Crypto-Gram Newsletter

August 15, 2001

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
<http://www.counterpane.com>

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at <http://www.schneier.com/crypto-gram.html>. To subscribe or unsubscribe, see below.

Copyright (c) 2001 by Counterpane Internet Security, Inc.


In this issue:


Code Red Worm

There has been a lot written about Code Red and its variants in the past month. There are lessons in both the specifics of the original infection, and the general threats these worms exemplify. So, first the trees and then the forest.

The trees: On 19 July 2001, the White House narrowly averted a terrorist attack when security personnel were able to exploit a flaw in a bomb's trigger mechanism and evacuate key personnel to a remote location, causing the bomb to fizzle. The attack was a denial-of-service attack, the target was the White House Web site, and the flaw was in malicious code, but other than that the sensationalist story is basically correct. And this tale of attack and defense in cyberspace contains security lessons for us all.

In June, eEye Digital Security discovered a serious vulnerability in Microsoft's Information Internet Server (IIS) that would allow a hacker to take control of the victim's computer. Microsoft hastily patched the software to eliminate the vulnerability, as they are generally good about doing these days.

By now, everyone realizes that it is impossible for system administrators to keep their patches up to date, so it came as no surprise that hacker tools developed to exploit the vulnerability were able to break into unpatched systems. The Code Red worm exploited this vulnerability. This worm, estimated to have affected over 300,000 computers in the first week, spread automatically without any user intervention (no attachments to open).

Even during the first week there were several variants of the original worm, and most early articles underestimated its virulence -- both in terms of what it does and how well it succeeded. When the original Code Red infected a computer, it defaced any Web site on the server with the words: "Welcome to http://www.worm.com! Hacked by Chinese!" (One variant only defaced the site for ten hours.) Simultaneously, the worm attacked 99 hosts at a time, as quickly as possible. The original variant spread slowly, both because the Web site defacement called attention to itself, and because it had a buggy random number generator. (It's important to use a different seed each time.) A corrected variant, with a correct random number generator and no defacement, spread at a much faster rate. Peak infection rates were estimated at 6,000 hosts a minute.

So far, this is a normal, if virulent, worm. But there was an additional feature. The Code Red worm was programmed to flood www.whitehouse.gov in a massively coordinated distributed denial-of-service attack at 8:00 PM on July 19. The attack failed because of some programming errors in the worm. One, the attack was against a specific IP address, and not a URL. So whitehouse.gov moved from one IP address to another to avoid the attack. And two, the worm was programmed to check for a valid connection before flooding its target. With whitehouse.gov at a different IP address, there was no valid connection. No connection, no flooding.

The worm was programmed to continue to spread until July 20, and try to attack the former IP address of whitehouse.gov until July 28. Then, on August 1, it was to go back to spreading. At least some variants are still spreading today, albeit at a much slower rate than many of the Internet doomsayers predicted.

At first glance, this looked to be a politically motivated attack: hactivism, as it has come to be called. The worm's defacement message implied that it was Chinese, and it was programmed to attack only English-language versions of Windows NT or 2000. If it encountered a foreign version, it went into hibernation, neither spreading nor attacking the White House. But it's hard to know for sure; many random hackers take on mantles of political activism because it gives them a cool cover story. Honestly, I don't believe the political connection.

The White House got lucky. The next worm writer won't make the same programming mistakes. The White House could have alerted their ISP and the upstream network nodes to block the offending packets, but only because they knew what the attack looked like and had enough warning. We can't count on that next time, either.

Since the original Code Red attack, there have been several new (and nastier) variants of the worm discovered, predictions of the entire Internet clogging, admonitions for system administrators to patch their IIS systems to prevent the worm's spreading, and reams of columnists trying to make sense of it all. The result, predictably, is apathy. A CNN online poll showed that 84% of Americans were no longer worried about Code Red. Cry wolf too often, and the public just stops listening.

