Schneier on Security
A blog covering security and security technology.
May 2007 Archives
Cool science and engineering, but definitely a movie-plot threat.
If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don't run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can't climb trees. But don't do that if you're being chased by an elephant; he'll just knock the tree down. Stand still until he forgets about you.
I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What's interesting about this advice is how well-defined it is. The defenses might not be terribly effective -- you still might get eaten, gored or trampled -- but they're your best hope. Doing something else isn't advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.
Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we're also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters. If improvised explosive devices didn't work often enough, Iraqi insurgents would do something else.
So security against people generally focuses on tactics as well.
A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn't find it. Burglars tend to look in the same places all the time -- dresser tops, night tables, dresser drawers, bathroom counters -- so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he's found your stash and then leave. Again, there's no guarantee of success, but it's your best hope.
The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data. A single instance of an attack that didn't work -- liquid bombs, shoe bombs -- or one instance that did -- 9/11 -- is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: "We've only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion...." The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.
Compare this with the Transportation Security Administration's approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.
Furthermore, human attackers can adapt more quickly than lions. A lion won't learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common "secret" places people hide their valuables -- the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed -- and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place.
This is the arms race of security. Common attack tactics result in common countermeasures. Eventually, those countermeasures will be evaded and new attack tactics developed. These, in turn, require new countermeasures. You can easily see this in the constant arms race that is credit card fraud, ATM fraud or automobile theft.
The result of these tactic-specific security countermeasures is to make the attacker go elsewhere. For the most part, the attacker doesn't particularly care about the target. Lions don't care who or what they eat; to a lion, you're just a conveniently packaged bag of protein. Burglars don't care which house they rob, and terrorists don't care who they kill. If your countermeasure makes the lion attack an impala instead of you, or if your burglar alarm makes the burglar rob the house next door instead of yours, that's a win for you.
Tactics matter less if the attacker is after you personally. If, for example, you have a priceless painting hanging in your living room and the burglar knows it, he's not going to rob the house next door instead -- even if you have a burglar alarm. He's going to figure out how to defeat your system. Or he'll stop you at gunpoint and force you to open the door. Or he'll pose as an air-conditioner repairman. What matters is the target, and a good attacker will consider a variety of tactics to reach his target.
This approach requires a different kind of countermeasure, but it's still well-understood in the security world. For people, it's what alarm companies, insurance companies and bodyguards specialize in. President Bush needs a different level of protection against targeted attacks than Bill Gates does, and I need a different level of protection than either of them. It would be foolish of me to hire bodyguards in case someone was targeting me for robbery or kidnapping. Yes, I would be more secure, but it's not a good security trade-off.
Al-Qaida terrorism is different yet again. The goal is to terrorize. It doesn't care about the target, but it doesn't have any pattern of tactic, either. Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response. And to refuse to be terrorized.
These measures are effective because they don't assume any particular tactic, and they don't assume any particular target. We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don't stare them down). Otherwise, general countermeasures are far more effective a defense.
This essay originally appeared on Wired.com.
EDITED TO ADD (6/14): Learning behavior in tigers.
This is a surreal story of someone who was chained up for hours for trying to spend $2 bills. Clerks at Best Buy thought the bills were counterfeit, and had him arrested.
The most surreal quote of the article is the last sentence:
Commenting on the incident, Baltimore County police spokesman Bill Toohey told the Sun: "It's a sign that we're all a little nervous in the post-9/11 world."
What in the world do the terrorist attacks of 9/11 have to do with counterfeiting? How does being "a little nervous in the post-9/11 world" have anything to do with this incident? Counterfeiting is not terrorism; it isn't even a little bit like terrorism.
EDITED TO ADD (5/30): The story is from 2005.
Last November, the Data Privacy and Integrity Advisory Committee of the Department of Homeland Security recommended against putting RFID chips in identity cards. DHS ignored them, and went ahead with the project anyway. Now, the Smart Card Alliance is criticizing the DHS's RFID program for cross-border identification, basically saying that it is making the very mistakes the Data Privacy and Integrity Advisory Committee warned about.
I thought terrorism is why we have a DHS, but they've been preoccupied with other things:
Of the 814,073 people charged by DHS in immigration courts during the past three years, 12 faced charges of terrorism, TRAC said.
