December 2008 Archives

Forging SSL Certificates

We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates:

Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could be used to sign and vouch for any other. They purchased a signature for the legitimate certificate from an established company that was still using MD5 for signing, and then applied the legitimate signature to the forged certificate. Because the legitimate and forged certificates had the same MD5 value, the legitimate signature also marked the forged one as acceptable.

Lots and lots more articles, and the research.

This isn't a big deal. The research is great; it's good work, and I always like to see cryptanalytic attacks used to break real-world security systems. Making that jump is often much harder than cryptographers think.

But SSL doesn't provide much in the way of security, so breaking it doesn't harm security very much. Pretty much no one ever verifies SSL certificates, so there's not much attack value in being able to forge them. And even more generally, the major risks to data on the Internet are at the endpoints -- Trojans and rootkits on users' computers, attacks against databases and servers, etc -- and not in the network.

I'm not losing a whole lot of sleep because of these attacks. But -- come on, people -- no one should be using MD5 anymore.

EDITED TO ADD (12/31): While it is true that browsers do some SSL certificate verification, when they find an invalid certificate they display a warning dialog box which everyone -- me included -- ignores. There are simply too many valid sites out there with bad certificates for that warning to mean anything. This is far too true:

If you're like me and every other user on the planet, you don't give a shit when an SSL certificate doesn't validate. Unfortunately, commons-httpclient was written by some pedantic fucknozzles who have never tried to fetch real-world webpages.

Posted on December 31, 2008 at 1:39 PM66 Comments

NSA Patent on Network Tampering Detection

The NSA has patented a technique to detect network tampering:

The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing.

Other researchers have looked into this problem in the past and proposed a technique called distance bounding, but the NSA patent takes a different tack, comparing different types of data travelling across the network. "The neat thing about this particular patent is that they look at the differences between the network layers," said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington.

The technique could be used for purposes such as detecting a fake phishing Web site that was intercepting data between users and their legitimate banking sites, he said. "This whole problem space has a lot of potential, [although] I don't know if this is going to be the final solution that people end up using."

Posted on December 30, 2008 at 12:07 PM28 Comments

Matthew Alexander on Torture

Alexander is a former Special Operations interrogator who worked in Iraq in 2006. His op-ed is worth reading:

I learned in Iraq that the No. 1 reason foreign fighters flocked there to fight were the abuses carried out at Abu Ghraib and Guantanamo. Our policy of torture was directly and swiftly recruiting fighters for al-Qaeda in Iraq. The large majority of suicide bombings in Iraq are still carried out by these foreigners. They are also involved in most of the attacks on U.S. and coalition forces in Iraq. It's no exaggeration to say that at least half of our losses and casualties in that country have come at the hands of foreigners who joined the fray because of our program of detainee abuse. The number of U.S. soldiers who have died because of our torture policy will never be definitively known, but it is fair to say that it is close to the number of lives lost on Sept. 11, 2001. How anyone can say that torture keeps Americans safe is beyond me -- unless you don't count American soldiers as Americans.

Also, this interview from Harper's:

In Iraq, we lived the "ticking time bomb" scenario every day. Numerous Al Qaeda members that we captured and interrogated were directly involved in coordinating suicide bombing attacks. I remember one distinct case of a Sunni imam who was caught just after having blessed suicide bombers to go on a mission. Had we gotten there just an hour earlier, we could have saved lives. Still, we knew that if we resorted to torture the short term gains would be outweighed by the long term losses. I listened time and time again to foreign fighters, and Sunni Iraqis, state that the number one reason they had decided to pick up arms and join Al Qaeda was the abuses at Abu Ghraib and the authorized torture and abuse at Guantanamo Bay. My team of interrogators knew that we would become Al Qaeda's best recruiters if we resorted to torture. Torture is counterproductive to keeping America safe and it doesn't matter if we do it or if we pass it off to another government. The result is the same. And morally, I believe, there is an even stronger argument. Torture is simply incompatible with American principles. George Washington and Abraham Lincoln both forbade their troops from torturing prisoners of war. They realized, as the recent bipartisan Senate report echoes, that this is about who we are. We cannot become our enemy in trying to defeat him.

EDITED TO ADD (1/13): Yet another interview.

Posted on December 30, 2008 at 6:37 AM73 Comments

Shoplifting on the Rise in Bad Economy

From the New York Times:

Police departments across the country say that shoplifting arrests are 10 percent to 20 percent higher this year than last. The problem is probably even greater than arrest records indicate since shoplifters are often banned from stores rather than arrested.

Much of the increase has come from first-time offenders like Mr. Johnson making rash decisions in a pinch, the authorities say. But the ease with which stolen goods can be sold on the Internet has meant a bigger role for organized crime rings, which also engage in receipt fraud, fake price tagging and gift card schemes, the police and security experts say.

[...]