Now, the forest: The truth is that we all got lucky. Code Red could have been much worse. It had full control of every machine it took over; it could have been programmed to do anything the author imagined, including dropping the entire Internet. It could have spread faster and smarter. It could have exploited several vulnerabilities, and not just one. It could have been stealthier. It could have been polymorphic. Code Red II installs a back door in infected computers. Code Red III is further improved. What will Code Red IV do? What will Code Red XXVII do?

I have long said that the Internet is too complex to secure. One of the reasons is that it is too complex to understand. The swath of erroneous predictions about Code Red's effects illustrates this: we don't know how the Internet really works. We know how it should work, but we are constantly surprised. It's no wonder we can't adequately secure the Internet.

The hundreds of thousands of infected networks could have had better security, but I have long argued that expecting users to keep their patches current is blaming the victim. Even so, I would have expected most people to install *this* patch. But as late as 1 August, after Code Red had been in the headlines for weeks, the best estimates show that only 50% of IIS systems had been patched. Even Microsoft, the company that continually admonishes us all to install patches quickly, was infected by Code Red in unpatched systems.

The Internet moves too fast for static defenses. You can't install every possible patch, and you don't know beforehand which ones are going to be important. New viruses and worms appear all the time, and you don't know beforehand which ones are the ones to worry about. If we are going to make security work on the Internet, we need to think differently. I have put my effort into detection and response, instead of protection, because detection and response can be resilient. I have put my effort into people instead of software because people can be resilient.

But even if you can secure your particular network, what about the millions of other networks out there that aren't secure? One of the great security lessons of the past few years is that we're all connected. The security of your network depends on the security of others, and you have no control over their security.

We shouldn't lose sight of who is really to blame for this problem. It's not the system administrators who didn't install the patch in time, or the firewall and IDS vendors whose products didn't catch the problem. It's the authors of the worm and its variants, eEye for publicizing the vulnerability, and especially Microsoft for selling a product with this security problem. You can argue that eEye did the right thing by publicizing this vulnerability, but I personally am getting a little tired of them adding weapons to hackers' arsenals. I support full disclosure and believe that it has done a lot to improve security, but eEye is going too far. As for Microsoft, you can argue that the marketplace won't pay for secure and reliable software, but the fact remains that this is a software problem. If software companies were held liable for systematic problems in its products, just like other industries (remember Firestone tires), we'd see a whole lot less of this kind of thing.

There are two other lessons of Code Red that I haven't seen talked about. One: Code Red's infection mechanism causes insecure computers to identify themselves to the Internet, and this feature can be profitably exploited. My network is regularly probed by Code Red-infected computers, trying to infect me. I can easily generate a list of those computers and their IP addresses. This is a list of computers vulnerable to the particular IIS exploit that Code Red uses. If I wanted to, I could attack every computer on that list and install whatever Trojan or back door I wanted. I don't have to scan the network; vulnerable computers are continuously coming to me and identifying themselves. How many hackers are piggybacking on Code Red in this manner?

Two: Code Red's collateral damage illustrates the dangers of relying on HTTP as the Internet's communications medium. Cisco has admitted that DSL routers with older firmware were susceptible to a denial-of-service attack when attacked by Code Red. HP print servers and 3Com LANmodems also seem to have been similarly affected, and it is likely that other network infrastructure hardware fell over as well. These devices were not specifically targeted by Code Red. Instead, their Web interface couldn't handle the Code Red attack. There has been an enormous proliferation of random devices with a Web interface: listening on Port 80. This is a large single-point-of-failure that Code Red has illustrated, and no one seems to be talking about.

Hacking is a way of life on the Internet. Remember a few years ago, when defacing a Web site made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit card thefts made the newspaper? Or last year, when fast-spreading worms and viruses made the newspaper? Now these all go unreported because they are so common. Code Red ushers in a new form of attack: a preprogrammed worm that unleashes a distributed attack against a predetermined target. After a couple of dozen Code Red variants and other worms designed along similar lines, we'll think of them too as business as usual on the Internet. And oddly enough, the Internet will survive.