TRAC is a great group, and I recommend wandering around their site if you're interested in what the U.S. government is actually doing.
Details from TheRegister.
Insider attacks are hard to defend against. One of the most important defenses is a good audit trail, so that when something happens you can figure out who did it.
A water sink toy designed to simulate a squid.
An apparatus for gutting squid.
A method for detection of a monovalent cation, using a photoprotein derived from squid.
I was interviewed by ITSecurity.
IPOWER declined a phone interview for this story. But the company acknowledged in an e-mail that "over the past three months our servers were targeted. We take this situation very seriously and a diligent cleanup effort has been underway for many months already. We saw the StopBadware report on the day it came out and went to download the list to sweep it as quickly as possible. By looking at the list, it was evident that our cleanup efforts were already helping significantly. By the time we downloaded the list, there were already over a few thousand accounts less than what they claimed in their report."
And an interesting point:
An Internet service provider or Web host can take action within 48 hours if it receives a "takedown notice," under the Digital Millennium Copyright Act. The law protects network owners from copyright infringement liability, provided they take steps to promptly remove the infringing content. Yet ISPs and Web hosts often leave sites undisturbed for months that cooperate in stealing financial data and consumer identities.
Yet another step in the militarization of the police:
The machines, which are flown by remote control or using pre-programmed GPS navigation systems, are silent and can be fitted with night-vision cameras.
As if there aren't enough cameras already in the UK.
This is a joke, right?
A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a member of the military on May 10 as he went through the security checkpoint.
We spend billions on airport security, and we have so little to show for it that the TSA has to make a big deal about the crime of impersonating a member of the military?
From the U.S. GAO: "Aviation Security: Efforts to Strengthen International Prescreening are Under Way, but Planning and Implementations Remain," May 2007.
What GAO Found
Good article on image spam:
A year ago, fewer than five out of 100 e-mails were image spam, according to Doug Bowers of Symantec. Today, up to 40 percent are. Meanwhile, image spam is the reason spam traffic overall doubled in 2006, according to antispam company Borderware. It is expected to keep rising.
Definitely look at the interactive graphics page.
Their argument is rooted, ironically, in the Digital Millenium Copyright Act that U.S. lawmakers approved in 1998. The Alluc.org kids, as well as the operators of most sites that let users upload content, argue that they're not violating copyright law if they're not the ones putting it up and if they take it down at the copyright holder's request. It's the same argument Google is making in its YouTube case.
We have a new factoring record: 307 digits. It's a special number -- 2^1039 - 1 -- but the techniques can be generalized:
Is the writing on the wall for 1024-bit encryption" "The answer to that question is an unqualified yes," says Lenstra. For the moment the standard is still secure, because it is much more difficult to factor a number made up of two huge prime numbers, such as an RSA number, than it is to factor a number like this one that has a special mathematical form. But the clock is definitely ticking. "Last time, it took nine years for us to generalize from a special to a non-special hard-to factor number (155 digits). I won't make predictions, but let's just say it might be a good idea to stay tuned."
I hope RSA applications would have moved away from 1024-bit security years ago, but for those who haven't yet: wake up.
EDITED TO ADD (5/21): That's 1023 bits. (I should have said that.)
London is running a dirty-bomb drill. Mostly a movie-plot threat, but these sorts of drills are useful, regardless of the scenario.
I agree with this:
As ever, plain old explosives are the big worry. As for chemicals, compare the effects of the Tokyo subway gas attack (10 terrorists, five attacks each involving 1kg of hard-to-get sarin nerve gas, 12 dead total) with a typical backpack-bomb attack (London 7/7: four terrorists, four simple home made devices, 52 dead). Only a stupid attacker would bother with chemicals. Real pros like the IRA, for instance, never have.
Although with a dirty bomb, the media-inspired panic would certainly be a huge factor.
Don't say that I didn't warn you:
If you are sitting next to someone who irritates you on a plane or train...
If you try it, post what happened in comments.
Literal CYA security.
They explain how their attack on the 802.11 wireless security protocol works.
Everyone had a reaction to the horrific events of the Virginia Tech shootings. Some of those reactions were rational. Others were not.