Shoplifters also seem to be getting bolder, according to industry surveys.

Thieves often put stolen items in bags lined with aluminum foil to avoid detection by the storefront alarms. Others work in teams, with a decoy who tries to look suspicious to draw out undercover security agents and attract the attention of security cameras, the police said.

"We're definitely seeing more sprinters," said an undercover security guard at Macy's near Oakland, Calif., referring to shoplifters who make a run for the door.

A previous post listed the most frequently shoplifted items: small, expensive things with a long shelf life.

EDITED TO ADD (1/13): Maybe shoplifting isn't on the rise after all.

Posted on December 29, 2008 at 2:52 PM24 Comments

Gunpowder Is Okay to Bring on an Airplane

Putting it in a clear plastic baggie magically makes it safe:

Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As a good citizen, I had packed the resulting pastes into a quart-sized "3-1-1" plastic bag, along with my shampoo and hand cream. This bag I took out of my messenger bag and put on top of my bin of belongings, turned so that the labels were easy for the TSA inspector to read.

Posted on December 29, 2008 at 7:05 AM121 Comments

Friday Squid Blogging: Vandals Wreck Giant Squid Collection

Sad squid news.

...vandals got in by taking advantage of a temporary door, smashed windows and broke display cases containing male and female giant squids each measuring ten metres long as well as skeletons of whales, tortoises, marine birds and fossils.

Where was the security?

Posted on December 26, 2008 at 4:41 PM12 Comments

CCTV Cameras Going Unmonitored

This is not surprising at all; when money is scarce, these sorts of things go unfunded. Perhaps the biggest surprise is that people thought the cameras were ever monitored -- generally, they're not.

Posted on December 26, 2008 at 7:09 AM18 Comments

U.S. COMSEC History from 1973

Just declassified, this document -- A History of U.S. Communications Security (Volumes I and II); the David G. Boak Lectures, National Security Agency (NSA), 1973 -- is definitely worth reading. The first sections are highly redacted, but the remainder is fascinating.

Posted on December 24, 2008 at 11:03 AM16 Comments

Comparing the Security of Electronic Slot Machines and Electronic Voting Machines

From the Washington Post.

Other important differences:

  • Slot machine are used every day, 24 hours a day. Electronic voting machines are used, at most, twice a year -- often less frequently.

  • Slot machines involve money. Electronic voting machines involve something much more abstract.

  • Slot machine accuracy is a non-partisan issue. For some reason I can't fathom, electronic voting machine accuracy is seen as a political issue.

Posted on December 24, 2008 at 6:02 AM46 Comments

DHS Reality Show

On ABC:

Every day the men and women of the Department of Homeland Security patrol more than 100,000 miles of America's borders. This territory includes airports, seaports, land borders, international mail centers, the open seas, mountains, deserts and even cyberspace. Now viewers will get an unprecedented look at the work of these men and women while they use the newest technology to safeguard our country and enforce our laws, in "Homeland Security USA," which debuts with the episode "This is Your Car on Drugs," TUESDAY, JANUARY 6 (8:00-9:00 p.m., ET) on ABC.

Sure it's propaganda, but the agency can use the image boost.

Posted on December 23, 2008 at 1:10 PM33 Comments

Voice Prints

Seems that it's hard:

"There is no such thing as a voice print," he said. "It's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does."

Many different factors influence how people speak at any particular time and place.

"If you're tired or if you have a cold or if you're speaking on a phone against traffic in the background you do all sorts of things to the voice, which make it phonetically very different from time to time," said Foukles, who also works as a freelance consultant for a private forensic speech science laboratory.

"The features of speech and language are such that you can't use them as a marker of identity to identify one person and exclude all other people under normal circumstances. People's voices overlap."

Posted on December 23, 2008 at 7:25 AM41 Comments

Registry of Cell Phone Owners

In Mexico:

Also Tuesday, the Senate voted to create a registry of cell phone owners to combat kidnappings and extortions in which gangs often use untraceable mobile phones to make ransom demands.

Telecoms would be required to ask purchasers of cell phones or phone memory chips for their names, addresses and fingerprints, and to turn that information over to investigators if requested.

At present, unregulated vendors sell phones and chips for cash from streetside stands. It is unclear how such vendors would be made to comply with the new law.

How easy is it to steal a cell phone? I'm generally not impressed with security measures, especially expensive ones, that merely result in the bad guys changing their tactics.

Posted on December 22, 2008 at 12:01 PM42 Comments

Food in Defense of a Crime

Last year, throwing hot coffee in the face of a store clerk was a new robbery tactic. Now, we have a Pizza Hut delivery man throwing a hot pie in the face of a would-be (armed) mugger.

