Schneier on Security
A blog covering security and security technology.
January 2012 Archives
I don't even know where to begin.
Some errors in forensic science may be the result of the biases of the examiners:
Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even though they did not consciously realise what they were doing.
According to my publisher, the book was printed last week and the warehouse is shipping orders to booksellers today. Amazon is likely to start shipping books on Thursday. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they'll ship copies as soon as they get them -- this ain't Harry Potter.) The Kindle edition is already shipping.
Those of you who ordered signed copies from me are likely going to have to wait a couple more weeks. My copies will arrive from the publisher eventually; then I will sign them and ship them on to you.
At the end of February, I'll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author's Studio. I'll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I'll be doing a couple of signings there as well.
Does this story make sense to anyone?
The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'.
There just has to be more to this story. The DHS isn't monitoring the Tweets of random British tourists -- they just can't be.
EDITED TO ADD (1/30): According to DHS documents received by EPIC, the DHS monitors the Internet, including social media.
In February 2011, the Department of Homeland Security announced that the agency planned to implement a program that would monitor media content, including social media data. The proposed initiatives would gather information from "online forums, blogs, public websites, and message boards" and disseminate information to "federal, state, local, and foreign government and private sector partners." The program would be executed, in part, by individuals who established fictitious usernames and passwords to create covert social media profiles to spy on other users. The agency stated it would store personal information for up to five years.
Still, I have trouble believing that this is what happened. For this to work General Dynamics would have had to monitor Twitter for key words. ("Destroy America" is certainly a good key word to search for.) Then, they would have to find out the real name associated with the Twitter account -- unlike Facebook or Google+, Twitter doesn't have real name information -- so the TSA could cross-index that name with the airline's passenger manifests. Then the TSA has to get all this information into the INS computers, so that the border control agent knows to detain him. Sure, it sounds straightforward, but getting all those computers to talk to each other that fast isn't easy. There has to be more going on here.
EDITED TO ADD (1/30): One reader points out that this story is from the Daily Mail, and that it's prudent to wait for some more reputable news source to report the story.
EDITED TO ADD (1/30): There's another story from The Register, but they're just using the Daily Mail.
EDITED TO ADD (1/30): The FBI is looking for someone to build them a system that can monitor social networks.
The information comes from a document released on 19 January looking for companies who might want to build a monitoring system for the FBI. It spells out what the bureau wants from such a system and invites potential contractors to reply by 10 February.
EDITED TO ADD (1/30): New reports are saying that customs was tipped off about the two people, and their detention was not a result of data mining:
"Based on information provided by the LAX Port Authority Infoline -- a suspicious activity tipline -- CBP conducted a secondary interview of two subjects presenting for entry into the United States," says the spokesperson, who notes that the CBP "denies entry to thousands of individuals" each year. "Information gathered during this interview revealed that both individuals were inadmissible to the United States and were returned to their country of residence."
This makes a lot more sense to me.
This was pretty good, I thought:
However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider:
Interesting article from the New York Times on password sharing as a show of affection.
"It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to hide from me."
Ethnologist danah boyd discusses what's happening:
For Meixing, sharing her password with her boyfriend is a way of being connected. But it's precisely these kinds of narratives that have prompted all sorts of horror by adults over the last week since that NYTimes article came out. I can't count the number of people who have gasped "How could they!?!" at me. For this reason, I feel the need to pick up on an issue that the NYTimes left out.
Much more in her post.
Related: a profile of danah boyd.
Readers of this blog will know that I like the works of Max Abrahms, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583–94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11":
The basic narrative of bargaining theory predicts that, all else equal, anarchy favors concessions to challengers who demonstrate the will and ability to escalate against defenders. For this reason, post-9/11 political science research explained terrorism as rational strategic behavior for non-state challengers to induce government compliance given their constraints. Over the past decade, however, empirical research has consistently found that neither escalating to terrorism nor with terrorism helps non-state actors to achieve their demands. In fact, escalating to terrorism or with terrorism increases the odds that target countries will dig in their political heels, depriving the nonstate challengers of their given preferences. These empirical findings across disciplines, methodologies, as well as salient global events raise important research questions, with implications for counterterrorism strategy.
EDITED TO ADD (2/14): The paper.
EDITED TO ADD (1/26): It seems I was wrong when I said that the ruling forces the police to get a warrant before placing a GPS tracking device on a car. The ruling is much more complicated and nuanced.
The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals:
Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered everyday and the industry needs a solution that enables a business to continuously monitor changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable fully-automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior.
I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.
Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the systems that apply, detect, and verify the chemicals.
DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.
I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.
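The continuous-authentication idea above, as an added example that is not DARPA's or anyone's real system: enroll a user from their keystroke hold and flight times, then score each sliding window of live keystrokes by its mean z-score distance from the profile and flag the first window that drifts past a threshold. The features, the z-score metric, the window size, the threshold and the timing data are all constructed for illustration.

```python
"""Continuous authentication from keystroke timing (constructed example)."""
import random
from statistics import mean, pstdev

# Each keystroke is (hold_ms, flight_ms): how long the key was held, and the
# gap before the next key. These are assumed, simplified features.
def enroll(samples):
    """Build a per-feature (mean, stddev) profile from enrollment keystrokes."""
    holds = [h for h, _ in samples]
    flights = [f for _, f in samples]
    # A zero stddev (identical timings) would divide by zero later; floor it.
    return {
        "hold": (mean(holds), pstdev(holds) or 1.0),
        "flight": (mean(flights), pstdev(flights) or 1.0),
    }

def zscore(value, stats):
    """How many standard deviations a value sits from the enrolled mean."""
    mu, sigma = stats
    return abs(value - mu) / sigma

def window_score(profile, window):
    """Mean z-score of a window of keystrokes; lower means 'more like the enrolled user'."""
    return mean(
        (zscore(h, profile["hold"]) + zscore(f, profile["flight"])) / 2
        for h, f in window
    )

def continuous_auth(profile, stream, window=10, threshold=2.0):
    """Slide a window over the live stream. Return (index, score) of the first
    window whose score exceeds the threshold, or None if the user never drifts."""
    for i in range(len(stream) - window + 1):
        score = window_score(profile, stream[i:i + window])
        if score > threshold:
            return i, score
    return None

# Constructed timing data with a fixed seed so the run is reproducible.
_rng = random.Random(7)
def _keystrokes(n, hold_mu, flight_mu):
    return [(_rng.gauss(hold_mu, 15), _rng.gauss(flight_mu, 30)) for _ in range(n)]

ENROLLMENT = _keystrokes(60, 90, 120)          # enrolled user: ~90 ms hold, ~120 ms flight
PROFILE = enroll(ENROLLMENT)
GENUINE_STREAM = _keystrokes(40, 90, 120)      # same user keeps typing
# Session hijack: 20 genuine keystrokes, then a slower, heavier-handed typist takes over.
IMPOSTOR_STREAM = _keystrokes(20, 90, 120) + _keystrokes(30, 170, 300)

if __name__ == "__main__":
    print("genuine :", continuous_auth(PROFILE, GENUINE_STREAM))
    print("impostor:", continuous_auth(PROFILE, IMPOSTOR_STREAM))
```

The threshold trades false rejections against detection delay: the impostor is only flagged once enough of their keystrokes fill the window, so the window length bounds how many keystrokes an attacker gets before re-authentication is demanded.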
Funny news video on Facebook and the CIA.
Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police.
Tomorrow, from 8 am to 8 pm EST, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others.
Good operational security guide to Tor.
Thankfully, this doesn't happen very often:
A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings.
This is a first:
...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.
The PCI standards are probably the biggest non-government security standard. It'll be interesting to see how this turns out.
Yet another story that combines squid and security.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services.
It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need to pass laws like CALEA to force these services to be made insecure, so that the government can eavesdrop.
The counter-argument is the "Golden Age of Surveillance" -- that the massive increase of online data and Internet communications systems gives the government a far greater ability to eavesdrop on our lives. They can get your e-mail from Google, regardless of whether you use encryption. They can install an eavesdropping program on your computer, regardless of whether you use Skype. They can monitor your Facebook conversations, and learn things that just weren't online a decade ago. Today we all carry devices that track our locations 24/7: our cell phones.
In this essay, CDT fellows (and law professors) challenge the "going dark" metaphor and make the case for "the golden age of surveillance." Yes, wiretapping is harder; but so many other types of surveillance are easier.
A simple test can help the reader decide between the "going dark" and "golden age of surveillance" hypotheses. Suppose the agencies had a choice of a 1990-era package or a 2011-era package. The first package would include the wiretap authorities as they existed pre-encryption, but would lack the new techniques for location tracking, confederate identification, access to multiple databases, and data mining. The second package would match current capabilities: some encryption-related obstacles, but increased use of wiretaps, as well as the capabilities for location tracking, confederate tracking and data mining. The second package is clearly superior -- the new surveillance tools assist a vast range of investigations, whereas wiretaps apply only to a small subset of key investigations. The new tools are used far more frequently and provide granular data to assist investigators.
A longer and more detailed version of the same argument can be found in "Encryption and Globalization," forthcoming in the Columbia Science and Technology Law Review.
I have a love/hate relationship with the Cato Institute. Most of their analysis I strongly disagree with, but some of it I equally strongly agree with. Last September 11 -- the tenth anniversary of 9/11 -- Cato's David Rittgers published "Abolish the Department of Homeland Security":
DHS has too many subdivisions in too many disparate fields to operate effectively. Agencies with responsibilities for counterfeiting investigations, border security, disaster preparedness, federal law enforcement training, biological warfare defense, and computer incident response find themselves under the same cabinet official. This arrangement has not enhanced the government's competence. Americans are not safer because the head of DHS is simultaneously responsible for airport security and governmental efforts to counter potential flu epidemics.
I agree with that. In fact, in 2003, when the country was debating a single organization that would be responsible for most (not all, since the Justice Department, the State Department, and the Department of Defense were too powerful to lose any pieces of themselves) of the country's counterterrorism efforts, I wrote:
Our nation may actually be less secure if the Department of Homeland Security eventually takes over the responsibilities of existing agencies. The last thing we want is for the Department of Energy, the Department of Commerce, and the Department of State to say: "Security; that's the responsibility of the DHS."
Back to the Cato report:
The Department of Homeland Security should be abolished and its components reorganized into more practical groupings. The agencies tasked with immigration, border security, and customs enforcement belong under the same oversight agency, which could appropriately be called the Border Security Administration. The Transportation Security Administration and Federal Air Marshals Service should be abolished, and the federal government should end support for fusion centers. The remaining DHS organizations should return to their former parent agencies.
Hard to argue with most of that, although abolishing the TSA isn't a good idea. Airport security should be rolled back to pre-9/11 levels, but someone is going to have to be in charge of it. Putting the airlines in charge of it doesn't make sense; their incentives are going to be passenger service rather than security. Some government agency either has to hire the screeners and staff the checkpoints, or make and enforce rules for contractor-staffed checkpoints to follow.
Last November, the U.S. Congressional Republicans published a report very critical of the TSA: "A Decade Later: A Call for TSA Reform."
This report is an examination and critical analysis of the development, evolution, and current status and performance of TSA ten years after its creation. Since its inception, TSA has lost its focus on transportation security. Instead, it has grown into an enormous, inflexible and distracted bureaucracy, more concerned with human resource management and consolidating power, and acting reactively instead of proactively. As discussed more fully in the Recommendations section on page 18, TSA must realign its responsibilities as a federal regulator and focus on analyzing intelligence, setting screening and security standards based on risk, auditing passenger and baggage screening operations, and ensuring compliance with national screening standards.
In a related link, there's a response to a petition to abolish the TSA. The response is by TSA administrator John Pistole, so it's not the most objective piece of writing on the topic, and doesn't actually respond to the petition:
Why TSA Exists.
Pistole just assumes that what his organization is doing is important, and never even mentions how much it costs or whether it's worth it.
EDITED TO ADD (1/13): The cupcake lady says the TSA is lying.
EDITED TO ADD (1/17): A bakery creates a TSA-compliant cupcake.
The counterterrorism community has spent years trying to determine why so many people are engaged in online jihadi communities in such a meaningful way. After all, the life of an online administrator for a hard-line Islamist forum is not as exciting as one might expect. You don't get paid, and you spend most of your time posting links and videos, commenting on other people's links and videos, and then commenting on other people's comments. So why do people like Abumubarak spend weeks and months and years of their time doing it? Explanations from scholars have ranged from the inherently compulsive and violent quality of Islam to the psychology of terrorists.
Apple has a patent on splitting a key between a portable device and its power supply.
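One way to split a key two ways so that neither half is useful alone, as an added example that is not Apple's patented scheme: the key is XORed with a random share kept in the power supply, the other share stays on the device, and the device keeps a hash commitment so it can tell a genuine supply from a wrong one. The commitment step and the share sizes are assumptions for illustration.

```python
"""2-of-2 key splitting between a device and its power supply (constructed example)."""
import hashlib
import hmac
import secrets

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Return (device_share, supply_share). Each share alone is uniformly random,
    so holding one without the other reveals nothing about the key."""
    supply_share = secrets.token_bytes(len(key))
    device_share = bytes(k ^ s for k, s in zip(key, supply_share))
    return device_share, supply_share

def combine(device_share: bytes, supply_share: bytes) -> bytes:
    """XOR the two shares back together; wrong or mismatched shares give garbage, not an error."""
    if len(device_share) != len(supply_share):
        raise ValueError("share length mismatch")
    return bytes(d ^ s for d, s in zip(device_share, supply_share))

def commitment(key: bytes) -> bytes:
    """Hash stored on the device at split time (assumed design) so a wrong
    supply share is detected before the key is used."""
    return hashlib.sha256(b"device-key-commitment|" + key).digest()

def unlock(device_share: bytes, supply_share: bytes, stored_commitment: bytes):
    """Reconstruct the key and verify it against the stored commitment; None on mismatch."""
    key = combine(device_share, supply_share)
    if not hmac.compare_digest(commitment(key), stored_commitment):
        return None
    return key

if __name__ == "__main__":
    key = secrets.token_bytes(16)
    dev, sup = split_key(key)
    stored = commitment(key)
    assert unlock(dev, sup, stored) == key
    print("unlocked with the right supply; wrong supply ->",
          unlock(dev, secrets.token_bytes(16), stored))
```

The commitment lets anyone holding the device check guesses of the supply share offline, so this only works because the share is full-entropy: 128 random bits are not guessable, whereas a share derived from a short serial number would be.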
The EFF has published a good guide.
John Mueller has been collecting them:
Some 116 of these Very People were surveyed in 2006 by Foreign Policy magazine in a joint project with the Center for America Progress. The magazine stressed that its survey drew from the "highest echelons of America’s foreign policy establishment" and included the occasional secretary of state and national security adviser, as well as top military commanders, seasoned members of the intelligence community, and academics and journalists of the most "distinguished" nature. Over three-quarters of them had been in government service, 41 percent for over ten years. The musings of this group, it was proposed, could provide "definitive conclusions" about the global war on terror.
I've never heard this particular quote before, and find it particularly profound:
In 2004, Russell Seitz plausibly proposed that "9/11 could join the Trojan Horse and Pearl Harbor among stratagems so uniquely surprising that their very success precludes their repetition"....
More predictions here.
Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's involvement in something sinister, but most likely Symantec's biggest problem is public embarrassment.
Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own "Top 10 Good Catches of 2011":
10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I’m just happy there weren’t any lions, tigers, and bears…
That's right; not a single terrorist on the list. Mostly forgetful, and entirely innocent, people. Note that they fail to point out that the firearms and knives would have been just as easily caught by pre-9/11 screening procedures. And that the C4 -- their #1 "good catch" -- was on the return flight; they missed it the first time. So only 1 for 2 on that one.
And the TSA decided not to mention its stupidest confiscations:
TSA confiscates a butter knife from an airline pilot. TSA confiscates a teenage girl's purse with an embroidered handgun design. TSA confiscates a 4-inch plastic rifle from a GI Joe action doll on the grounds that it’s a "replica weapon." TSA confiscates a liquid-filled baby rattle from airline pilot’s infant daughter. TSA confiscates a plastic "Star Wars" lightsaber from a toddler.
In related news, here's a rebuttal of the Vanity Fair article about the TSA and airline security that featured me. I agree with the two points at the end of the post; I just don't think it changes any of my analysis.
Here's a list of all the printers affected.
The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.
Then he points out that if your PIN has only three different digits -- 1231, for example -- the PIN can be one of 36 different possibilities.
So a repeated digit gives you more security, although not much more.
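The counting argument above, carried through as an added example (not from the article): given the digits visible in the smudges, enumerate every PIN of the required length that uses exactly those digits. This generalizes the 24 and 36 figures to any number of distinct digits and any PIN length, and produces the actual candidate list an attacker would try.

```python
"""Candidate PINs consistent with a smudge pattern (added example)."""
from itertools import product

def smudge_candidates(smudged_digits, length=4):
    """All PINs of `length` digits that use every smudged digit at least once
    and no other digit. The attacker sees which keys were touched, not the order
    or how many times each was pressed."""
    digits = {str(d) for d in smudged_digits}
    if not digits or len(digits) > length:
        return []
    return sorted(
        "".join(p)
        for p in product(sorted(digits), repeat=length)
        if set(p) == digits
    )

def candidate_count(smudged_digits, length=4):
    """Number of PINs the attacker must try in the worst case."""
    return len(smudge_candidates(smudged_digits, length))

def counts_by_distinct_digits(length=4):
    """Worst-case search size as a function of how many distinct keys were smudged."""
    return {k: candidate_count(range(k), length) for k in range(1, length + 1)}

if __name__ == "__main__":
    print(counts_by_distinct_digits(4))   # {1: 1, 2: 14, 3: 36, 4: 24}
    print(smudge_candidates({1, 2, 3})[:6])
```

Three distinct digits is the best case for the defender with a 4-digit PIN: 36 candidates, against 24 for four distinct digits and only 14 for two. Even the best case is a search an attacker finishes by hand well before any lockout policy that allows ten or more attempts matters.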
The Liars and Outliers webpage is live. On it you can find links to order both paper and e-book copies from a variety of online retailers, and signed copies directly from me. I've also posted the jacket copy, the table of contents, the first chapter, the 15 figures from the book, an image of the full wraparound cover, and all the blurbs for the book.
Last week, I chose 10 winners from the 278 people who entered the drawing for a free galley copy. Those copies have all been mailed, as have copies to potential book reviewers.
Several readers suggested that I auction some copies, and I'm going to do that now. I have two galley copies that I will auction to the two highest bidders. This is a charity auction; the proceeds from one copy will go to EFF and the other to EPIC. Leave bids in the comments below. The auction closes at the end of the day on Wednesday, January 11. (I am deliberately being sloppy about this. I'm happy to let the bidding go if it will raise more money, but eventually I'm going to call things to a close.) So check the comments for the high bidders, and please contribute to these organizations that are doing a lot to keep the Internet -- and the whole information age -- open and free.
EDITED TO ADD (1/5): There's only one auction. The top two bidders will win, and the proceeds will be split between EPIC and EFF. There's no reason to specify an organization in the bidding.
EDITED TO ADD (1/12): The winners are Tom Ehlert and Manasi. Can both of you please contact me.
The papers are old, but they have just been released under FOIA.
The history of coded messages in postage-stamp placement. I wonder how prevalent this actually was. My guess is that it was more a clever idea than an actual signaling system. And I notice that a lot of the code systems don't have a placement that indicates "no message; this is just a stamp."
Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56–65 (full article behind paywall).
Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR poses significant threats to the continuity of these systems and can result in property damage, human casualties and significant economic losses. In recent years, efforts to both identify and mitigate systemic vulnerabilities through federal, state, local and private infrastructure protection plans have improved the readiness of the United States for disruptive events and terrorist threats. However, strategies that focus on worst-case vulnerability reduction, while potentially effective, do not necessarily ensure the best allocation of protective resources. This vulnerability conundrum presents a significant challenge to advanced disaster planning efforts. The purpose of this paper is to highlight the conundrum in the context of CIKR.
Behzad Zare Moayedi, Mohammad Abdollahi Azgomi, "A Game Theoretic Framework for Evaluation of the Impacts of Hackers Diversity on Security Measures," Reliability Engineering & System Safety, 99 (2012): 45-54 (full article behind paywall).
Abstract: Game theoretical methods offer new insights into quantitative evaluation of dependability and security. Currently, there is a wide range of useful game theoretic approaches to model the behaviour of intelligent agents. However, it is necessary to revise these approaches if there is a community of hackers with significant diversity in their behaviours. In this paper, we introduce a novel approach to extend the basic ideas of applying game theory in stochastic modelling. The proposed method classifies the community of hackers based on two main criteria used widely in hacker classifications, which are motivation and skill. We use Markov chains to model the system and compute the transition rates between the states based on the preferences and the skill distributions of hacker classes. The resulting Markov chains can be solved to obtain the desired security measures. We also present the results of an illustrative example using the proposed approach, which examines the relation between the attributes of the community of hackers and the security measures.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.