A high school student was suspended for customizing a first-person shooter game with a map of his school. A contractor was fired from his government job for talking about a gun, and then visited by the police when he created a comic about the incident. A dean at Yale banned realistic stage weapons from the university theaters -- a policy that was reversed within a day. And some teachers terrorized a sixth-grade class by staging a fake gunman attack, without telling them that it was a drill.
These things all happened, even though shootings like this are incredibly rare; even though -- for all the press -- less than one percent (.pdf) of homicides and suicides of children ages 5 to 19 occur in schools. In fact, these overreactions occurred, not despite these facts, but because of them.
The Virginia Tech massacre is precisely the sort of event we humans tend to overreact to. Our brains aren't very good at probability and risk analysis, especially when it comes to rare occurrences. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. There's a lot of research in the psychological community about how the brain responds to risk -- some of it I have already written about -- but the gist is this: Our brains are much better at processing the simple risks we've had to deal with throughout most of our species' existence, and much poorer at evaluating the complex risks society forces us to face today.
Novelty plus dread equals overreaction.
We can see the effects of this all the time. We fear being murdered, kidnapped, raped and assaulted by strangers, when it's far more likely that the perpetrator of such offenses is a relative or a friend. We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic violence -- both far more common.
In the United States, dogs, snakes, bees and pigs each kill more people per year (.pdf) than sharks. In fact, dogs kill more humans than any animal except for other humans. Sharks are more dangerous than dogs, yes, but we're far more likely to encounter dogs than sharks.
Our greatest recent overreaction to a rare event was our response to the terrorist attacks of 9/11. I remember then-Attorney General John Ashcroft giving a speech in Minnesota -- where I live -- in 2003, and claiming that the fact there were no new terrorist attacks since 9/11 was proof that his policies were working. I thought: "There were no terrorist attacks in the two years preceding 9/11, and you didn't have any policies. What does that prove?"
What it proves is that terrorist attacks are very rare, and maybe our reaction wasn't worth the enormous expense, loss of liberty, attacks on our Constitution and damage to our credibility on the world stage. Still, overreacting was the natural thing for us to do. Yes, it's security theater, but it makes us feel safer.
People tend to base risk analysis more on personal story than on data, despite the old joke that "the plural of anecdote is not data." If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.
We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone's major storyteller these days? Television. (Nassim Nicholas Taleb's great book, The Black Swan: The Impact of the Highly Improbable, discusses this.)
Consider the reaction to another event from last month: professional baseball player Josh Hancock got drunk and died in a car crash. As a result, several baseball teams are banning alcohol in their clubhouses after games. Aside from this being a ridiculous reaction to an incredibly rare event (2,430 baseball games per season, 35 people per clubhouse, two clubhouses per game. And how often has this happened?), it makes no sense as a solution. Hancock didn't get drunk in the clubhouse; he got drunk at a bar. But Major League Baseball needs to be seen as doing something, even if that something doesn't make sense -- even if that something actually increases risk by forcing players to drink at bars instead of at the clubhouse, where there's more control over the practice.
I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying.
But that's not the way we think. Psychologist Scott Plous said it well in The Psychology of Judgment and Decision Making: "In very general terms: (1) The more available an event is, the more frequent or probable it will seem; (2) the more vivid a piece of information is, the more easily recalled and convincing it will be; and (3) the more salient something is, the more likely it will be to appear causal."
So, when faced with a very available and highly vivid event like 9/11 or the Virginia Tech shootings, we overreact. And when faced with all the salient related events, we assume causality. We pass the Patriot Act. We think if we give guns out to students, or maybe make it harder for students to get guns, we'll have solved the problem. We don't let our children go to playgrounds unsupervised. We stay out of the ocean because we read about a shark attack somewhere.
It's our brains again. We need to "do something," even if that something doesn't make sense; even if it is ineffective. And we need to do something directly related to the details of the actual event. So instead of implementing effective, but more general, security measures to reduce the risk of terrorism, we ban box cutters on airplanes. And we look back on the Virginia Tech massacre with 20-20 hindsight and recriminate ourselves about the things we should have done.
Lastly, our brains need to find someone or something to blame. (Jon Stewart has an excellent bit on the Virginia Tech scapegoat search, and media coverage in general.) But sometimes there is no scapegoat to be found; sometimes we did everything right, but just got unlucky. We simply can't prevent a lone nutcase from shooting people at random; there's no security measure that would work.