Posted on December 22, 2008 at 6:16 AM29 Comments

Schneier on 60 Minutes

I'm on 60 Minutes today. If you're a new reader who has just found me from that show, welcome. Here are links to some of my previous writings about airplane security:

Airport Pasta-Sauce Interdiction Considered Harmful
The TSA's Useless Photo ID Rules
Airline Security a Waste of Cash
Airplane Security and Metal Knives

I also interviewed Kip Hawley last year.

This page contains all my essays and op eds.

Everyone, consider this the thread to discuss the show.

I'm particularly croggled by this quote from the CBS page:

"...it's why the TSA was created: to never forget," Hawley tells Stahl.

This quote summarizes nicely a lot about what's wrong with the TSA. They focus much too much on the specifics of the tactics that have been used, and not enough on the broad threat.

EDITED TO ADD (12/23): Here's the segment.

Posted on December 21, 2008 at 4:00 PM128 Comments

"Nut Allergy" Fear and Overreaction

Good article:

Professor Nicolas Christakis, a professor of medical sociology at Harvard Medical School, told the BMJ there was "a gross over-reaction to the magnitude of the threat" posed by food allergies, and particularly nut allergies.

In the US, serious allergic reactions to foods cause just 2,000 of more than 30 million hospitalisations a year and comparatively few deaths -- 150 a year from all food allergies combined.

In the UK there are around 10 deaths each year from food allergies.

Professor Christakis said the issue was not whether nut allergies existed or whether they could occasionally be serious. Nor was the issue whether reasonable preventative steps should be made for the few children who had documented serious allergies, he argued.

"The issue is what accounts for the extreme responses to nut allergies."

He said the number of US schools declaring themselves to be entirely "nut free" -- banning staples like peanut butter, homemade baked goods and any foods without detailed ingredient labels -- was rising, despite clear evidence that such restrictions were unnecessary.

"School entrances have signs admonishing visitors to wash their hands before entry to avoid [nut] contamination."

He said these responses were extreme and had many of the hallmarks of mass psychogenic illness (MPI), previously known as epidemic hysteria.

Sound familiar?

Posted on December 19, 2008 at 6:56 AM109 Comments

Schneier on 60 Minutes

I'll be on 60 Minutes this Sunday. I honestly don't know how it will look; it wasn't my best interview.

EDITED TO ADD (12/23): Here's the segment.

Posted on December 18, 2008 at 2:21 PM44 Comments

Bypassing Airport Checkpoints

From a reader:

I always get a giggle from reading about TSA security procedures, because of what I go through during my occasional job at an airport. I repair commercial kitchen cooking equipment -- restaurants etc. On occasion I have to go to restaurants inside a nearby airport terminal to repair equipment, sometimes needing a return trip with parts.

So here's the scene. I park inside the parking garage area in my company truck. I carry my 30 pound toolbox and a large cardboard box, about 2 1/2 feet long with parts for a broiler to be repaired. I go to a restaurant outside the security zone and pick up an "escort", typically a kid of maybe 25 years old. I obviously can't go through the TSA checkpoint, as they'd have absolute conniptions about my tools and large parts. So, without ever having to show ID, or even looking at what I may have in the large cardboard box or my large metal toolbox, the escort takes me down an elevator, out onto the tarmac, past waiting planes pulled up to the terminal, back inside the terminal building and coming out on the other side of the TSA checkpoint, then off to the restaurant to be repaired. Then, when I'm done, they escort my out the normal way, past the TSA screening area, with my toolbox and large cardboard box in hand. No one bats an eye as to what might have transpired or how my stuff magically appeared on the "secure" side and is now leaving right in front of them

And people wonder why I call it all security theater?

Posted on December 18, 2008 at 10:19 AM79 Comments

James Bamford Interview on the NSA

Worth reading. One excerpt:

The problem is that NSA was never designed for what it's doing. It was designed after World War II to prevent another surprise attack from another nation-state, particularly the Soviet Union. And from 1945 or '46 until 1990 or '91, that's what its mission was. That's what every piece of equipment, that's what every person recruited to the agency, was supposed to do, practically — find out when and where and if the Russians were about to launch a nuclear attack. That's what it spent 50 years being built for. And then all of a sudden the Soviet Union is not around anymore, and NSA's got a new mission, and part of that is going after terrorists. And it's just not a good fit. They missed the first World Trade Center bombing, they missed the attack on the U.S.S. Cole, they missed the attack on the U.S. embassies in Africa, they missed 9/11. There's this string of failures because this agency was not really designed to do this. In the movies, they'd be catching terrorists all the time. But this isn't the movies, this is reality.

The big difference here is that when they were focused on the Soviet Union, the Soviets communicated over dedicated lines. The army communicated over army channels, the navy communicated over navy channels, the diplomats communicated over foreign-office channels. These were all particular channels, particular frequencies, you knew where they were; the main problem was breaking encrypted communications. [The NSA] had listening posts ringing the Soviet Union, they had Russian linguists that were being pumped out from all these schools around the U.S.