Code Red Worm (the news story as it unfolded):
<http://news.cnet.com/news/0-1003-200-6604515.html>
<http://news.cnet.com/news/0-1003-202-6616583.html>
<http://news.cnet.com/news/0-1003-202-6617292.html>
<http://news.cnet.com/news/0-1003-202-6625470.html>
<http://news.cnet.com/news/0-1003-200-6792918.html>
<http://news.cnet.com/news/0-1003-200-6814221.html>

Advisories:
<http://www.cert.org/advisories/CA-2001-19.html>
<http://www.cert.org/advisories/CA-2001-23.html>
<http://www.ciac.org/ciac/bulletins/l-117.shtml>

Good commentary:
<http://www.time.com/time/columnist/taylor/article/...>

Code Red hype:
<http://www.theregister.co.uk/content/55/20908.html>

Even Microsoft can't keep its patches up to date:
<http://www.eastsidejournal.com/sited/story/html/60582>
<http://www.theregister.co.uk/content/4/20937.html>

Excellent mathematical analyses of the worm:
<http://www.silicondefense.com/cr/>
<http://www.caida.org/analysis/security/code-red/>

Original flaw in IIS:
<http://news.cnet.com/news/0-1003-200-6312870.html>
<http://www.eeye.com/html/Research/Advisories/...>

Editorial on the wisdom of disclosing this vulnerability:
<http://www.theregister.co.uk/content/4/20546.html>

Microsoft's patch:
<http://www.microsoft.com/technet/security/bulletin/...>

Editorial on the dangers of Port 80:
<http://www.zdnet.com/filters/printerfriendly/...>

How others can piggyback on Code Red to attack computers:
<http://braddock.com/cr2.html>


Crypto-Gram Reprints

Vulnerabilities, Publicity, and Virus-Based Fixes:
<http://www.schneier.com/crypto-gram-0008.html#2>

Bluetooth:
<http://www.schneier.com/crypto-gram-0008.html#8>

A Hardware DES Cracker:
<http://www.schneier.com/...>

Biometrics: Truths and Fictions:
<http://www.schneier.com/...>

Back Orifice 2000:
<http://www.schneier.com/...>

Web-Based Encrypted E-Mail:
<http://www.schneier.com/...>


News

Log analysis e-mail list! This list is for system administrators who are building and using a centralized logging infrastructure in their networks. Tina Bird moderates. To subscribe, send an e-mail to:
loganalysis-subscribe@securityfocus.com

The problem of IDS false positives:
<http://www.computerworld.com/cwi/story/...>
My follow-up letter to the editor:
<http://www.computerworld.com/cwi/story/...>

Vendor incompetence as a security problem:
<http://cgi.zdnet.com/slink?118523:8469234>

Russian Mafia is hacking for profit:
<http://www.zdnet.com/intweek/stories/news/...>
This is a big deal. The Soviet Union had some excellent programmers, some of whom are certainly willing to work for organized crime.

The NIT Computer Security Division's ICAT project team is now giving away copies of the its vulnerability database for public use (in Microsoft Access form). The database currently contains 2628 vulnerabilities:
<http://icat.nist.gov>

Hackers are cheating on their SETI@home scores. I've written about this previously: people cheating about the amount of work they do on the SETI@Home project to inflate their standings. This is another article on the same topic, describing an even nastier attack. This is interesting primarily because it shows that there are often non-financial motivations for computer hacking. There's no money involved here; only bragging rights. And look at the effort some people put into cheating.
<http://webserv.vnunet.com/News/1124058>

Good essay on the unfortunate synergies between DMCA and UCITA:
<http://www.osopinion.com/perl/story/12143.html>

The Center for Internet Security is launching a campaign to pressure software companies to improve security and ship software with security features enabled. In a Reuters article, I was quoted as saying: "It will help, but not that much." That comment was printed out of context, and needs clarification. What CIS is doing is trying to establish minimum security standards for various products. Their first attempt is for the Solaris OS: a document detailing the steps necessary to implement a level of security in the operating system, and a program to test how far an existing implementation deviates from that standard. It's free, and versions for Windows and Linux are coming. Near as I can tell, the idea is to establish a security benchmark and then to ratchet it up slowly. Given all of my talk about insurance and risk management, this kind of thing is exactly what we need. By itself it won't improve security, but if insurance companies start writing policies based on compliance, if software companies start touting compliance as a selling point...then it will help a lot. When the CIS first formed, I worried that it would become an "extort-a-standard" body, charging people for a seal of approval. So far there are no signs of them doing that.
<http://www.cisecurity.org/>
<http://www.cisecurity.org/bench_solaris.html>
<http://dailynews.yahoo.com/h/nm/20010720/tc/...>
<http://www.schneier.com/crypto-gram-0101.html#1>