As circular as it sounds, rare events are rare primarily because they don't occur very often, and not because of any preventive security measures. And implementing security measures to make these rare events even rarer is like the joke about the guy who stomps around his house to keep the elephants away.
"Elephants? There are no elephants in this neighborhood," says a neighbor.
"See how well it works!"
If you want to do something that makes security sense, figure out what's common among a bunch of rare events, and concentrate your countermeasures there. Focus on the general risk of terrorism, and not the specific threat of airplane bombings using liquid explosives. Focus on the general risk of troubled young adults, and not the specific threat of a lone gunman wandering around a college campus. Ignore the movie-plot threats, and concentrate on the real risks.
This essay originally appeared on Wired.com, my 42nd essay on that site.
EDITED TO ADD (6/5): Archiloque has translated this essay into French.
EDITED TO ADD (6/14): The British academic risk researcher Prof. John Adams wrote an insightful essay on this topic called "What Kills You Matters -- Not Numbers."
Subscribe online here.
In the April 2007 issue of Queue, Dan Geer writes about security trade-offs, monoculture, and genetic diversity in honeybees:
Security people are never in charge unless an acute embarrassment has occurred. Otherwise, their advice is tempered by "economic reality," which is to say that security is means, not an end. This is as it should be. Since means are about tradeoffs, security is about tradeoffs, but you already knew that.
In an effort to prevent terrorism, parts of the mobile phone network will be disabled when President Bush visits Australia. I've written about this kind of thing before; it's a perfect example of security theater: a countermeasure that works if you happen to guess the specific details of the plot correctly, and completely useless otherwise.
On the plus side, it's only a small area that's blocked:
It is expected mobile phone calls will drop out in an area the size of a football field as the helicopter passes overhead.
EDITED TO ADD (5/19): Slashdot thread.
EDITED TO ADD (5/20): The Register article.
I've written about the death of ephemeral conversation, the rise of wholesale surveillance, and the electronic audit trail that now follows us through life. Viktor Mayer-Schönberger, a professor in Harvard's JFK School of Government, has noticed this too, and believes that computers need to forget.
Why would we want our machines to "forget"? Mayer-Schönberger suggests that we are creating a Benthamist panopticon by archiving so many bits of knowledge for so long. The accumulated weight of stored Google searches, thousands of family photographs, millions of books, credit bureau information, air travel reservations, massive government databases, archived e-mail, etc., can actually be a detriment to speech and action, he argues.
For years the police have entered homes and offices, hauled away filing cabinets full of records, and searched them back at the police station for evidence. In Fourth Amendment terms, these actions are entry, seizure, and search, respectively, and usually require the police to obtain a warrant. Modern-day police can avoid some of these messy steps with the help of technology: They have tools that duplicate stored records and collect evidence of behavior, all from a distance and without the need for physical entry. These tools generate huge amounts of data that may be searched immediately or stored indefinitely for later analysis. Meanwhile, it is unclear whether the Fourth Amendment’s restrictions apply to these technologies: Are the acts of duplication and collection themselves seizure? Before the data are analyzed, has a search occurred?
It's called "Just Doesn't Look Right":
In the casino business, or any other, we tend to become complacent, and we stop paying attention to the little things. But a really sharp observer will still be shocked awake at some little unexplained thing: the five o'clock shadow on the woman sitting opposite the big-money player, or too many people watching that game, or the fellow who keeps looking directly at the cameras. The guy who looks as though he slept under an overpass carrying a new shopping bag from Nieman-Marcus, the two players on a table game whose arms were held against their chests, the bulge under that character's jacket and the man wearing an overcoat on an August day in Las Vegas.
There are security experts who insist penetration testing is essential for network security, and you have no hope of being secure unless you do it regularly. And there are contrarian security experts who tell you penetration testing is a waste of time; you might as well throw your money away. Both of these views are wrong. The reality of penetration testing is more complicated and nuanced.
Penetration testing is a broad term. It might mean breaking into a network to demonstrate you can. It might mean trying to break into a network to document vulnerabilities. It might involve a remote attack, physical penetration of a data center or social engineering attacks. It might use commercial or proprietary vulnerability scanning tools, or rely on skilled white-hat hackers. It might just evaluate software version numbers and patch levels, and make inferences about vulnerabilities.