Then the Cold War ends and everything changes. Now instead of a huge country that communicated all the time, you have individuals who hop from Kuala Lampur to Nairobi or whatever, from continent to continent, from day to day. They don't communicate [electronically] all the time — they communicate by meetings. [The NSA was] tapping Bin Laden's phone for three years and never picked up on any of these terrorist incidents. And the [electronic] communications you do have are not on dedicated channels, they're mixed in with the world communication network. First you've got to find out how to extract that from it, then you've got to find people who can understand the language, and then you've got to figure out the word code. You can't use a Cray supercomputer to figure out if somebody's saying they're going to have a wedding next week whether it's really going to be a wedding or a bombing.

So that's the challenge facing the people there. So even though I'm critical about them for missing these things, I also try in the book to give an explanation as to why this is. It's certainly not because the people are incompetent. It's because the world has changed.

I think the problem is more serious than people realize. I talked to the people at Fort Gordon [in Georgia], which is the main listening post for the Middle East and North Africa. What was shocking to me was the people who were there were saying they didn't have anybody [at the time] who spoke Pashtun. We're at war in Afghanistan and the main language of the Taliban is Pashtun.

The answer here is to change our foreign policy so that we don't have to depend on agencies like NSA to try to protect the country. You try to protect the country by having reasonable policies so that we won't have to worry about terrorism so much. It's just getting harder and harder to find them.

Also worth reading is his new book.

Posted on December 18, 2008 at 6:42 AM30 Comments

Brazilian Logging Firms Hire Hackers to Modify Logging Limits

Interesting:

Some Brazilian states used a computerised allocation system to levy how much timber can be logged in each area. However, logging firms attempted to subvert these controls by hiring hackers to break systems and increase the companies' allocations.

Greenpeace reckons these types of computer swindles were responsible for the excess export of 1.7 million cubic metres of timber (or enough for 780 Olympic-sized swimming pools, as the group helpfully points out) before police broke up the scam last year. Brazilian authorities are suing logging firms for 2 billion reais (US$833m).

Posted on December 17, 2008 at 11:52 AM18 Comments

Ed Felten on TSA Behavioral Screening

Good comment:

Now suppose that TSA head Kip Hawley came to you and asked you to submit voluntarily to a pat-down search the next time you travel. And suppose you knew, with complete certainty, that if you agreed to the search, this would magically give the TSA a 0.1% chance of stopping a deadly crime. You'd agree to the search, wouldn't you? Any reasonable person would accept the search to save (by assumption) at least 0.001 lives. This hypothetical TSA program is reasonable, even though it only has a 0.1% arrest rate. (I'm assuming here that an attack would cost only one life. Attacks that killed more people would justify searches with an even smaller arrest rate.)

So the commentators' critique is weak -- but of course this doesn't mean the TSA program should be seen as a success. The article says that the arrests the system generates are mostly for drug charges or carrying a false ID. Should a false-ID arrest be considered a success for the system? Certainly we don't want to condone the use of false ID, but I'd bet most of these people are just trying to save money by flying on a ticket in another person's name -- which hardly makes them Public Enemy Number One. Is it really worth doing hundreds of searches to catch one such person? Are those searches really the best use of TSA screeners' time? Probably not.

Right. It's not just about the hit rate. It's the cost vs. benefit: cost in taxpayer money, passenger time, TSA screener attention, fundamental liberties, etc.

Posted on December 17, 2008 at 6:38 AM53 Comments

Arming New York City Police with Machine Guns

I have mixed feelings about this:

The NYPD wants all 1,000 Police Academy recruits trained to use M4 automatic machine guns - which are now carried only by the 400 cops in its elite Emergency Service Unit - in time for the holiday celebration in Times Square.

On the one hand, deploying these weapons seems like a bad idea. On the other hand, training is almost never a bad thing.

Oh, and in case you were worried:

There is no intelligence Times Square will be a target on New Year's Eve. The area will be on high alert, but has been so for every year since the millennium.

Posted on December 16, 2008 at 3:43 PM88 Comments

Buying Fake Nintendo Consoles Helps Terrorists

Really:

Speaking to the BBC, HMRC spokesperson Clare Merrills warned that faulty counterfeit consoles could be unsafe.

"You might find you plug it in and the adaptor sets on fire or the wires start to melt and stick out," she warned.

"When you buy these goods, you're not funding our economy, you're actually funding criminals in these far off places and it could be linked to terrorism," she added.

Why be rational, when you can stoke fear instead?

EDITED TO ADD (1/13): How to spot a fake Nintendo console.