The U.S. government has successfully pressured the Danish government to change its laws, to make searching for copyright violators easier.
<http://www.cluebot.com/article.pl?sid=01/06/26/042210>

Companies don't care about identity theft:
<http://www.washingtonpost.com/wp-dyn/articles/...>

Death to virus writers!
<http://www.zdnet.com/anchordesk/stories/story/...>
The only reason I am listing this article is because of the extreme sentiment. The Internet is a new and strange place to lawmakers. The risks are complex, considerable, and not well-understood. It's easy to overreact. We've seen this overreaction in the prosecutions, convictions, and sentencing of early hackers -- Kevin Poulsen, Kevin Mitnick, etc. -- and we've seen it in some of the government's large-scale Internet surveillance initiatives. The punishments do not fit the crimes. In the 1800s in the American West, stealing horses was often punished by death. The extreme punishment was because horses were so important to society, and people would not tolerate the disruption. The Internet is becoming increasingly important to industrialized society, and I worry that this kind of extreme punishment will continue.
<http://www.zdnet.com/enterprise/stories/security/...>

An interesting spin on something I've been saying for a long time: the interconnectedness of systems increases their vulnerability:
<http://www.nytimes.com/2001/07/27/opinion/27FRIE.html>

Here's a hacker who knows how to make money. Someone broke into the Web site of a company called JDS and gained early access to a press release announcing its fourth-quarter financial results. The company asked both NASDAQ and the Toronto Stock Exchange to halt trading it its stock.
<http://dailynews.yahoo.com/h/nm/20010726/wr/...>

I'm not sure if I want to write about the SirCam worm. On one hand, it's just another Windows e-mail worm that automatically sends itself to people in an infected computer's address book. But it has some clever features. One, it hides in the trash, where most anti-virus programs don't bother checking. Two, it e-mails random data files from the victim's "My Documents" folder to other people. This is probably the cleverest payload I've seen. Many people I know are posting the documents they've received via this worm: personal letters, recipes, business plans, financial documents, and one case of "personal pornography." I read one story about sensitive FBI documents being mailed to people by this worm. I've received 51 copies of this worm so far; more than any other.
<http://news.cnet.com/news/0-1003-200-6671080.html?...>
<http://cgi.zdnet.com/slink?122010:8469234>
And another about secret Ukrainian documents being leaked:
<http://news.cnet.com/news/0-1003-200-6763200.html>
Malware authors are certainly getting more clever.

Way back in 1984, John Gordon gave an after-dinner speech at a coding theory and cryptography conference. The story of this speech has been passed down through the years, as perhaps the funniest speech about cryptography ever given. It's the story of Alice and Bob, of coding theory and cryptography. And it's available online for you to read.
<http://www.conceptlabs.co.uk/alicebob.html>

NIST has posted two new crypto standards for comment. The first is a new version of FIPS 186-2, the Digital Signature Standard (DSS):
<http://csrc.nist.gov/186-2.pdf>
And there's the "Recommendation for Block Cipher Modes of Operation," associated with AES. Especially notice Dual Counter Mode, by Mike Boyle and Chris Salter of the National Security Agency.
<http://csrc.nist.gov/publications/drafts/Modes01.pdf>

Most hacking and cracking contests are nothing more than self-serving nonsense. It's nice to be able to point to an exception: the RSA factoring contest. It has a real objective, fair rules, and a good prize.
<http://www.theregister.co.uk/content/55/20638.html>

Iris recognition will be used to identify passengers at Heathrow Airport. I've written a lot about bad biometric applications. This is actually a good one.
<http://www.msnbc.com/news/605612.asp?pne=msn>