It's going to be expensive, and you'll get a thick report when the testing is done.
And that's the real problem. You really don't want a thick report documenting all the ways your network is insecure. You don't have the budget to fix them all, so the document will sit around waiting to make someone look bad. Or, even worse, it'll be discovered in a breach lawsuit. Do you really want an opposing attorney to ask you to explain why you paid to document the security holes in your network, and then didn't fix them? Probably the safest thing you can do with the report, after you read it, is shred it.
Given enough time and money, a pen test will find vulnerabilities; there's no point in proving it. And if you're not going to fix all the uncovered vulnerabilities, there's no point uncovering them. But there is a way to do penetration testing usefully. For years I've been saying security consists of protection, detection and response--and you need all three to have good security. Before you can do a good job with any of these, you have to assess your security. And done right, penetration testing is a key component of a security assessment.
I like to restrict penetration testing to the most commonly exploited critical vulnerabilities, like those found on the SANS Top 20 list. If you have any of those vulnerabilities, you really need to fix them.
If you think about it, penetration testing is an odd business. Is there an analogue to it anywhere else in security? Sure, militaries run these exercises all the time, but how about in business? Do we hire burglars to try to break into our warehouses? Do we attempt to commit fraud against ourselves? No, we don't.
Penetration testing has become big business because systems are so complicated and poorly understood. We know about burglars and kidnapping and fraud, but we don't know about computer criminals. We don't know what's dangerous today, and what will be dangerous tomorrow. So we hire penetration testers in the belief they can explain it.
There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable.
Now, go do something useful about it.
This essay appeared in the March issue of Information Security, as the first half of a point/counterpoint with Marcus Ranum. Here's his half.
Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don't have the capability to protect that information.
There are actually two problems here: Personal information is easy to steal, and it's valuable once stolen. We can't solve one problem without solving the other. The solutions aren't easy, and you're not going to like them.
First, fix the economic problem. Credit card companies make more money extending easy credit and making it trivial for customers to use their cards than they lose from fraud. They won't improve their security as long as you (and not they) are the one who suffers from identity theft. It's the same for banks and brokerages: As long as you're the one who suffers when your account is hacked, they don't have any incentive to fix the problem. And data brokers like ChoicePoint are worse; they don't suffer if they reveal your information. You don't have a business relationship with them; you can't even switch to a competitor in disgust.
Credit card security works as well as it does because the 1968 Truth in Lending Law limits consumer liability for fraud to $50. If the credit card companies could pass fraud losses on to the consumers, they would be spending far less money to stop those losses. But once Congress forced them to suffer the costs of fraud, they invented all sorts of security measures--real-time transaction verification, expert systems patrolling the transaction database and so on--to prevent fraud. The lesson is clear: Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it's in the financial interest of financial institutions to protect us from identity theft, they will.
Second, stop using personal information to authenticate people. Watch how credit cards work. Notice that the store clerk barely looks at your signature, or how you can use credit cards remotely where no one can check your signature. The credit card industry learned decades ago that authenticating people has only limited value. Instead, they put most of their effort into authenticating the transaction, and they're much more secure because of it.
This won't solve the problem of securing our personal information, but it will greatly reduce the threat. Once the information is no longer of value, you only have to worry about securing the information from voyeurs rather than the more common--and more financially motivated--fraudsters.
And third, fix the other economic problem: Organizations that expose our personal information aren't hurt by that exposure. We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don't care for it properly.
"Passwords" like credit card numbers and mother's maiden name used to work, but we've forever left the world where our privacy comes from the obscurity of our personal information and the difficulty others have in accessing it. We need to abandon security systems that are based on obscurity and difficulty, and build legal protections to take over where technological advances have left us exposed.
This essay appeared in the January issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum. Here's his half.
An actual Google Adwords campaign.
EDITED TO ADD (5/19): Slashdot thread.
Actually, it looks kind of dorky.
