September 2007 Archives

Friday Squid Blogging: A Moaning Baby Giant Squid

From 1000 Days Non-Stop at Sea:

Last evening we were lying down on the pilothouse bunk discussing some technical problems we were having, when we heard the fishing line go out. "That's not a fish," I said. The line went out too slowly and we were only going 2.5 knots, hardly fish catching speed. Reid went to reel in the line like he usually does in the evenings. Two minutes later he says, "There's a fish! Bring me my headlamp." I felt around for the headlamp in the darkness of the pilothouse and rushed outside with it in hand. By this time, he knows it's not a regular fish. "Shine the light right here!" he says while using both hands to reel in the line. I point the light in that direction. Something Big was coming out of the water moaning a low pitched wailing sound. Fish don't moan. They squeak every now and then, but they don't moan. I had no idea what it could be. Reid didn't know either and many thoughts ran through our heads as to what we might be pulling in. Was it a mammal? A mermaid? An alien? We strained our eyes to see. There were some stars out, but no moon had risen to provide any light, so the water was a gurgling blackness that was easier to hear than see. I wasn't sure exactly where to direct the light, but that low wailing sound was freaking me out. Picture pulling in a big heavy unknown Thing from the deep dark ocean at night and it's crying. It hit the deck with a heavy squishy sound. It was hard to see anything in the darkness. I finally figured out where to put the light. We see a whole bunch of tentacles curling and waving and a round body about four inches in diameter and the continued moaning. We both realize at the same time it was a squid about four feet long, though its whole body wasn't onboard yet. Now I've had calamari. They're usually about five inches long, an inch in diameter, and cut into four pieces. This was not calamari. It was dark; who knew how high and far that thing could jump in an effort to get away.
I didn't want it in my lap, so I kept backing away on the yoga platform, until I realized I had to keep shining the light on the thing, still eerily moaning, so I crawled forward again. I swear I was so terrified. Somehow, it freed itself from the line and splashed back into the water. I don't know who was more grateful that it got away, me or the squid. I calmed down a bit after it went back into the water. Reid was disappointed at the time, but later he admitted, "I don't know what I would have done with a huge squid this time of day." On my part, I'll try not to think of those long moaning sounds too much.

Posted on September 28, 2007 at 4:59 PM

Can Smuggling in the U.S.

The U.S. has a patchwork of deposit laws on soft drink bottles and cans. Most states have no deposit, but some states -- Michigan, for example -- have deposits. The cans are the same, so you can make ten cents by buying a can in one state and then returning it for the deposit in Michigan.

Ten people have been arrested for making more than $500,000 doing this:

They ran grocery stores such as Save Plus Superstore in Pontiac, The Larosa Market in Sylvan Lake and Value Foods in Ypsilanti; police also raided The Farmer John, Savemart Food Center and the Americana Foods, all three in Detroit.

Investigators alleged that millions of non-redeemable out-of-state cans were collected, crushed, packaged in plastic bags and sold at a discount to merchants who then redeemed them.

Bulk redemption payments from the state are based on weight.

Nice arbitrage scam.

Posted on September 28, 2007 at 10:15 AM

Mathematicians vs. Cryptographers

Neal Koblitz publishes what is, honestly, a rant about the cryptography field. The interesting part to me is when he talks about the uneasy relationship between mathematicians and cryptographers. Cryptographers, he says, toss the term "provable security" around much too often, publish inconsequential papers far too often, and are generally sloppy about their research.

I can't say I disagree with any of that. Cryptographers come either from mathematics or computer science. The former -- like Koblitz -- are far more rigorous than the latter, but the latter tend to come up with much more practical systems.

EDITED TO ADD (9/28): Rebuttals by Oded Goldreich, Hugo Krawczyk, Jonathan Katz, Luca Trevisan, and Boaz Barak.

EDITED TO ADD (10/6): Kevin McCurley comments.

Posted on September 27, 2007 at 3:38 PM

NASA Using 1960s Cryptanalysis Techniques

Well, sort of.

This paper from the Goddard Space Center, "NiCd Space Battery Test Data Analysis Project, Phase 2 Quarterly Report, 1 Jan. - 30 Apr. 1967," uses "cryptanalytic techniques" -- some sort of tri-gram frequency analysis, I think -- to ferret out hidden clues about battery failures.

It's hard to imagine non-NSA cryptography in the U.S. from the 1960s. Basically, it was all alphabetic stuff. Even rotor machines were highly classified, and absolutely nothing was being done in binary.

Posted on September 27, 2007 at 6:14 AM

The Technology of Homeland Security

Reuters has an article on future security technologies. I've already talked about automatic license-plate-capture cameras and aerial surveillance (drones and satellites), but there's some new stuff:

Resembling the seed of a silver maple tree, the single-winged device would pack a tiny two-stage rocket thruster along with telemetry, communications, navigation, imaging sensors and a power source.

The nano air vehicle, or NAV, is designed to carry interchangeable payload modules -- the size of an aspirin tablet. It could be used for chemical and biological detection or finding a "needle in a haystack," according to Ned Allen, chief scientist at Lockheed's fabled Skunk Works research arm.

Released in organized swarms to fly low over a disaster area, the NAV sensors could detect human body heat and signs of breathing, Allen said.

And this:

Airport screening is another area that could be transformed within 10 years, using scanning wizardry to pinpoint a suspected security threat through biometrics -- based on one or more physical or behavioral traits.

"We can read fingerprints from about five meters...all 10 prints," said Bruce Walker, vice president of homeland security for Northrop Grumman Corp (NOC.N). "We can also do an iris scan at the same distance."

For a while I've been saying that this whole national ID debate will be irrelevant soon. In the future you won't have to show ID; they'll already know who you are.

Posted on September 26, 2007 at 6:13 AM

Chlorine and Cholera in Iraq

Excellent blog post:

So cholera has now reached Baghdad. That's not much of a surprise given the utter breakdown of infrastructure. But there's a reason the cholera is picking up speed now. From the NYT:

"We are suffering from a shortage of chlorine, which is sometimes zero," Dr. Ameer said in an interview on Al Hurra, an American-financed television network in the Middle East. "Chlorine is essential to disinfect the water."

So why is there is a shortage? Because insurgents have laced a few bombs with chlorine and the U.S. and Iraq have responded by making it darn hard to import the stuff. From the AP:

[A World Health Organization representative in Iraq] also said some 100,000 tons of chlorine were being held up at Iraq's border with Jordan, apparently because of fears the chemical could be used in explosives. She urged authorities to release it for use in decontaminating water supplies.

I understand why Iraq would put restrictions on dangerous chemicals. And I'm sure nobody intended for the restrictions to be so burdensome that they'd effectively cut off Iraq's clean water supply. But that's what looks to have happened. What makes it all the more tragic is that chlorine -- for all the hype and worry -- is actually a very ineffective booster for bombs. Of the roughly dozen chlorine-laced bombings in Iraq, it appears the chlorine has killed exactly nobody.

In other words, the biggest damage from chlorine bombs -- as with so many terrorist attacks -- has come from overreaction to it. Fear operates as a "force multiplier" for terrorists, and in this case has helped them cut off Iraq's clean water. Pretty impressive feat for some bombs that turned out to be close to duds.

I couldn't have said it better. In this case, the security countermeasure is worse than the threat. Same thing could be said about a lot of the terrorism countermeasures in the U.S.

Another article on the topic.

Posted on September 25, 2007 at 12:23 PM

Eavesdropping on a Fiber Optic Cable

It's easy to eavesdrop on a copper cable; fiber optic cable is much harder. Here's how to eavesdrop on a fiber optic cable: total hardware cost less than $1,000.

Posted on September 25, 2007 at 6:42 AM

Idiotic Cryptography Reporting

Oh, this is funny:

A team of researchers and engineers at a UK division of Franco-German aerospace giant EADS has developed what it believes is the world's first hacker-proof encryption technology for the internet.

[...]

Gordon Duncan, the division's government and commercial sales manager, said he was convinced that sensitive data could now be sent across the world without fear of it being spied on by hackers. "All the computer technology in the world cannot break it," he said yesterday.

At the heart of the system is the lightning speed with which the "keys" needed to enter the computer systems can be scrambled and re-formatted. Just when a hacker thinks he or she has broken the code, the code changes. "There is nothing to compare with it," said Mr Duncan.

EADS is in talks with the Pentagon about supplying the US military with the system, although some American defence companies are also working on what they believe will be fool-proof encryption systems.

Snake oil, absolute snake oil.

EDITED TO ADD (9/26): Steve Bellovin, who knows what he's talking about, writes:

Actually, it's not snake oil, it's very solid -- till it got to Marketing. The folks at EADS built a high-assurance, Type I (or the British equivalent) IP encryptor -- a HAIPE, in NSA-speak. Their enemy isn't "hackers", it's the PLA and the KGB++. See this and this.

Of course, Marketing did get hold of it.

David Lacey makes the same point here.

Posted on September 24, 2007 at 1:58 PM

Psychoecology and the DHS

Weird:

The Department of Homeland Security (DHS) has gone to many strange places in its search for ways to identify terrorists before they attack, but perhaps none stranger than this lab on the outskirts of Russia's capital. The institute has for years served as the center of an obscure field of human behavior study -- dubbed psychoecology -- that traces it roots back to Soviet-era mind control research.

[...]

SSRM Tek is presented to a subject as an innocent computer game that flashes subliminal images across the screen -- like pictures of Osama bin Laden or the World Trade Center. The "player" -- a traveler at an airport screening line, for example -- presses a button in response to the images, without consciously registering what he or she is looking at. The terrorist's response to the scrambled image involuntarily differs from the innocent person's, according to the theory.

Posted on September 24, 2007 at 7:34 AM

Friday Squid Blogging: Whale Eating Giant Squid

Caught on film, first time ever:

"We looked hard and saw a tentacle of a squid hanging from its mouth and there were other pieces of squid stuck to the whale’s body. It made a number of brusque movements on its side in the water to free the tentacle to eat it – and there we were filming and photographing it all."

He reckoned the squid could have been some five metres long, a comparatively modest size for the species. Examples have been found which reach 20 metres in length and weigh in at a thousand kilos!

Posted on September 21, 2007 at 4:05 PM

Mysterious Refrigerators in Toronto

Imagine if this happened in Boston?

Empty fridges suddenly popped up in the financial district, causing puzzled looks from passersby.

[...]

Security personnel weren't impressed.

When security got wind of the stunt, they arranged to have the fridges scooped up.

By 3 p.m., they were all gone.

No word on who the "security personnel" were. Police? Building guards? Canadian secret agents?

If this were Boston, there would have been a media frenzy, ridiculous statements by public officials, and prosecutions of those responsible.

EDITED TO ADD (10/11): Press release.

Posted on September 21, 2007 at 12:34 PM

Woman Arrested at Airport with Fake Bomb

Anyone know what's going on?

Star Simpson, 19, had a computer circuit board, wiring and a putty that later turned out to be Play-Doh in plain view over a black hooded sweat shirt she was wearing, said State Police Maj. Scott Pare, the commanding officer at the airport.

[...]

She was arrested about 8 a.m. outside Terminal C, home to United Airlines, Jet Blue and other carriers.

A Massachusetts Port Authority staffer manning an information booth in the terminal became suspicious when Simpson - wearing the device - approached to ask about an incoming flight, Pare said. Simpson then walked outside, and the information booth attendant notified a nearby trooper.

The trooper, joined by others with submachine guns, confronted her at a traffic island in front of the terminal.

Geez. She's lucky to be alive. What in the world was she thinking?

EDITED TO ADD (9/21): Okay, clearly we need a lot more information:

The woman later told police the circuit board with lights on it was a work of art.

And this:

"She claims that it was just art and she was proud of the art and wanted to display it. I am not sure why she had the Play-Doh in her hands. She could not explain that," Pare said.

I have to admit that I would trust the authorities more if it weren't Boston.

EDITED TO ADD (9/21): Here's a picture. I'm leaning towards stupid police overreaction right now.

EDITED TO ADD (9/21): Okay, she made it for MIT's career day:

"She said that it was a piece of art and she wanted to stand out on career day," Pare said at a news conference.

Definitely stupid police overreaction.

Refuse to be terrorized, people!

EDITED TO ADD (9/21): A better photo.

EDITED TO ADD (9/22): More news. I now have complete sympathy for the student, and none for the police. I wonder if anyone wore their DefCon badge to the Las Vegas airport this year.

EDITED TO ADD (9/26): Really good information here:

Last week was Career Week at MIT. As usually happens during such events, the students turned out in high numbers to speak with company representatives and examine the "free" items that are handed out to students who visit certain booths. Star Simpson, an Electrical Engineering and Computer Science major who enjoys playing around with electronics, wore a bulky handmade nametag to the event. It consisted of a breadboard, LEDs in the shape of a star (for her name), some wires, and a nine-volt battery. She taped it to her sweatshirt to keep it in place, possibly hoping that the company representatives would better be able to remember a student with a flashing nametag.

She also, as is custom, acquired a number of neat little items from the vendors there. I've seen some of what was available - bleach pens for clothing, large foam 'pills' that you could squeeze as a method of stress relief, small containers of Play-Doh. She picked up a canister of Play-Doh and placed it in her pocket.

Some time after this - I don't know how long, sorry - she went to the Logan Airport to meet a friend of hers. I can easily see her losing track of time and being too rushed to put her sweatshirt away before leaving. Or perhaps she forgot the breadboard entirely - just as someone with a bandaged wrist will soon ignore its presence. Or perhaps she thought no one would care -- she is from MIT, after all, and the culture here does not regard breadboards as weapons of mass destruction. Or perhaps she thought that it wouldn't matter, since she knew that she would not be going through the security checkpoint.

And the authorities are going to make her pay for their mistake.

Posted on September 21, 2007 at 12:20 PM

More on the German Terrorist Plot

This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn't explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.

The US intelligence agencies, the NSA and CIA, provided the most important information: copies of messages between German Islamists and their contacts in Pakistan. Three people in Germany were apparently the ones maintaining contact. The first was a man with the pseudonym "Muaz," who investigators suspected was Islamist Attila S., 22. The second was a man named "Zafer," from the town of Neunkirchen, who they believed was Zafer S., an old friend of Daniel S., one of the three men arrested last week. According to his father, Hizir S., Zafer is currently attending a language course in Istanbul. The third name that kept reappearing in the emails the NSA intercepted was "Abdul Malik," a.k.a. Fritz Gelowicz, who prosecutors believe was the ringleader of the German cell, a man Deputy Secretary Hanning calls "cold-blooded and full of hate."

[...]

While at the Pakistani camp in the spring of 2006, Adem Y. and Gelowicz probably discussed ways to secretly deliver messages from Pakistan to Germany. They used a Yahoo mailbox, but instead of sending messages directly, they would store them in a draft folder through which their fellow Islamists could then access the messages. But it turned out that the method they hit upon had long been known as an al-Qaida ploy. The CIA, NSA and BKA had no trouble monitoring the group's communications. Two men who went by the aliases "Sule" or "Suley" and "Jaf" kept up the contact from the IJU side.

This is also interesting, given the many discussions on this blog and elsewhere about stopping people watching and photographing potential terrorist targets:

Early in the evening of Dec. 31, 2006, a car containing several passengers drove silently past the Hutier Barracks in Lamboy, a section of the western German city of Hanau. Hanau is known as the home of a major US military base, where thousands of US soldiers live and routinely look forward to celebrating New Year's Eve in their home away from home. The BfV's observation team later noted that the car drove back and forth in front of the barracks several times. When German agents finally stopped the car, they discovered that the passengers were Fritz Gelowicz, Attila S. from the southern city of Ulm, Ayhan T. from Langen near Frankfurt and Dana B., a German of Iranian descent from Frankfurt who, when asked what he and the others were doing there, claimed that they had just wanted to see "how the Americans celebrate New Year's Eve."

Posted on September 21, 2007 at 4:00 AM

London's Security Cameras Don't Help

Interesting article. London's 10,000 security cameras don't reduce crime:

A comparison of the number of cameras in each London borough with the proportion of crimes solved there found that police are no more likely to catch offenders in areas with hundreds of cameras than in those with hardly any.

In fact, four out of five of the boroughs with the most cameras have a record of solving crime that is below average.

EDITED TO ADD (10/11): This is a follow-up to a 2005 article.

Posted on September 20, 2007 at 2:03 PM

Anonymity and the Tor Network

As the name implies, Alcoholics Anonymous meetings are anonymous. You don't have to sign anything, show ID or even reveal your real name. But the meetings are not private. Anyone is free to attend. And anyone is free to recognize you: by your face, by your voice, by the stories you tell. Anonymity is not the same as privacy.

That's obvious and uninteresting, but many of us seem to forget it when we're on a computer. We think "it's secure," and forget that secure can mean many different things.

Tor is a free tool that allows people to use the internet anonymously. Basically, by joining Tor you join a network of computers around the world that pass internet traffic randomly amongst each other before sending it out to wherever it is going. Imagine a tight huddle of people passing letters around. Once in a while a letter leaves the huddle, sent off to some destination. If you can't see what's going on inside the huddle, you can't tell who sent what letter based on watching letters leave the huddle.

I've left out a lot of details, but that's basically how Tor works. It's called "onion routing," and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol -- hence the onion analogy -- but the traffic that leaves the Tor network is in the clear. It has to be.

If you want your Tor traffic to be private, you need to encrypt it. If you want it to be authenticated, you need to sign it as well. The Tor website even says:

Yes, the guy running the exit node can read the bytes that come in and out there. Tor anonymizes the origin of your traffic, and it makes sure to encrypt everything inside the Tor network, but it does not magically encrypt all traffic throughout the internet.

Tor anonymizes, nothing more.
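As an added illustration (not code from the original essay or from the Tor project), a toy Python simulation of the layered encryption described above: each relay peels one layer and learns only its neighbours, and whatever the client did not encrypt itself leaves the exit node in the clear. Relay names, keys, the destination `mail.example` and the sample login message are constructed, and the XOR-stream cipher built from HMAC-SHA256 stands in for Tor's real cryptography.

```python
"""Toy onion-routing simulation: layered encryption inside the circuit,
cleartext at the exit unless the client also encrypts end to end.

Added illustration only, not Tor's actual protocol. The cipher is a keyed
XOR stream derived from HMAC-SHA256 so the example needs no third-party
library. Relay names, keys and the sample message are all constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
HOP_LEN = 16  # fixed-width next-hop field carried inside each layer


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """Return nonce || (data XOR keystream(key, nonce))."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(): strip the nonce and XOR the keystream back out."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(payload: bytes, circuit, destination: str) -> bytes:
    """Wrap payload in one layer per relay; the innermost layer is the exit's.

    circuit: list of (relay_name, key shared with that relay), guard first,
    exit last. Each layer names the next hop, so a relay that peels its own
    layer learns only who handed it the cell and where to forward it.
    """
    next_hop = destination
    cell = payload
    for name, key in reversed(circuit):
        header = next_hop.encode().ljust(HOP_LEN, b"\0")
        cell = encrypt(key, header + cell)
        next_hop = name
    return cell


def relay_peel(key: bytes, cell: bytes):
    """One relay removes its layer and learns where to forward the remainder."""
    inner = decrypt(key, cell)
    next_hop = inner[:HOP_LEN].rstrip(b"\0").decode()
    return next_hop, inner[HOP_LEN:]


def run_circuit(payload: bytes, circuit, destination: str):
    """Push payload through the circuit; return what each relay got to see."""
    cell = build_onion(payload, circuit, destination)
    observed = {}
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        observed[name] = {"forwards_to": next_hop, "bytes": cell}
    # `cell` is now exactly what leaves the exit node toward the destination.
    return observed, cell


def demo():
    """Compare an unencrypted login with one the client encrypted end to end."""
    circuit = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    # Constructed sample of a cleartext mail login, the kind of traffic the essay describes.
    msg = b"USER alice\r\nPASS constructed-sample-password\r\n"

    # Case 1: no application-layer encryption; the exit relay sees the credentials.
    seen, _leaving = run_circuit(msg, circuit, "mail.example")
    exit_sees_plaintext = seen["exit"]["bytes"] == msg

    # Case 2: client encrypts with a key only the destination holds (stand-in for TLS).
    dest_key = os.urandom(32)
    seen2, leaving2 = run_circuit(encrypt(dest_key, msg), circuit, "mail.example")
    exit_sees_only_ciphertext = msg not in seen2["exit"]["bytes"]
    destination_recovers = decrypt(dest_key, leaving2) == msg
    return exit_sees_plaintext, exit_sees_only_ciphertext, destination_recovers


if __name__ == "__main__":
    print(demo())
```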

Dan Egerstad is a Swedish security researcher; he ran five Tor nodes. Last month, he posted a list of 100 e-mail credentials -- server IP addresses, e-mail accounts and the corresponding passwords -- for embassies and government ministries around the globe, all obtained by sniffing exit traffic for usernames and passwords of e-mail servers.

The list contains mostly third-world embassies: Kazakhstan, Uzbekistan, Tajikistan, India, Iran, Mongolia -- but there's a Japanese embassy on the list, as well as the UK Visa Application Center in Nepal, the Russian Embassy in Sweden, the Office of the Dalai Lama and several Hong Kong Human Rights Groups. And this is just the tip of the iceberg; Egerstad sniffed more than 1,000 corporate accounts this way, too. Scary stuff, indeed.

Presumably, most of these organizations are using Tor to hide their network traffic from their host countries' spies. But because anyone can join the Tor network, Tor users necessarily pass their traffic to organizations they might not trust: various intelligence agencies, hacker groups, criminal organizations and so on.

It's simply inconceivable that Egerstad is the first person to do this sort of eavesdropping; Len Sassaman published a paper on this attack earlier this year. The price you pay for anonymity is exposing your traffic to shady people.

We don't really know whether the Tor users were the accounts' legitimate owners, or if they were hackers who had broken into the accounts by other means and were now using Tor to avoid being caught. But certainly most of these users didn't realize that anonymity doesn't mean privacy. The fact that most of the accounts listed by Egerstad were from small nations is no surprise; that's where you'd expect weaker security practices.

True anonymity is hard. Just as you could be recognized at an AA meeting, you can be recognized on the internet as well. There's a lot of research on breaking anonymity in general -- and Tor specifically -- but sometimes it doesn't even take much. Last year, AOL made 20,000 anonymous search queries public as a research tool. It wasn't very hard to identify people from the data.

A research project called Dark Web, funded by the National Science Foundation, even tried to identify anonymous writers by their style:

One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating "anonymous" content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past.

And if your name or other identifying information is in just one of those writings, you can be identified.

Like all security tools, Tor is used by both good guys and bad guys. And perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it.

As long as Tor is a magnet for "interesting" traffic, Tor will also be a magnet for those who want to eavesdrop on that traffic -- especially because more than 90 percent of Tor users don't encrypt.

This essay previously appeared on Wired.com.

Posted on September 20, 2007 at 5:38 AM

Insider Terrorist Attack

Pakistani Army officer as suicide bomber:

According to reliable sources in the local police, a Pashtun army officer belonging to the elite Special Services Group, whose younger sister was reportedly among the 300 girls killed during the Pakistan Army's commando raid on the Lal Masjid in Islamabad between July 10 and 13, blew himself up during dinner at the SSG's headquarters mess at Tarbela Ghazi, 100 km south of Islamabad, on the night of September 13, killing 19 other officers.

There probably isn't any practicable way to prevent these sorts of attacks by trusted insiders.

Posted on September 19, 2007 at 1:24 PM

The Multics Operating System

Multics was an operating system from the 1960s, and had better security than a lot of operating systems today. This article from 2002 talks about Multics security, and the lessons learned that are still relevant today.

Posted on September 19, 2007 at 5:44 AM

Leaked MediaDefender E-mails

This story is poised to become a bigger deal:

Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender's elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender's collaboration with the New York Attorney General's office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.

More info here.

And now, phone calls were leaked. Here's a teaser -- Ben Grodsky of MediaDefender talking to the New York State Attorney General's office:

Ben Grodsky: "Yeah it seems...I mean, from our telephone call yesterday it seems that uhm... we all pretty much came to the conclusion that probably was ehm... caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm... knew the login and the IP address and port uhm... but they weren't able to get in because we had changed the password on our end, you know, following our normal security protocols uhm... when we are making secure transactions like these on the first login we'll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm... intercepted.

You know just because it is,.. probably it was going through the public Internet and there wasn't any sort of encryption key used to ehm... protect the data in that email."

Ben Grodsky: "...if you guys are comfortable just communicating with us by phone, anything that is really really sensitive we can just communicate in this fashion..."

Ben Grodsky: "OK [confused, taking notes]. So, you are gonna disable password authentication and enable public key?"

Ben Grodsky: "...that part has... has not been compromised in any way. I mean, the communications between our offices in Santa Monica and our data centers have not been compromised in any way and all those communications to NY, to your offices, are secured. The only part that was compromised was...was the email communications about these things."

Ben Grodsky: "...All we can say for sure Media Defender's mail server has not been hacked or compromised..."

[Answering the question "What kind of IDS are you guys running?"]
Ben Grodsky: "Ehm...I don't know. Let me look into that."

EDITED TO ADD (9/20): Media Defender’s source code is now available on P2P networks. Actually, I’m feeling sorry for them.

Posted on September 18, 2007 at 12:03 PM

European Parliament Moves to Undo Airplane Liquid Ban

The Norwegian Ministry of Transportation asked the EU to lift the liquid ban on airplanes.

This ban is annoying for the travellers and a large cost for society, and we need to examine if the benefits are in relation to the cost.

And the European Parliament agreed:

The House adopted a resolution with 464 votes in favour, 158 against and 70 abstentions on the restrictions imposed by the EU on liquids that passengers can take on board aeroplanes. MEPs call upon the Commission to review urgently and -- if no further conclusive facts are brought forward -- to repeal Regulation (EC) No 1546/2006 (introduction of liquids onto aircraft). The particular amendment on the possible repeal was adopted with 382 votes in favour, 298 against and 15 abstentions.

Security is a trade-off; makes sense to me.

EDITED TO ADD (10/11): Unfortunately the European Parliament is powerless; their decisions are regularly ignored. In this case, the European Commission has the real power.

Posted on September 18, 2007 at 6:32 AM

Microsoft Updates Both XP and Vista Without User Permission or Notification

The details are still fuzzy, but if this is true, it's a huge deal.

Not that Microsoft can do this; that's just stupid company stuff. But what's to stop anyone else from using Microsoft's stealth remote install capability to put anything onto anyone's computer? How long before some smart hacker exploits this, and then writes a program that will allow all the dumb hackers to do it?

When you build a capability like this into your system, you decrease your overall security.

Posted on September 17, 2007 at 6:12 AM

Friday Squid Blogging: Squid Controlled Evolution of Sonar in Whales and Dolphins

Maybe:

Behind the sailor's lore of fearsome battles between sperm whale and giant squid lies a deep question of evolution: How did these leviathans develop the underwater sonar needed to chase and catch squid in the inky depths?

Now, two evolutionary biologists at the University of California, Berkeley, claim that, just as bats developed sonar to chase flying insects through the darkness, dolphins and other toothed whales also developed sonar to chase schools of squid swimming at night at the surface.

Because squid migrate to deeper, darker waters during the day, however, toothed whales eventually perfected an exquisite echolocation system that allows them to follow the squid down to that "refrigerator in the deep, where food is available day or night, 24/7," said evolutionary biologist David Lindberg, UC Berkeley professor of integrative biology and coauthor of a new paper on the evolution of echolocation in toothed whales published online July 23 in advance of its publication in the European journal Lethaia.

Posted on September 14, 2007 at 4:24 PM

Home Users: A Public Health Problem?

To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of their operating system "out of the box," but there are still a dizzying array of rules, options, and choices that users have to make. How should they configure their anti-virus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on and so on and so on.

How is it possible that we in the computer industry have created such a shoddy product? How have we foisted on people a product that is so difficult to use securely, that requires so many add-on products?

It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application -- IM, peer-to-peer file sharing, eBay, Facebook -- to make computers both useful and enjoyable to the home user. At the same time, we've made them so hard to maintain that only a trained sysadmin can do it.

And then we wonder why home users have such problems with their buggy systems, why they can't seem to do even the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.

At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don't see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they're available to help me recover if something untoward does happen to my system. Home users have none of this support. They're on their own.

This problem isn't simply going to go away as computers get smarter and users get savvier. The next generation of computers will be vulnerable to all sorts of different attacks, and the next generation of attack tools will fool users in all sorts of different ways. The security arms race isn't going away any time soon, but it will be fought with ever more complex weapons.

This isn't simply an academic problem; it's a public health problem. In the hyper-connected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam, and attack other computers. We are all more secure if all those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is: what's the best way to get there?

I wonder about those who say "educate the users." Have they tried? Have they ever met an actual user? It's unrealistic to expect home users to be responsible for their own security. They don't have the expertise, and they're not going to learn. And it's not just user actions we need to worry about; these computers are insecure right out of the box.

The only possible way to solve this problem is to force the ISPs to become IT departments. There's no reason why they can't provide home users with the same level of support my IT department provides me with. There's no reason why they can't provide "clean pipe" service to the home. Yes, it will cost home users more. Yes, it will require changes in the law to make this mandatory. But what's the alternative?

In 1991, Walter S. Mossberg debuted his "Personal Technology" column in The Wall Street Journal with the words: "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, the statement is still true -- and doubly true when it comes to computer security.

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn't any other way.

This essay is the first half of a point/counterpoint with Marcus Ranum in the September issue of Information Security. You can read his reply here.

Posted on September 14, 2007 at 2:01 PM • 87 Comments

Chinese National Firewall Isn't All that Effective

Interesting research:

The study, carried out by graduate student Earl Barr and colleagues in the computer science department of UC Davis and the University of New Mexico, exploited the workings of the Chinese firewall to investigate its effectiveness.

Unlike many other nations, Chinese authorities do not simply block webpages that discuss banned subjects such as the Tiananmen Square massacre.

Instead the technology deployed by the Chinese government scans data flowing across its section of the net for banned words or web addresses.

When the filtering system spots a banned term it sends instructions to the source server and destination PC to stop the flow of data.

Mr Barr and colleagues manipulated this to see how far inside China's net messages containing banned terms could reach before the shut down instructions were sent.

The team used words taken from the Chinese version of Wikipedia to load the data streams then despatched into China's network. If a data stream was stopped a technique known as "latent semantic analysis" was used to find related words to see if they too were blocked.

The researchers found that the blocking did not happen at the edge of China's network but often was done when the packets of loaded data had penetrated deep inside.

Blocked were terms related to the Falun Gong movement, Tiananmen Square protest groups, Nazi Germany and democracy.

On about 28% of the paths into China's net tested by the researchers, blocking failed altogether, suggesting that web users would browse unencumbered at least some of the time.

Filtering and blocking was "particularly erratic" when lots of China's web users were online, said the researchers.

Another article.

Posted on September 14, 2007 at 7:52 AM • 15 Comments

Spying in Football

The New England Patriots, one of the two or three best teams in the last five years, have been accused of stealing signals from the other team.

The "Game Operations Manual" states that "no video recording devices of any kind are permitted to be in use in the coaches' booth, on the field, or in the locker room during the game." The manual states that "all video shooting locations must be enclosed on all sides with a roof overhead." NFL security officials confiscated a camera and videotape from a New England video assistant on the Patriots' sideline when it was suspected he was recording the Jets' defensive signals. Taping any signals is prohibited. The toughest part usually is finding evidence to support an allegation.

I remember when the NFL changed the rules to allow a radio link from the quarterback's helmet to the sidelines. A smart team could not only eavesdrop on the other team, but selectively jam the signal when it would be most critical. The rules said that if one team's radio link didn't work, the other team had to turn its off, but that's a minor consideration if you know it's coming.

Funny parody.

EDITED TO ADD (9/15): The team and coach both have been fined.

And this is a really good conversation on the topic.

EDITED TO ADD (9/18): Ed Felten comments.

Posted on September 13, 2007 at 7:10 AM • 45 Comments

Four-Year-Old Girl Asked to Remove her Hoodie for Vague "Security" Reasons

In the UK:

Ms Lewis, 36, said: "I was having a game of bingo while the little one was on the 2p machine with my dad Desmond.

"She had her hood up on her cardigan, a young lad came across and asked her to take her hood down because of security."

She asked to speak to a supervisor and pointed out that, as other people were wearing baseball and beanie caps, they should also be made to remove them.

Ms Lewis said: "The manager told me I was being unreasonable, that I was making a scene and that my daughter was not going to be emotionally scarred because of the incident.

"I complained that she was being victimised and that she was a four-year-old child."

Posted on September 12, 2007 at 2:26 PM • 53 Comments

Light and Crime

A New Yorker article on light pollution has a paragraph on light and crime:

Much so-called security lighting is designed with little thought for how eyes -- or criminals -- operate. Marcus Felson, a professor at the School of Criminal Justice at Rutgers University, has concluded that lighting is effective in preventing crime mainly if it enables people to notice criminal activity as it's taking place, and if it doesn't help criminals to see what they're doing. Bright, unshielded floodlights -- one of the most common types of outdoor security lighting in the country -- often fail on both counts, as do all-night lights installed on isolated structures or on parts of buildings that can't be observed by passersby (such as back doors). A burglar who is forced to use a flashlight, or whose movement triggers a security light controlled by an infrared motion sensor, is much more likely to be spotted than one whose presence is masked by the blinding glare of a poorly placed metal halide "wall pack." In the early seventies, the public-school system in San Antonio, Texas, began leaving many of its school buildings, parking lots, and other property dark at night and found that the no-lights policy not only reduced energy costs but also dramatically cut vandalism.

Posted on September 12, 2007 at 6:23 AM • 66 Comments

1624 Cryptography Book Up for Auction

Lot 1102

Rare 17th Century work on Cryptography

Title: Cryptomenytices et cryptographiae libri IX. In quibus & planissima Steganographiae à Johanne Trithemio, abbate Spanheymensi & Herbipolensi, admirandi ingenij viro, magicè & aenigmaticè olim conscriptae, enodatio traditur. Inspersis ubiquè authoris ac aliorum, non contemnendis inventis...

Author: Selenus, Gustavus [pseud. of August, Duke of Braunschweig-Luneburg]

Auction on September 13. Estimated price $5,000-$8,000.

EDITED TO ADD (9/13): A partial English translation.

Posted on September 11, 2007 at 12:21 PM • 14 Comments

Lousy Electronic Stamp Security in Germany

More and more, we're seeing electronic postage stamps: stamps you can print directly onto envelopes from your printer. This story from Germany illustrates some of the problems when security collides with convenience.

Posted on September 11, 2007 at 7:23 AM • 19 Comments

How to Get Free Food at a Fast-Food Drive-In

It's easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay for and receive your food. The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window. Tell the clerk that you forgot your money and didn't order anything. Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit. Basically, it's a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.
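To make the synchronization problem and its fix concrete, here is a small simulation I have added to this post; it is not code from the original and the cars, plates and orders in it are constructed. Window 1 takes the order and payment, window 2 hands out food, and the only thing linking the two queues is order of arrival, unless window 2 checks the numbered token that window 1 issued.

```python
"""Simulation of the two-window drive-through and of the numbered-token fix.

Added illustration, not code from the original post. Cars, orders and plate
names are constructed sample data. Window 1 takes the order and payment;
window 2 hands out food. The only thing that ties the two together is order
of arrival unless the second window checks a receipt token.
"""
from collections import deque
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional


@dataclass
class Car:
    plate: str                   # constructed identifier, e.g. "A"
    order: Optional[str]         # what the driver pays for; None = "forgot my money"
    token: Optional[str] = None  # receipt token issued at window 1


class DriveThrough:
    """Two decoupled queues: payments at window 1, hand-outs at window 2."""

    def __init__(self, check_token: bool):
        self.check_token = check_token
        self._ticket = count(1)     # numbered tokens, as the post suggests
        self.paid = deque()         # (token, order), oldest payment first

    def window1(self, car: Car) -> None:
        """Take the order and payment; issue a token for it."""
        if car.order is None:
            return                  # nothing paid, so nothing is queued
        car.token = f"T{next(self._ticket)}"
        self.paid.append((car.token, car.order))

    def window2(self, car: Car) -> Optional[str]:
        """Hand out the oldest paid order.

        Without the check it goes to whichever car is at the window, which is
        the flaw the post describes. With the check it goes only to the car
        holding the matching token; an unmatched car is refused and the order
        stays queued for its real owner.
        """
        if not self.paid:
            return None
        token, order = self.paid[0]
        if self.check_token and car.token != token:
            return None
        self.paid.popleft()
        return order


def run_scenario(check_token: bool) -> Dict[str, Optional[str]]:
    """A pays, M says it forgot its money, B pays; all reach window 2 in that order."""
    a = Car("A", "burger")
    m = Car("M", None)
    b = Car("B", "fries")
    dt = DriveThrough(check_token)
    for car in (a, m, b):
        dt.window1(car)
    return {car.plate: dt.window2(car) for car in (a, m, b)}


if __name__ == "__main__":
    print("no token check:", run_scenario(check_token=False))
    print("token check:   ", run_scenario(check_token=True))
```

Without the check, M drives off with B's fries and B is left with nothing; with the check, M is refused and B collects its own order. The token binds a hand-out to a payment rather than to a position in the queue, which is exactly what the receipt-or-token fix above restores.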

EDITED TO ADD (9/20): The video has been removed from YouTube. It's available here.

Posted on September 10, 2007 at 6:27 AM • 94 Comments

Friday Squid Blogging: Vampyroteuthis infernalis

Amazing pictures.

Note that it lives at 2000-3000 feet below sea level, in no light and almost no dissolved oxygen. On the other hand, it's only a foot long.

Posted on September 7, 2007 at 4:50 PM • 8 Comments

The No-Fly List Catches an Actual Terrorist

Or, at the very least, someone who has consorted with terrorists.

It had to happen sooner or later; even a broken clock is right twice a day.

Posted on September 7, 2007 at 1:41 PM • 26 Comments

Federal Judge Strikes Down National-Security-Letter Provision of Patriot Act

Article, ACLU press release, some legal commentary, and actual decision.

From the article:

The ACLU had challenged the law on behalf of an Internet service provider, complaining that the law allowed the FBI to demand records without the kind of court supervision required for other government searches. Under the law, investigators can issue so-called national security letters to entities like Internet service providers and phone companies and demand customers' phone and Internet records.

In his ruling, Marrero said much more was at stake than questions about the national security letters.

He said Congress, in the original USA Patriot Act and less so in a 2005 revision, had essentially tried to legislate how the judiciary must review challenges to the law. If done to other bills, they ultimately could all "be styled to make the validation of the law foolproof."

Noting that the courthouse where he resides is several blocks from the fallen World Trade Center, the judge said the Constitution was designed so that the dangers of any given moment could never justify discarding fundamental individual liberties.

He said when "the judiciary lowers its guard on the Constitution, it opens the door to far-reaching invasions of liberty."

Regarding the national security letters, he said, Congress crossed its boundaries so dramatically that to let the law stand might turn an innocent legislative step into "the legislative equivalent of breaking and entering, with an ominous free pass to the hijacking of constitutional values."

He said the ruling does not mean the FBI must obtain the approval of a court prior to ordering records be turned over, but rather must justify to a court the need for secrecy if the orders will last longer than a reasonable and brief period of time.

Note that the judge immediately stayed his decision, pending appeal.

EDITED TO ADD (9/9): More legal commentary.

Posted on September 7, 2007 at 10:05 AM • 17 Comments

APEC Conference in Sydney Social Engineered

The APEC conference is a big deal in Australia right now, and the security is serious. They've blocked off a major part of Sydney, implemented special APEC laws allowing extra search powers for the police, and even given everyone in Sydney the day off -- just to keep people away.

Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren't stopped until right outside President Bush's hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.

Excellent.

Most excellent:

The ABC later released a statement saying the team had no intention of entering a restricted zone and had been wearing mock "insecurity passes" that stated the convoy was a joke.

"It was a piece testing APEC security and the motorcade looked pretty authentic," the Chaser source said.

"They approached the green zone, and they just waved them through -- much to their amazement, because the sketch was meant to stop there with them being rejected.

"They were then waved through into the red zone, but rather than go all the way through they made the call to turn around."

"Apparently that was the first time the police realised it was not authentic and they swooped in and arrested everybody."

Eight members of the comedy team, including the film crew, were arrested, as well as three hire car drivers.

The fake motorcade -- three cars and a motorcycle escort -- had Canadian identification.

"We just thought Canada would be a country the cops wouldn't scrutinise too closely," said Chaser performer Chris Taylor.

Another article.

I've written about these large-scale social engineering pranks before (although at this point I doubt that the Super Bowl prank was real). The trick: look like you fit in.

I've also written about the Australian comedy group before. They're from a television show called The Chaser's War on Everything, and they've tested security cameras and Trojan horses. And interviewed ignorant Americans.

And APEC security is over-the-top stupid:

On the same day police won a court battle to stop protesters marching down George Street through the APEC security zone, it emerged yesterday that at least one cafe near George Bush's hotel has been ordered by police not to set outdoor tables with silverware, lest it fall into the wrong hands.

And office workers in Bridge Street's AMP tower have been told to stay away from the windows, draw the blinds and not to look at helicopters.

EDITED TO ADD (9/7): Video of the motorcade and the arrests. Photo of the fake security pass.

Great video from The Chasers on APEC and security, including some very funny footage about what normal people are willing to do and have done to them in the name of security.

Posted on September 7, 2007 at 1:53 AM • 63 Comments

Cows Get Photo IDs in India

You can't make this stuff up.

Authorities say crime syndicates find it easy to tamper with branding or tattooing of the cattle -- hence the idea for photo identity cards which should be difficult to falsify.

Valid for two years, each laminated cattle ID card displays the picture of the animal and its owner. It also carries vital information about the animal, such as its colour, height, sex and length of horns.

It carries the owner's name and address and sometimes other details about the animal -- like one "horn missing" or "half tail lost".

Does anyone really think this will improve security?

Posted on September 6, 2007 at 1:51 PM • 42 Comments

Terrorist Plot Foiled in Germany

Score one for the good guys.

EDITED TO ADD (9/7): The more I read about this, the more obvious it is that intelligence and investigation is what caught these guys, and not any wholesale eavesdropping or data mining programs.

EDITED TO ADD (9/18): This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn't explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.

Posted on September 6, 2007 at 11:57 AM • 46 Comments

Basketball Referees and Single Points of Failure

Sports referees are supposed to be fair and impartial. They're not supposed to favor one team over another. And they're most certainly not supposed to have a financial interest in the outcome of a game.

Tim Donaghy, referee for the National Basketball Association, has been accused of both betting on basketball games and fixing games for the mob. He has confessed to far less -- gambling in general, and selling inside information on players, referees and coaches to a big-time professional gambler named James "Sheep" Battista. But the investigation continues, and the whole scandal is an enormous black eye for the sport. Fans like to think that the game is fair and that the winning team really is the winning team.

The details of the story are fascinating and well worth reading. But what interests me more are its general lessons about risk and audit.

What sorts of systems -- IT, financial, NBA games or whatever -- are most at risk of being manipulated? The ones where the smallest change can have the greatest impact, and the ones where trusted insiders can make that change.

Of all major sports, basketball is the most vulnerable to manipulation. There are only five players on the court per team, fewer than in other professional team sports; thus, a single player can have a much greater effect on a basketball game than he can in the other sports. Star players like Michael Jordan, Kobe Bryant and LeBron James can carry an entire team on their shoulders. Even baseball great Alex Rodriguez can't do that.

Because individual players matter so much, a single referee can affect a basketball game more than he can in any other sport. Referees call fouls. Contact occurs on nearly every play, any of which could be called as a foul. They're called "touch fouls," and they are mostly, but not always, ignored. The refs get to decide which ones to call.

Even more drastically, a ref can put a star player in foul trouble immediately -- and cause the coach to bench him longer throughout the game -- if he wants the other side to win. He can set the pace of the game, low-scoring or high-scoring, based on how he calls fouls. He can decide to invalidate a basket by calling an offensive foul on the play, or give a team the potential for some extra points by calling a defensive foul. There's no formal instant replay. There's no second opinion. A ref's word is law -- there are only three of them -- and a crooked ref has enormous power to control the game.

It's not just that basketball referees are single points of failure, it's that they're both trusted insiders and single points of catastrophic failure.

These sorts of vulnerabilities exist in many systems. Consider what a terrorist-sympathizing Transportation Security Administration screener could do to airport security. Or what a criminal CFO could embezzle. Or what a dishonest computer-repair technician could do to your computer or network. The same goes for a corrupt judge, police officer, customs inspector, border-control officer, food-safety inspector and so on.

The best way to catch corrupt trusted insiders is through audit. The particular components of a system that have the greatest influence on the performance of that system need to be monitored and audited, even if the probability of compromise is low. It's after the fact, but if the likelihood of detection is high and the penalties (fines, jail time, public disgrace) are severe, it's a pretty strong deterrent. Of course, the counterattack is to target the auditing system. Hackers routinely try to erase audit logs that contain evidence of their intrusions.

Even so, audit is the reason we want open-source code reviews and verifiable paper trails in voting machines; otherwise, a single crooked programmer could single-handedly change an election. It's also why the Securities and Exchange Commission closely monitors trades by brokers: They are in an ideal position to get away with insider trading. The NBA claims it monitors referees for patterns that might indicate abuse; there's still no answer to why it didn't detect Donaghy.

Most companies focus the bulk of their IT-security monitoring on external threats, but they should be paying more attention to internal threats. While a company may inherently trust its employees, those trusted employees have far greater power to affect corporate systems and are often single points of failure. And trusted employees can also be compromised by external elements, as Tim Donaghy was by Battista and possibly the Mafia.

All systems have trusted insiders. All systems have catastrophic points of failure. The key is recognizing them, and building monitoring and audit systems to secure them.
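As an added illustration of the audit point above (my example, not part of the original essay), here is a tamper-evident log of a trusted insider's high-leverage actions, using a referee's foul calls as constructed sample records. The essay notes that the counterattack is to target the auditing system itself, so each entry is chained under an HMAC key that the auditor, not the logged party, holds: editing or deleting an entry breaks the chain, and truncating the tail is caught by comparing against an anchor the auditor keeps off-system.

```python
"""Tamper-evident audit log for a trusted insider's actions.

Added example, not from the original essay. The key is held by the auditor,
not by the party whose actions are logged, so someone who can rewrite the log
store still cannot produce valid MACs for altered entries. Sample records and
the key below are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # chain value that precedes the first entry


def _entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """HMAC over the previous entry's MAC and the canonical JSON of this record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log whose entries are chained under the auditor's key."""

    def __init__(self, auditor_key: bytes):
        self._key = auditor_key
        self.entries: List[dict] = []  # each: {"seq": int, "record": dict, "mac": str}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = _entry_mac(self._key, prev, record)
        self.entries.append({"seq": len(self.entries), "record": record, "mac": mac})
        return mac  # the auditor stores the latest MAC off-system as an anchor

    def verify(self, anchor: Optional[str] = None) -> List[str]:
        """Return the problems found; an empty list means the log checks out."""
        problems: List[str] = []
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries):
            if entry["seq"] != expected_seq:
                problems.append(f"seq {entry['seq']}: numbering gap (entry deleted)")
            expected_mac = _entry_mac(self._key, prev, entry["record"])
            if not hmac.compare_digest(expected_mac, entry["mac"]):
                problems.append(f"seq {entry['seq']}: MAC mismatch (record edited or chain broken)")
            prev = entry["mac"]
        if anchor is not None and prev != anchor:
            problems.append("tail: latest MAC differs from auditor's anchor (log truncated or rewritten)")
        return problems


# Constructed sample records: one referee's calls involving a star player.
SAMPLE_CALLS = [
    {"game": "G1", "ref": "R7", "q": 1, "call": "offensive foul", "on": "star player"},
    {"game": "G1", "ref": "R7", "q": 1, "call": "touch foul", "on": "star player"},
    {"game": "G1", "ref": "R7", "q": 2, "call": "no call", "on": "opponent"},
    {"game": "G1", "ref": "R7", "q": 2, "call": "touch foul", "on": "star player"},
]


def demo() -> dict:
    """Build a log, then show which kind of tampering each check catches."""
    log = AuditLog(b"auditor-only key (constructed)")
    anchor = ""
    for call in SAMPLE_CALLS:
        anchor = log.append(call)

    edited = copy.deepcopy(log)        # insider rewrites a damning call
    edited.entries[1]["record"]["call"] = "no call"

    deleted = copy.deepcopy(log)       # insider erases an entry outright
    del deleted.entries[1]

    truncated = copy.deepcopy(log)     # insider drops the most recent entry
    del truncated.entries[-1]

    return {
        "intact": log.verify(anchor),
        "edited": edited.verify(anchor),
        "deleted": deleted.verify(anchor),
        "truncated_no_anchor": truncated.verify(),      # invisible without the anchor
        "truncated_with_anchor": truncated.verify(anchor),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

The chain alone catches edits and deletions in the middle of the log, but a clean cut at the tail leaves a perfectly valid shorter chain; only the anchor held outside the system being audited exposes it. That is the practical version of the essay's point that the audit trail has to be protected from the very insiders it watches.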

This is my 50th essay for Wired.com.

Posted on September 6, 2007 at 4:38 AM • 23 Comments

Police to Monitor Indian Cyber-Cafes

It stops terrorism, you see:

Vijay Mukhi, President of the Foundation for Information Security and Technology says, "The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity."

"The police needs to install programs that will capture every key stroke and screen shots at regular intervals, which will be sent back to a server that will log all the data.

The police can then keep track of all communication between terrorists no matter which part of the world they operate from. This is the only way to patrol the net and this is how the police informer is going to look in the e-age," added Mukhi.

Is anyone talking about the societal implications of this sort of wholesale surveillance? Not really:

"The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer," said Mukhi.

"As long as personal computers are not being monitored. If monitoring is restricted to public computers, it is in the interest of security," said National Vice President, People Union for Civil Liberty.

EDITED TO ADD (10/24): This may be a hoax.

Posted on September 5, 2007 at 1:00 PM • 49 Comments

"Cyber Crime Toolkits" Hit the News

On the BBC website:

"They are starting to pop up left and right," said Tim Eades from security company Sana, of the sites offering downloadable hacking tools. "It's the classic verticalisation of a market as it starts to mature."

Malicious hackers had evolved over the last few years, he said, and were now selling the tools they used to use to the growing numbers of fledgling cyber thieves.

Mr Eades said some hacking groups offer boutique virus writing services that produce malicious programs that security software will not spot. Individual malicious programs cost up to £17 (25 euros), he said.

At the top end of the scale, said Mr Eades, were tools like the notorious MPack which costs up to £500.

The regular updates for the software ensure it uses the latest vulnerabilities to help criminals hijack PCs via booby-trapped webpages. It also includes a statistical package that lets owners know how successful their attack has been and where victims are based.

In one sense, there's nothing new here. There have been rootkits and virus construction kits available on the Internet for years. The very definition of a "script kiddie" is someone who uses these tools without really understanding them. What is new is the market: these new tools aren't for wannabe hackers, they're for criminals. And with the new market comes a for-profit business model.

Posted on September 5, 2007 at 7:10 AM • 18 Comments

NASA Employees Sue over Background Checks

This is a big deal:

Jet Propulsion Laboratory scientists and engineers sued NASA and the California Institute of Technology on Thursday, challenging extensive new background checks that the space exploration center and other federal agencies began requiring in the wake of the Sept. 11 terror attacks.

[...]

But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.

NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.

The suit claims violations of the U.S. Constitution's 4th Amendment protection against unreasonable search and seizure, 14th Amendment protection against invasion of the right to privacy, the Administrative Procedure Act, the Privacy Act, and rights under the California Constitution.

Those in more sensitive positions are asked to disclose financial records, list foreign trips and give the government permission to view their medical history.

Workers also must sign a waiver giving investigators access to virtually all personal information.

[...]

"Many of the plaintiffs only agreed to work for NASA with the understanding that they would not have to work on classified materials or to undergo any type of security clearance," the suit said.

More details here (check out the "Forum" if you're really interested) and in this article.

Posted on September 4, 2007 at 12:56 PM • 37 Comments

Pentagon Hacked by Chinese Military

The story seems to have started yesterday in the Financial Times, and is now spreading.

Not enough details to know what's really going on, though. From the FT:

The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.

The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.

Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People's Liberation Army.

One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a "very high level of confidence...trending towards total certainty" that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.

EDITED TO ADD (9/13): Another good commentary.

Posted on September 4, 2007 at 10:44 AM • 32 Comments

Using Fear to Sell Pens

Uni-Ball is using fear to sell pens.

I admit that check washing is a problem, but I don't like the fear-mongering in the advertisement.

EDITED TO ADD: Here's a Youtube link to the ad that's still good.

Posted on September 3, 2007 at 9:42 AM • 48 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.