Security problems with Microsoft's Passport protocol. It's a long article and worth reading. From the conclusion: "The bulk of Passport's flaws arise directly from its reliance on systems that are either not trustworthy (such as HTTP referrals and the DNS) or assume too much about user awareness (such as SSL). Another flaw arises out of interactions with a particular browser (Netscape). Passport's attempt to retrofit the complex process of single sign-on to fit the limitations of existing browser technology leads to compromises that create real risks."
<http://avirubin.com/passport.html>

More details on the FBI's bugging of a suspect's computer without a wiretap. Soon we'll find out whether this is constitutional or not.
<http://news.cnet.com/news/0-1003-200-6719544.html>
<http://www.wired.com/news/privacy/0,1848,45684,00.html>
<http://www.wired.com/news/politics/0,1283,45730,00.html>
The FBI says the technology is secret, but the judge asks the FBI for it anyway:
<http://www.wired.com/news/politics/0,1283,45851,00.html>
<http://www.wired.com/news/politics/0,1283,45925,00.html>

Risks of spyware. Some software packages monitor the customers using the software. But what if the servers that the spyware talks to are infected by viruses and Trojans?
<http://www.kuro5hin.org/?op=displaystory;sid=2001/6/...>

Update on the sentencing of the convicted author of the Melissa virus:
<http://www.securityfocus.com/news/230>

We'll soon have software capable of copying any human voice. In a world where voice is a prevalent means of authentication, this will have serious ramifications.
<http://www.nytimes.com/2001/07/31/technology/...>

This story is too weird for words. Microsoft adds PGP signatures at the bottom of its security bulletins, for verification. But if you try to verify the signatures, they fail. Already there has been at least one forged security bulletin, urging people to install a "patch" with a Trojan Horse. Microsoft's reaction to this all simply makes no sense; it's like there's no one thinking there.
<http://www.newsbytes.com/news/01/168397.html>

PDF files can contain viruses. This is 1) another example of the dangers of mixing code and data, and 2) a potential rat's nest if Adobe keeps using the DMCA to restrict people from reverse-engineering its security.
<http://computerworld.com/nlt/...>

If you thought Code Red's infection speed was bad, read about Warhol Worms: malware capable of infecting the Internet in 15 minutes.
<http://www.cs.berkeley.edu/~nweaver/warhol.html>


Counterpane Internet Security News

Schneier is speaking at ISSA events in Wilmington on 8/17, and in Portland, OR, on 9/13.
<http://www.issa-dv.org/>
<http://www.issa.org/Portland/> [note: this appearance has been cancelled]

A couple of months ago, I gave the URL for my white paper on the state of security and the value of network monitoring. Here's a review of the white paper:
<http://www.nwfusion.com/newsletters/sec/2001/...>
The white paper itself:
<http://www.counterpane.com/msm.html>

Along with Vint Cerf, Schneier testified before a U.S. Senate Subcommittee on the subject of Internet security:
<http://www.schneier.com/testimony-commerce.html>
News reports:
<http://www.cnn.com/2001/TECH/internet/07/16/...>
<http://www.newsbytes.com/news/01/167998.html>
<http://www.thestandard.com/article/0,1902,27996,00.html>
<http://www.computerworld.com/itresources/rcstory/...>


The Doghouse: Chantilley Data Security

This column hasn't appeared recently. Things that two years ago deserved "doghouse" treatment -- badly configured Web sites, ineffectual security standards, lousy product security -- are commonplace today; exposing them feels like shooting fish in a barrel. But once in a while I stumble on a company so bizarre that it just screams for ridicule.

Let's all welcome Chantilley Data Security to the world of encryption. From their Web site: "Until five years ago, encryption technology was the province of state security, diplomacy, banking and multinational corporations. Now it is the concern of everyone who sends information by e-mail, who trades on the web, who uses a credit card or who, for any reason, needs to authenticate himself/herself or preserve the integrity of information. Incredible as it may appear, this huge explosion in demand has not been matched by any improvement in encryption technology. Until now." Five years ago? What happened in 1996? Could they possibly be referring to the publication of the second edition of "Applied Cryptography"?