This sounds like bullshit to me:
Small, egg-shaped and promising 'divine' vibrations, a UK sex toy has been deemed a threat to Cyprus's national security. According to the company Ann Summers, the Love Bug 2 has been banned because the Cypriot military is concerned its electronic waves would disrupt the army's radio frequencies. Operated by a remote control with a range of six metres, it is described by Ann Summers as 'deceptively powerful'. The company said: "The Love Bug 2 is available in Cyprus but we have had to put a warning out urging Cypriots not to use it."
Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced.
Data collection in 1984 was deliberate; today's is inadvertent. In the information society, we generate data naturally. In Orwell's world, people were naturally anonymous; today, we leave digital footprints everywhere.
1984's police state was centralized; today's is decentralized. Your phone company knows who you talk to, your credit card company knows where you shop and Netflix knows what you watch. Your ISP can read your email, your cell phone can track your movements and your supermarket can monitor your purchasing patterns. There's no single government entity bringing this together, but there doesn't have to be. As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers.
1984's Big Brother was run by the state; today's Big Brother is market driven. Data brokers like ChoicePoint and credit bureaus like Experian aren't trying to build a police state; they're just trying to turn a profit. Of course these companies will take advantage of a national ID; they'd be stupid not to. And the correlations, data mining and precise categorizing they can do is why the U.S. government buys commercial data from them.
1984-style police states required lots of people. East Germany employed one informant for every 66 citizens. Today, there's no reason to have anyone watch anyone else; computers can do the work of people.
1984-style police states were expensive. Today, data storage is constantly getting cheaper. If some data is too expensive to save today, it'll be affordable in a few years.
And finally, the police state of 1984 was deliberately constructed, while today's is naturally emergent. There's no reason to postulate a malicious police force and a government trying to subvert our freedoms. Computerized processes naturally throw off personalized data; companies save it for marketing purposes, and even the most well-intentioned law enforcement agency will make use of it.
Of course, Orwell's Big Brother had a ruthless efficiency that's hard to imagine in a government today. But that completely misses the point. A sloppy and inefficient police state is no reason to cheer; watch the movie Brazil and see how scary it can be. You can also see hints of what it might look like in our completely dysfunctional "no-fly" list and useless projects to secretly categorize people according to potential terrorist risk. Police states are inherently inefficient. There's no reason to assume today's will be any more effective.
The fear isn't an Orwellian government deliberately creating the ultimate totalitarian state, although with the U.S.'s programs of phone-record surveillance, illegal wiretapping, massive data mining, a national ID card no one wants and Patriot Act abuses, one can make that case. It's that we're doing it ourselves, as a natural byproduct of the information society.We're building the computer infrastructure that makes it easy for governments, corporations, criminal organizations and even teenage hackers to record everything we do, and -- yes -- even change our votes. And we will continue to do so unless we pass laws regulating the creation, use, protection, resale and disposal of personal data. It's precisely the attitude that trivializes the problem that creates it.
Singapore is setting up a $98M research center for quantum computation.
Great news, but what in the world does this quote mean?
Professor Artur Ekert, Director, Research Centre of Excellence, said: "At the moment, you can buy quantum cryptography systems, you can use it in some simple applications but somehow you have to trust companies that sell it to you or you have to test the equipment.
Here's a great description of an anti-spam doorbell from 1933. A visitor had to deposit a dime into a slot to make the doorbell ring. If the homeowner appreciated the visit, he would return the dime. Otherwise, the dime became the cost of disturbing the homeowner.
This kind of system has been proposed for e-mail as well: the sender has to pay the receiver -- or someone else in the system -- a nominal amount for each e-mail sent. This money is returned if the e-mail is wanted, and forfeited if it is spam. The result would be to raise the cost of sending spam to the point where it is uneconomical.
I think it's worth comparing the two systems -- the doorbell system and the e-mail system -- to demonstrate why it won't work for spam.
The doorbell system fails for three reasons: the percentage of annoying visitors is small enough to make the system largely unnecessary, visitors don't generally have dimes on them (presumably fixable if the system becomes ubiquitous), and it's too easy to successfully bypass the system by knocking (not true for an apartment building).
The anti-spam system doesn't suffer from the first two problems: spam is an enormous percentage of total e-mail, and an automated accounting system makes the financial mechanics easy. But the anti-spam system is too easy to bypass, and it's too easy to hack. And once you set up a financial system, you're simply inviting hacks.
