The NSA would like to remind everyone to call their mothers this Sunday. They need to calibrate their system."
Here's a cat in a squid hat.
Interesting first-person account of someone on the U.S. Terrorist Watch List:
To sum up, if you run afoul of the nation's "national security" apparatus, you're completely on your own. There are no firm rules, no case law, no real appeals processes, no normal array of Constitutional rights, no lawyers to help, and generally none of the other things that we as American citizens expect to be able to fall back on when we've been (justly or unjustly) identified by the government as wrong-doers.
Another in our series on the security problems of trusting people in uniform:
A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.
This is a big deal:
Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines.
The immediate solution to this problem isn't a patch. What that article refers to is election officials ensuring that they are running the "trusted" build of the software done at the federal labs and stored at the NSRL, just in case someone installed something bad in the meantime.
EDITED TO ADD (5/11): The redacted report is available.
There's other NSA news today: USA Today is reporting that the NSA is collecting a massive traffic-analysis database on Americans' phone calls. This looks like yet another piece of Echelon technology turned against Americans.
The NSA's domestic program, as described by sources, is far more expansive than what the White House has acknowledged. Last year, Bush said he had authorized the NSA to eavesdrop — without warrants — on international calls and international e-mails of people suspected of having links to terrorists when one party to the communication is in the USA. Warrants have also not been used in the NSA's efforts to create a national call database.
Note that this database does not just contain phone calls that either originate or terminate outside the U.S. This database is mostly domestic calls: calls we all make everyday.
AT&T, Verizon, and BellSouth are all providing this information to the NSA. Only Quest has refused.
According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order — or approval under FISA — to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used.
We should also assume that the cellphone companies received the same pressure, and probably caved.
This is important to every American, not just those with something to hide. Matthew Yglesias explains why:
It's important to link this up to the broader chain. One thing the Bush administration says it can do with this meta-data is to start tapping your calls and listening in, without getting a warrant from anyone. Having listened in on your calls, the administration asserts that if it doesn't like what it hears, it has the authority to detain you indefinitely without trial or charges, torture you until you confess or implicate others, extradite you to a Third World country to be tortured, ship you to a secret prison facility in Eastern Europe, or all of the above. If, having kidnapped and tortured you, the administration determines you were innocent after all, you'll be dumped without papers somewhere in Albania left to fend for yourself.
Judicial oversight is a security system, and unchecked military and police power is a security threat.
Computers are integral to everything NSA does, yet it is not uncommon for the agency's unstable computer system to freeze for hours, unlike the previous system, which had a backup mechanism that enabled analysts to continue their work, said Matthew Aid, a former NSA analyst and congressional intelligence staff member.
Five stories from Wired.
In related news, IBM thinks it has a solution to the RFID privacy problem:
The so-called Clipped Tag has a notched antenna that consumers can tear off, much like the end of a ketchup packet. Removing this panel drastically reduces the readable range of the device, from about 30 feet to less than 2 inches, according to IBM.
According to the specs of the new Nintendo Wii (their new game machine), "Wii can communicate with the Internet even when the power is turned off." Nintendo accentuates the positive: "This WiiConnect24 service delivers a new surprise or game update, even if users do not play with Wii," while ignoring the possibility that Nintendo can deactivate a game if they choose to do so, or that someone else can deliver a different -- not so wanted -- surprise.
We all know that, but what's interesting here is that Nintendo is changing the meaning of the word "off." We are all conditioned to believe that "off" means off, and therefore safe. But in Nintendo's case, "off" really means something like "on standby." If users expect the Nintendo Wii to be truly off, they need to pull the power plug -- assuming there isn't a battery foiling that tactic. Maybe they need to pull both the power plug and the Ethernet cable. Unless they have a wireless network at home.
Maybe there is no way to turn the Nintendo Wii off.
There's a serious security problem here, made worse by a bad user interface. "Off" should mean off.
Reporter finds an old British Airways boarding pass, and proceeds to use it to find everything else about the person:
We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
Notice the economic pressures:
"The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return," says Laurie. "Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors."
This one really pegs the movie-plot threat hype-meter:
The technology for remote-controlled light aircraft is now highly advanced, widely available -- and, experts say, virtually unstoppable.