Posted on December 16, 2008 at 10:47 AM34 Comments

Snipers

Really interesting article on snipers:

It might be because there's another side to snipers and sniping after all. In particular, even though a sniper will often be personally responsible for huge numbers of deaths -- body counts in the hundreds for an individual shooter are far from unheard of -- as a class snipers kill relatively few people compared to the effects they achieve. Furthermore, when a sniper kills someone, it is almost always a person they meant to kill, not just someone standing around in the wrong place and time. These are not things that most branches of the military can say.

But, for a well-trained military sniper at least, "collateral damage" -- the accidental killing and injuring of bystanders and unintended targets -- is almost nonexistent. Mistakes do occur, but compared to a platoon of regular soldiers armed with automatic weapons, rockets, grenades etc a sniper is delicacy itself. Compared to crew-served and vehicle weapons, artillery, tanks, air support or missile strikes, a sniper is not just surgically precise but almost magically so. Yet he (or sometimes she) is reviled as the next thing to a murderer, while the mainstream mass slaughter people are seen as relatively normal.

Consider the team who put a strike jet into the air: a couple of aircrew, technicians, armourers, planners, their supporting cooks and medics and security and supply people. Perhaps fifty or sixty people, then, who together send up a plane which can deliver a huge load of bombs at least twice a day. Almost every week in Afghanistan and Iraq right now, such bombs are dropped. The nature of heavy ordnance being what it is, these bombs kill and maim not just their targets (assuming there is a correctly-located target) but everyone else around. Civilian deaths in air strikes are becoming a massive issue for NATO and coalition troops in Afghanistan.

Those sixty people, in a busy week, could easily put hundreds of tons of munitions into a battlefield -- an amount of destructive power approaching that of a small nuclear weapon. This kind of firepower can and will kill many times more people than sixty snipers could in the same time span - and many of the dead will typically be innocent bystanders, often including children and the elderly. Such things are happening, on longer timescales, as this article is written. Furthermore, all these bomber people -- even the aircrew -- run significantly less personal risk than snipers do.

But nobody thinks of a bomb armourer, or a "fighter" pilot", or a base cook as a cowardly assassin. Their efforts are at least as deadly per capita, they run less personal risks, but they're just doing their jobs. And let's not forget everyone else: artillerymen, tank crews, machine gunners. Nobody particularly loathes them, or considers them cowardly assassins.

Posted on December 16, 2008 at 6:25 AM64 Comments

How to Steal the Empire State Building

A reporter managed to file legal papers, transferring ownership of the Empire State Building to himself. Yes, it's a stunt:

The office of the city register, upon receipt of the phony documents prepared by the newspaper, transferred ownership of the 102-story building from Empire State Land Associates to Nelots Properties, LLC. Nelots is "stolen" spelled backward.

To further enhance the absurdity of the heist, included on the bogus paperwork were original "King Kong" star Fay Wray as witness and Willie Sutton, the notorious bank robber, as the notary.

Still, this sort of thing has been used to commit fraud in the past, and will continue to be a source of fraud in the future. The problem is that there isn't enough integrity checking to ensure that the person who is "selling" the real estate is actually the person who owns it.

Posted on December 15, 2008 at 12:23 PM23 Comments

Killing Robot Being Tested by Lockheed Martin

Wow:

The frightening, but fascinatingly cool hovering robot - MKV (Multiple Kill Vehicle), is designed to shoot down enemy ballistic missiles.

A video released by the Missile Defense Agency (MDA) shows the MKV being tested at the National Hover Test Facility at Edwards Air Force Base, in California.

Inside a large steel cage, Lockheed's MKV lifts off the ground, moves left and right, rapidly firing as flames shoot out of its bottom and sides. This description doesn't do it any justice really, you have to see the video yourself.

During the test, the MKV is shown to lift off under its own propulsion, and remains stationary, using it’s on board retro-rockets. The potential of this drone is nothing short of science-fiction.

When watching the video, you can’t help but be reminded of post-apocalyptic killing machines, seen in such films as The Terminator and The Matrix.

Okay, people. Now is the time to start discussing the rules of war for autonomous robots. Now, when it's still theoretical.

Posted on December 15, 2008 at 6:07 AM60 Comments

Jim Harper Responds to My Comments on Fingerprinting Foreigners at the Border

Good comments:

Anyway, turning someone away from the border is a trivial security against terrorism because terrorists are fungible. Turning away a known terrorist merely inconveniences a terrorist group, which just has to recruit someone different. The 9/11 attacks were conducted for the most part by people who had no known record of terrorism and who arrived on visas granted to them by the State Department. Biometric border security would have prevented none of them entering.

(Another option is physical avoidance of the border -- crossing into the United States from Canada or Mexico at an uncontrolled part of the border. I know of no instance of this occurring (successfully), but it could. And, most importantly, there's no cost-effective way to prevent it.)

In summary, border biometrics have some benefit! They are at best a mild inconvenience to terrorists -- an inconvenience that the 9/11 attacks mostly anticipated. But that's not zero benefit! It's just negligible benefit.