The anti-spam system fails because spammers don't have to send e-mail directly -- they can take over innocent computers and send it from them. So it's the people whose computers have been hacked into, victims in their own right, who will end up paying for spam. This risk can be limited by letting people put an upper limit on the money in their accounts, but it is still serious.
And criminals can exploit the system in the other direction, too. They could hack into innocent computers and have them send "spam" to their email addresses, collecting money in the process.
Trying to impose some sort of economic penalty on unwanted e-mail is a good idea, but it won't work unless the endpoints are trusted. And we're nowhere near that trust today.
Sometimes, that strange backpack is a bomb. Not very often, but once in a great while.
Still, I don't think it's possible to solve this by pre-emptively assuming that all strange objects are potential bombs. There are just too many strange objects in the world.
Remember the weird story about radio transmitters found in Canadian coins in order to spy on Americans?
The worried contractors described the coins as "anomalous" and "filled with something man-made that looked like nanotechnology," according to once-classified U.S. government reports and e-mails obtained by the AP.
SRI Lanka's powerful air force has been grounded by single-engined, propeller-driven aircraft adapted by Tamil Tiger guerillas to carry bombs under their wings. The "Flying Tigers" -- the tiny air wing of the brutal LTTE insurgents fighting for a separate Tamil state -- are proving more than a match for Sri Lanka's well-equipped air force.
The researcher claims this is "the first remotely exploitable SCADA security vulnerability," and I think that's correct.
In general, I think the threat of SCADA-based attacks are overblown today, but will become more serious in the coming years.
I've written about the U.S. national ID card -- REAL ID -- extensively (most recently here). The Department of Homeland Security has published draft rules regarding REAL ID, and are requesting comments. Comments are due today, by 5:00 PM Eastern Time. Please, please, please, go to this Privacy Coalition site and submit your comments. The DHS has been making a big deal about the fact that so few people are commenting, and we need to prove them wrong.
This morning the Senate Judiciary Committee held hearings on REAL ID (info -- and eventually a video -- here); I was one of the witnesses who testified.
And lastly, Richard Forno and I wrote this essay for News.com:
In March, the Department of Homeland Security released its long-awaited guidance document regarding national implementation of the Real ID program, as part of its post-9/11 national security initiatives. It is perhaps quite telling that despite bipartisan opposition, Real ID was buried in a 2005 "must-pass" military spending bill and enacted into law without public debate or congressional hearings.
Really. It will make a difference.
EDITED TO ADD (5/8): Status of anti-REAL-ID legislation in the states.
EDITED TO ADD (5/9): Article on the hearing.
This is a very interesting law journal paper:
The Myth of the Superuser: Fear, Risk, and Harm Online
If I have one complaint, it's that Ohm doesn't take into account the effects of the smarter hackers to encapsulate their expertise in easy-to-run software programs, and distribute them to those without the skill. He does mention this at the end, in a section about script kiddies, but I think this is a fundamental difference between hacking skills and other potentially criminal skills.
This is a weird story:
On January 4, 2005 Dr Lee and Ms Day presented their Lotto ticket at the World Square Newsagency Bookshop. A friend took their photo with the ticket before they handed it in and filled in a claim form.
Two teenage boys detonated a stink bomb on a Sydney commuter train, and prompted a counter-terrorism response.
"It would have been terrifying. You're on a train, you hear a loud bang, the logical conclusion that people drew was (that it was) probably a terrorist attack," Mr Owens told reporters.
I agree that it was the conclusion that people drew, but not that it was a logical conclusion.
The main sticking point was Homeland's unwillingness to accept Canada's legal problem with having U.S. authorities take fingerprints of people who approach the border but decide not to cross.
What they are calling Trojan.Kardphisher doesn't do most of the technical things that Trojan horses usually do; it's a pure social engineering attack, aimed at stealing credit card information. In a sense, it's a standalone phishing program.
More info here.
A good one, on cryptography.
Officers were called to Handcross at noon yesterday after a member of the public spotted the box under a bridge over the A23.
I like this comment:
We are working on ways to improve identification of our property to avoid a repeat of the incident.
Might I suggest a sign: "This is not a bomb."
Refuse to be terrorized, people!