According to the BBC:
Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers' accounts.
This is just sad:
"These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed," said Apacs spokeswoman Sandra Quinn.
That spokesperson simply can't conceive of the fact that those "relevant industry standards" were written by those trying to sell the technology, and might possibly not be enough to ensure security.
EDITED TO ADD (5/8): Arrests have been made. And details emerge:
The scam works by criminals implanting devices into chip and pin machines which can copy a bank card's magnetic strip and record a person's pin number.
This is a common attack, one that I talk about in Beyond Fear: falling back to a less secure system. The attackers made use of the fact that there is a less secure system that is running parallel to the chip-and-pin system. Clever.
From the ACLU:
In 2003, the United States and the European Union reached an agreement under which the EU would share Passenger Name Record (PNR) data with the U.S., despite the lack of privacy laws in the United States adequate to ensure Europeans' privacy. In return, DHS agreed that the passenger data would not be used for any purpose other than preventing acts of terrorism or other serious crimes. It is now clear that DHS did not abide by that agreement.
Watch the video "Gavin and his toys."
"Or we might lose the entire camera if it gets eaten by a giant squid."
The rapper MC Plus+ has written a song about cryptography, "Alice and Bob." It mentions DES, AES, Blowfish, RSA, SHA-1, and more. And me!
EDITED TO ADD (5/8): An article about "geeksta rap."
While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands.
An improv group in New York dressed similarly to Best Buy employees and went into a store, secretly video taping the results.
My favorite part:
Security guards and managers started talking to each other frantically on their walkie-talkies and headsets. "Thomas Crown Affair! Thomas Crown Affair!," one employee shouted. They were worried that were using our fake uniforms to stage some type of elaborate heist. "I want every available employee out on the floor RIGHT NOW!"
Since the people did not actually try to impersonate Best Buy employees, could they be charged with any crime?
When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer.
You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.
Using the hacker sense of the term, your computer is "owned" by other people.
It used to be that only malicious hackers were trying to own your computers. Whether through worms, viruses, Trojans or other means, they would try to install some kind of remote-control program onto your system. Then they'd use your computers to sniff passwords, make fraudulent bank transactions, send spam, initiate phishing attacks and so on. Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.
Now, things are not so simple. There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.
Adware, software-as-a-service and Google Desktop search are all examples of some other company trying to own your computer. And Trusted Computing will only make the problem worse.
There is an inherent insecurity to technologies that try to own people's computers: They allow individuals other than the computers' legitimate owners to enforce policy on those machines. These systems invite attackers to assume the role of the third party and turn a user's device against him.
Remember the Sony story: The most insecure feature in that DRM system was a cloaking mechanism that gave the rootkit control over whether you could see it executing or spot its files on your hard disk. By taking ownership away from you, it reduced your security.
If left to grow, these external control systems will fundamentally change your relationship with your computer. They will make your computer much less useful by letting corporations limit what you can do with it. They will make your computer much less reliable because you will no longer have control of what is running on your machine, what it does, and how the various software components interact. At the extreme, they will transform your computer into a glorified boob tube.
You can fight back against this trend by only using software that respects your boundaries. Boycott companies that don't honestly serve their customers, that don't disclose their alliances, that treat users like marketing assets. Use open-source software -- software created and owned by users, with no hidden agendas, no secret alliances and no back-room marketing deals.
Just because computers were a liberating force in the past doesn't mean they will be in the future. There is enormous political and economic power behind the idea that you shouldn't truly own your computer or your software, despite having paid for it.
This essay originally appeared on Wired.com.
EDITED TO ADD (5/5): Commentary. It seems that some of my examples were not very good. I'll come up with other ones for the Crypto-Gram version.
Convicted felon Michael Crooker is suing Compaq (now HP) for false advertising. He bought a computer promised to be secure, but the FBI got his data anyway:
He bought it in September 2002, expressly because it had a feature called DriveLock, which freezes up the hard drive if you don't have the proper password.
I think this is great. It's about time that computer companies were held liable for their advertising claims.
But his lawsuit against HP may be a long shot. Crooker appears to face strong counterarguments to his claim that HP is guilty of breach of contract, especially if the FBI made the company provide a backdoor.