Posted on December 12, 2008 at 6:21 AM41 Comments

More SHA-3 News

NIST has published all 51 first-round candidates in its hash algorithm competition. (Presumably the other submissions -- we heard they received 64 -- were rejected because they weren't complete.) You can download the submission package from the NIST page. The SHA-3 Zoo is still the best source for up-to-date cryptanalysis information.

Various people have been trying to benchmark the performance of the candidates, but -- of course -- results depend on what metrics you choose.

And there's news about Skein's performance. And two Java implementations. (Does anyone want to do an implementation of Threefish?) In general, the Skein website is the place to go for up-to-date Skein information.

Posted on December 11, 2008 at 1:16 PM24 Comments

Remote-Controlled Thermostats

People just don't understand security:

Mr. Somsel, in an interview Thursday, said he had done further research and was concerned that the radio signal — or the Internet instructions that would be sent, in an emergency, from utilities' central control stations to the broadcasters sending the FM signal — could be hacked into.

That is not possible, said Nicole Tam, a spokeswoman for P.G.& E. who works with the pilot program in Stockton. Radio pages "are encrypted and encoded," Ms. Tam said.

I wonder what she'll think when someone hacks the system?

Posted on December 11, 2008 at 6:55 AM82 Comments

Audit

As the first digital president, Barack Obama is learning the hard way how difficult it can be to maintain privacy in the information age. Earlier this year, his passport file was snooped by contract workers in the State Department. In October, someone at Immigration and Customs Enforcement leaked information about his aunt's immigration status. And in November, Verizon employees peeked at his cell phone records.

What these three incidents illustrate is not that computerized databases are vulnerable to hacking -- we already knew that, and anyway the perpetrators all had legitimate access to the systems they used -- but how important audit is as a security measure.

When we think about security, we commonly think about preventive measures: locks to keep burglars out of our homes, bank safes to keep thieves from our money, and airport screeners to keep guns and bombs off airplanes. We might also think of detection and response measures: alarms that go off when burglars pick our locks or dynamite open bank safes, sky marshals on airplanes who respond when a hijacker manages to sneak a gun through airport security. But audit, figuring out who did what after the fact, is often far more important than any of those other three.

Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.

Audit helps ensure that people don't abuse positions of trust. The cash register, for example, is basically an audit system. Cashiers have to handle the store's money. To ensure they don't skim from the till, the cash register keeps an audit trail of every transaction. The store owner can look at the register totals at the end of the day and make sure the amount of money in the register is the amount that should be there.

The same idea secures us from police abuse, too. The police have enormous power, including the ability to intrude into very intimate aspects of our life in order to solve crimes and keep the peace. This is generally a good thing, but to ensure that the police don't abuse this power, we put in place systems of audit like the warrant process.

The whole NSA warrantless eavesdropping scandal was about this. Some misleadingly painted it as allowing the government to eavesdrop on foreign terrorists, but the government always had that authority. What the government wanted was to not have to submit a warrant, even after the fact, to a secret FISA court. What they wanted was to not be subject to audit.

That would be an incredibly bad idea. Law enforcement systems that don't have good audit features designed in, or are exempt from this sort of audit-based oversight, are much more prone to abuse by those in power -- because they can abuse the system without the risk of getting caught. Audit is essential as the NSA increases its domestic spying. And large police databases, like the FBI Next Generation Identification System, need to have strong audit features built in.

For computerized database systems like that -- systems entrusted with other people's information -- audit is a very important security mechanism. Hospitals need to keep databases of very personal health information, and doctors and nurses need to be able to access that information quickly and easily. A good audit record of who accessed what when is the best way to ensure that those trusted with our medical information don't abuse that trust. It's the same with IRS records, credit reports, police databases, telephone records – anything personal that someone might want to peek at during the course of his job.

Which brings us back to President Obama. In each of those three examples, someone in a position of trust inappropriately accessed personal information. The difference between how they played out is due to differences in audit. The State Department's audit worked best; they had alarm systems in place that alerted superiors when Obama's passport files were accessed and who accessed them. Verizon's audit mechanisms worked less well; they discovered the inappropriate account access and have narrowed the culprits down to a few people. Audit at Immigration and Customs Enforcement was far less effective; they still don't know who accessed the information.

Large databases filled with personal information, whether managed by governments or corporations, are an essential aspect of the information age. And they each need to be accessed, for legitimate purposes, by thousands or tens of thousands of people. The only way to ensure those people don't abuse the power they're entrusted with is through audit. Without it, we will simply never know who's peeking at what.

This essay first appeared on the Wall Street Journal website.

Posted on December 10, 2008 at 2:21 PM39 Comments

Disguised USB Drive

This is a 2 Gig USB drive disguised as a piece of frayed cable. You'll still want to encrypt it, of course, but it is likely to be missed if your bags are searched at customs, the police raid your house, or you lose it.