We all know that CRT displays radiate like mad, and someone with the right equipment can read tham at a distance. Marcus Kuhn demonstrates how to do the same thing with LCD displays.
Project Honey Pot files a $1B+ lawsuit against spammers.
Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren't IT products and services naturally secure, and what would it mean for the industry if they were?
The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.
Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.
Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the internet. Initially we'd still be spending a comparable amount of money per year on security -- on secure development practices, on embedded security and so on -- but some of that money would be going into improving the quality of the IT products we're buying, and would reduce the amount we spend on security in future years.
I know this is a utopian vision that I probably won't see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers -- whether home users or multinational corporations -- care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure.
Eight years ago, I formed Counterpane Internet Security on the premise that end users (big corporate users, in this case) really don't want to have to deal with network security. They want to fly airplanes, produce pharmaceuticals or do whatever their core business is. They don't want to hire the expertise to monitor their network security, and will gladly farm it out to a company that can do it for them. We provided an array of services that took day-to-day security out of the hands of our customers: security monitoring, security-device management, incident response. Security was something our customers purchased, but they purchased results, not details.
Last year BT bought Counterpane, further embedding network security services into the IT infrastructure. BT has customers that don't want to deal with network management at all; they just want it to work. They want the internet to be like the phone network, or the power grid, or the water system; they want it to be a utility. For these customers, security isn't even something they purchase: It's one small part of a larger IT services deal. It's the same reason IBM bought ISS: to be able to have a more integrated solution to sell to customers.
This is where the IT industry is headed, and when it gets there, there'll be no point in user conferences like Infosec and RSA. They won't go away; they'll simply become industry conferences. If you want to measure progress, look at the demographics of these conferences. A shift toward infrastructure-geared attendees is a measure of success.
Of course, security products won't disappear -- at least, not in my lifetime. There'll still be firewalls, antivirus software and everything else. There'll still be startup companies developing clever and innovative security technologies. But the end user won't care about them. They'll be embedded within the services sold by large IT outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast. Or they'll be a check-box item somewhere in the core switch.
IT security is getting harder -- increasing complexity is largely to blame -- and the need for aftermarket security products isn't disappearing anytime soon. But there's no earthly reason why users need to know what an intrusion-detection system with stateful protocol analysis is, or why it's helpful in spotting SQL injection attacks. The whole IT security industry is an accident -- an artifact of how the computer industry developed. As IT fades into the background and becomes just another utility, users will simply expect it to work -- and the details of how it works won't matter.
This was my 41st essay for Wired.com.
EDITED TO ADD (5/3): Commentary.
EDITED TO ADD (5/4): More commentary.
EDITED TO ADD (5/10): More commentary.
Interesting research at Yale:
Dr. Brennan argues that elaborate female duck anatomy evolves as a countermeasure against aggressive males. "Once they choose a male, they're making the best possible choice, and that's the male they want siring their offspring," she said. "They don't want the guy flying in from who knows where. It makes sense that they would develop a defense."
The tampon taser/stun gun is the latest in portable and personal security systems. The beauty of this taser/stun gun, aptly named The Pink Stinger, is its ingenious design and ability to be concealed nicely and unassumingly into any purse for ultimate stealth. The taser's gentle glide zapplicator easily fits in the palm of your hand for incredible comfort and protection and ready for honorable discharge at a moments notice. In addition, its fresh floral scent helps eliminate the smell of fear, not just cover it up.
This product strictly for use in accordance with country or state laws. Need not be female or menstruating to use effectively. Tampon taser/stun gun to be used for security purposes only or in self defense. It is not intended nor recommended for vaginal insertion.
Encrypted phones are big business in Italy as a defense against wiretapping:
What has spurred encryption sales is not so much the legal wiretapping authorized by Italian magistrates -- though information about those calls is also frequently leaked to the press -- but the widespread availability of wiretapping technology over the Internet, which has created a growing pool of amateur eavesdroppers. Those snoops have a ready market in the Italian media for filched celebrity conversations.
There's a class-action lawsuit against TJX by various banks and banking groups:
The suit will argue that TJX failed to protect customer data with adequate security measures, and that the Framingham, Mass.-based retail giant was less than honest about how it handled data.
This case could break new legal ground, and is worth watching closely. (I'm rooting for the plaintiff.)
...the bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.