My final quote in the article:
"Unfortunately, this probably isn't a great case," Schneier said. "Here's a man who's not going to get much sympathy. You want a defendant who bought the Compaq computer, and then, you know, his competitor, or a rogue employee, or someone who broke into his office, got the data. That's a much more sympathetic defendant."
Here's an assault weapon that passes through X-ray machine scanners.
A newspaper promotion for Tom Cruise's "Mission: Impossible III" movie was off to an explosive start when a California arson squad blew up a news rack, thinking it contained a bomb.
You just can't make this stuff up.
BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM). Basically, it encrypts the C drive with a computer-generated key. In its basic mode, an attacker can still access the data on the drive by guessing the user's password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer.
There are several modes for BitLocker. In the simplest mode, the TPM stores the key and the whole thing happens completely invisibly. The user does nothing differently, and notices nothing different.
The BitLocker key can also be stored on a USB drive. Here, the user has to insert the USB drive into the computer during boot. Then there's a mode that uses a key stored in the TPM and a key stored on a USB drive. And finally, there's a mode that uses a key stored in the TPM and a four-digit PIN that the user types into the computer. This happens early in the boot process, when there's still ASCII text on the screen.
Note that if you configure BitLocker with a USB key or a PIN, password guessing doesn't work. BitLocker doesn't even let you get to a password screen to try.
For most people, basic mode is the best. People will keep their USB key in their computer bag with their laptop, so it won't add much security. But if you can force users to attach it to their keychains -- remember that you only need the key to boot the computer, not to operate the computer -- and convince them to go through the trouble of sticking it in their computer every time they boot, then you'll get a higher level of security.
There is a recovery key: optional but strongly encouraged. It is automatically generated by BitLocker, and it can be sent to some administrator or printed out and stored in some secure location. There are ways for an administrator to set group policy settings mandating this key.
There aren't any back doors for the police, though.
You can get BitLocker to work in systems without a TPM, but it's kludgy. You can only configure it for a USB key. And it only will work on some hardware: because BItLocker starts running before any device drivers are loaded, the BIOS must recognize USB drives in order for BitLocker to work.
Encryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. Administrators can select the disk encryption algorithm through group policy. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.) The key management system uses 256-bit keys wherever possible. The only place where a 128-bit key limit is hard-coded is the recovery key, which is 48 digits (including checksums). It's shorter because it has to be typed in manually; typing in 96 digits will piss off a lot of people -- even if it is only for data recovery.
So, does this destroy dual-boot systems? Not really. If you have Vista running, then set up a dual boot system, Bitlocker will consider this sort of change to be an attack and refuse to run. But then you can use the recovery key to boot into Windows, then tell BitLocker to take the current configuration -- with the dual boot code -- as correct. After that, your dual boot system will work just fine, or so I've been told. You still won't be able to share any files on your C drive between operating systems, but you will be able to share files on any other drive.
The problem is that it's impossible to distinguish between a legitimate dual boot system and an attacker trying to use another OS -- whether Linux or another instance of Vista -- to get at the volume.
BitLocker is not a panacea. But it does mitigate a specific but significant risk: the risk of attackers getting at data on drives directly. It allows people to throw away or sell old drives without worry. It allows people to stop worrying about their drives getting lost or stolen. It stops a particular attack against data.
Right now BitLocker is only in the Ultimate and Enterprise editions of Vista. It's a feature that is turned off by default. It is also Microsoft's first TPM application. Presumably it will be enhanced in the future: allowing the encryption of other drives would be a good next step, for example.
EDITED TO ADD (5/3): BitLocker is not a DRM system. However, it is straightforward to turn it into a DRM system. Simply give programs the ability to require that files be stored only on BitLocker-enabled drives, and then only be transferrable to other BitLocker-enabled drives. How easy this would be to implement, and how hard it would be to subvert, depends on the details of the system.
Verizon has announced that is has activated the Access Overload Control (ACCOLC) system, allowing some cell phones to have priority access to the network, even when the network is overloaded.
If you are a first responder with a Verizon phone, please visit the government's WPS Requestor to provide the necessary information to have your handset activated.
Sounds like you're going to have to enter some sort of code into your handset. I wonder how long before someone hacks that system.
Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..