Posted on December 10, 2008 at 7:02 AM42 Comments

Who Worries About Terrorism?

The paper, "Terrorism-Related Fear and Avoidance Behavior in a Multiethnic Urban Population," is for subscribers only.

Abstract

Objectives. We sought to determine whether groups traditionally most vulnerable to disasters would be more likely than would be others to perceive population-level risk as high (as measured by the estimated color-coded alert level) would worry more about terrorism, and would avoid activities because of terrorism concerns.

Methods. We conducted a random digit dial survey of the Los Angeles County population October 2004 through January 2005 in 6 languages. We asked respondents what color alert level the country was under, how often they worry about terrorist attacks, and how often they avoid activities because of terrorism. Multivariate regression modeled correlates of worry and avoidance, including mental illness, disability, demographic factors, and estimated color-coded alert level.

Results. Persons who are mentally ill, those who are disabled, African Americans, Latinos, Chinese Americans, Korean Americans, and non-US citizens were more likely to perceive population-level risk as high, as measured by the estimated color-coded alert level. These groups also reported more worry and avoidance behaviors because of concerns about terrorism.

Conclusions. Vulnerable populations experience a disproportionate burden of the psychosocial impact of terrorism threats and our national response. Further studies should investigate the specific behaviors affected and further elucidate disparities in the disaster burden associated with terrorism and terrorism policies.

This is certainly related. As people search for health-related information on the Internet, a common result of their newfound "knowledge" is more stress and anxiety, which can manifest itself in new symptoms.

Posted on December 9, 2008 at 12:58 PM27 Comments

Flying While Armed

Two years ago, all it took to bypass airport security was filling out a form:

Grant was flying from Boston to San Diego on Jan. 1, 2007, when he approached an American Airlines ticket counter at Logan International Airport and flashed a badge he carries as a part-time assistant harbor master in Chatham, according to federal prosecutors.

Grant, a medical supplies salesman, also filled out a "flying while armed" form and wrote that he worked for the Department of Homeland Security, prosecutors said.

[...]

He allegedly did the same on his return trip to Boston three days later.

But this time, according to court documents, he was invited into the cockpit, was told the identity of the two air marshals on the flight, and was informed who else on the plane was armed, which raises security concerns.

Since then, the TSA has made changes in procedure.

At the airport, law enforcers now need advance permission to fly armed.

"We have added substantial layers of security to this process," said TSA spokesman George Naccara.

The case took almost two years to come to light so federal authorities could tighten airport security and prevent similar incidents, said Christina DiIorio-Sterling, a spokeswoman for the U.S. attorney's office.

"The flying public can be assured that this has led to a change of procedures to ensure that credentials are properly vetted," said Ann Davis, a spokeswoman for the Transportation Security Administration.

Posted on December 9, 2008 at 7:22 AM48 Comments

Mumbai Terrorists Used Google Earth, Boats, Food

The Mumbai terrorists used Google Earth to help plan their attacks. This is bothering some people:

Google Earth has previously come in for criticism in India, including from the country's former president, A.P.J. Abdul Kalam.

Kalam warned in a 2005 lecture that the easy availability online of detailed maps of countries from services such as Google Earth could be misused by terrorists.

Of course the terrorists used Google Earth. They also used boats, and ate at restaurants. Don't even get me started about the fact that they breathed air and drank water.

A Google spokeswoman said in an e-mail today that Google Earth's imagery is available through commercial and public sources. Google Earth has also been used by aid agencies for relief operations, which outweighs abusive uses, she said.

That's true for all aspects of human infrastructure. Yes, the bad guys use it: bank robbers use cars to get away, drug smugglers use radios to communicate, child pornographers use e-mail. But the good guys use it, too, and the good uses far outweigh the bad uses.

Posted on December 8, 2008 at 2:20 PM47 Comments

Tourist Scams

Interesting list of tourist scams:

I have only heard of this happening in Spain on the Costa del Sol, but it could happen anywhere. This scam depends on you paying a restaurant/bar bill in cash, usually with a €50 note. The waiter will take your payment, then return shortly after, apologetically telling you that the note is a fake and that you need to pay again. He will return the "fake" bill to you, and any change you're due. Of course, you gave him a REAL note, he gave you a FAKE note, and you gave him a second real note, so you paid €100 for a €50 meal. What I do now is write unobtrusively on all large notes I get, so I can challenge them if it happens to me.

Posted on December 8, 2008 at 6:54 AM76 Comments

Protecting Yourself from Hotel Terrorism

I stand by what I said:

Also, my personal security guru, Bruce Schneier, says it's foolish even to worry about hotel safety, because the chances of something happening on any particular night in any particular hotel are vanishingly small. The taxi ride to the hotel is invariably more dangerous than the hotel itself.

But if you tend to stay in targeted hotels, the advice is pretty good.

Posted on December 5, 2008 at 12:54 PM33 Comments

Prisoner Escapes by Mailing Himself Out of Jail

So maybe this isn't an obvious tactic, and maybe large packages coming into a prison are searched more thoroughly than large packages leaving a prison -- but you'd expect prison guards to pay attention to anything large enough for a person to fit into.

At the end of his shift, the inmate climbed into a cardboard box and was taken out of prison by express courier. His whereabouts are still unknown.

I am remembering the tour of Alcatraz I took some years ago, and I think the tour guide talked about someone who tried to escape in a laundry cart. So maybe this isn't such a new idea after all.

EDITED TO ADD (12/12): He was recaptured.

EDITED TO ADD (12/13): In 1977 Nazi war criminal Herbert Kappler was smuggled out of a hospital, concealed in a large suitcase.

Posted on December 5, 2008 at 7:01 AM35 Comments

Credit Card with One-Time Password Generator

This is a nifty little device: a credit card with an onboard one-time password generator. The idea is that the user enters his PIN every time he makes an online purchase, and enters the one-time code on the screen into the webform. The article doesn't say if the code is time-based or just sequence-based, but in either case the credit card company will be able to verify it remotely.

The idea is that this cuts down on card-not-present credit card fraud.

The efficacy of this countermeasure depends a lot on how much these new credit cards cost versus the amount of this type of fraud that happens, but in general it seems like a really good idea. Certainly better than that three-digit code printed on the back of cards these days.

According to the article, Visa will be testing this card in 2009 in the UK.

EDITED TO ADD (12/6): Several commenters point out that banks in the Netherlands have had a similar system for years.

Posted on December 4, 2008 at 6:17 AM71 Comments

Who Falls for those Nigerian 419 Scams Anyway?

This is the story of a woman who sent the scammers $400K:

She wiped out her husband's retirement account, mortgaged the house and took a lien out on the family car. Both were already paid for.

For more than two years, Spears sent tens and hundreds of thousands of dollars. Everyone she knew, including law enforcement officials, her family and bank officials, told her to stop, that it was all a scam. She persisted.

Spears said she kept sending money because the scammers kept telling her that the next payment would be the last one, that the big money was inbound. Spears said she became obsessed with getting paid.

An undercover investigator who worked on the case said greed helped blind Spears to the reality of the situation, which he called the worst example of the scam he's ever seen.

EDITED TO ADD (12/13): More about the story.

Posted on December 3, 2008 at 8:20 AM68 Comments

TSA Aiding Luggage Thieves

In this story about luggage stealing at Los Angeles International Airport, we find this interesting paragraph:

They both say there are organized rings of thieves, who identify valuables in your checked luggage by looking at the TSA x-ray screens, then communicate with baggage handlers by text or cell phone, telling them exactly what to look for.

Someone should investigate the extent to which the TSA's security measures facilitate crime.

Posted on December 2, 2008 at 2:15 PM61 Comments

Communications During Terrorist Attacks are Not Bad

Twitter was a vital source of information in Mumbai:

News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage.

The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city. Although the chatter cannot be verified immediately and often reflects the chaos on the streets, it is becoming the fastest source of information for those seeking unfiltered news from the scene.

But we simply have to be smarter than this:

In the past hour, people using Twitter reported that bombings and attacks were continuing, but none of these could be confirmed. Others gave details on different locations in which hostages were being held.

And this morning, Twitter users said that Indian authorities was asking users to stop updating the site for security reasons.

One person wrote: "Police reckon tweeters giving away strategic info to terrorists via Twitter".

Another link:

I can't stress enough: people can and will use these devices and apps in a terrorist attack, so it is imperative that officials start telling us what kind of information would be relevant from Twitter, Flickr, etc. (and, BTW, what shouldn't be spread: one Twitter user in Mumbai tweeted me that people were sending the exact location of people still in the hotels, and could tip off the terrorists) and that they begin to monitor these networks in disasters, terrorist attacks, etc.

This fear is exactly backwards. During a terrorist attack -- during any crisis situation, actually -- the one thing people can do is exchange information. It helps people, calms people, and actually reduces the thing the terrorists are trying to achieve: terror. Yes, there are specific movie-plot scenarios where certain public pronouncements might help the terrorists, but those are rare. I would much rather err on the side of more information, more openness, and more communication.

Posted on December 1, 2008 at 12:02 PM43 Comments

Lessons from Mumbai

I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of the events, I have some initial observations:

  • Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.

  • At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.

  • Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.

  • Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Even metal detectors and threat warnings didn't do any good:

    "If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."

    He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

    "They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories, not analysis. I don't mean to be unsympathetic; this tendency is human and these deaths are really tragic. But 18 armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

EDITED TO ADD (12/13): Two interesting essays.

Posted on December 1, 2008 at 8:03 AM149 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..