It gets *much* better. On another page they describe "Ciphers:XES the new European Encryption Standard?" "A Solar Cipher is an idea unique to Chantilley. It uses a PRIMARY ENCRYPTION STREAM to 'fire up' a system of SUN WHEELS and PLANET WHEELS providing high encryption strength and using only a small number of simple logical on-line operations. In a Solar Cipher, each new key is a set of primitives which generate cryptographically strong pseudo-random streams, which in turn scramble the wiring of three 256-position rotors as in a rotary cipher." When I first read this page, I thought it was a joke.

"The theoretical maximum entropy of the algorithm is therefore ... equivalent to a 100818 bit key." "There are very sound reasons for claiming that XES1152 may be the best combination of strength and speed of any software cipher in the world." "XES-36 is 30,000 times stronger than DES with similar key strength (if that were possible)." What in the world does that last quote mean?

Their Web site rings all the snake-oil warning bells. They give their stuff weird fancy names: e.g. "expert encryption standard." There are claims about breakthrough technology and totally new cryptography and the like. There are unsubstantiated accolades from nameless experts. There's scientific mumbo-jumbo (that "solar cipher" stuff had me rolling on the floor, and they invoke something called "Multiple Fermat Sequencing"): comparisons with a one-time pad, ridiculous key lengths (they have a symmetric 1152-bit cipher), and claims that conventional ciphers are too slow for real-time data encryption. (Here's a representative quote: "XES-1152 is the fastest and strongest cipher of its kind in the world.") And they clearly don't know what's going on in the cryptography world; they have a product called "Automatic E-Mail Security" that they refer to as "AES."

There's more, but I can't reprint it all. These guys are too much, and their Web site is great entertainment.

<http://www.chantilley.com>

Generic snake-oil information:
<http://www.schneier.com/...>
<http://www.interhack.net/people/cmcurtin/...>


Adobe, Elcomsoft, and the DMCA

In July, after DefCon in Las Vegas, the FBI arrested a Russian computer security researcher who had presented a paper on the strengths and weaknesses of software used to protect electronic books. Dmitry Sklyarov (age 27) landed in jail because the Digital Millennium Copyright Act (DMCA) makes publishing critical research on this technology a more serious offense than publishing nuclear weapon designs. Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech? And How did the entertainment industry end up with stronger laws protecting their content than the information on constructing nuclear weapons?

I've already written about the DMCA, and the ultimate futility of employing technical solutions to prevent digital copying. The specific DMCA provision at work here is the one that explicitly forbids the invention and distribution of "circumvention devices" and "reverse engineering of document protection." Basically, it is illegal to break -- or explain how to break -- technology used to protect digital copyright. If you do, you go to jail (see above).

Technically, the law only protects "effective" copy-protection technology. This is a wonderful piece of circular logic: surely if it has been broken, it wasn't effective. The complaint against Sklyarov sidestepped this problem: "Nevertheless, because the book sold in encrypted form and only accessible through the eBook Reader and is not duplicatable, the copyright holder's interest in the book is protected." But if that were true, then there would no grounds for the case.

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included. But these provisions are being ignored, as we've seen in the DeCSS case against 2600 Magazine, the RIAA case against Ed Felten, and this arrest.

What the DMCA has done is create a new controlled technology. In the United States there are several technologies that normal citizens are prohibited from owning: lock picks, fighter aircraft, pharmaceuticals, explosives. (Ignore guns, since the 2nd Amendment makes it impossible to generalize from their example.) In each of these cases, only people with the proper credentials can legally buy and sell these technologies. (Every participant in the commerce of these items -- buying, selling, or even possessing -- must be registered with some governmental agency. Registration is a mandatory requirement for commerce.) The DMCA goes one step further, though. Not only are circumvention tools controlled, but information about them is also controlled. 2600 Magazine merely described, and linked to implementations of, DeCSS. Ed Felten wanted to present a paper on the deficiencies of the RIAA's various watermark schemes.

I attended Dmitry Sklyarov's talk at DefCon. What he did was legitimate security research. He determined the security of several popular e-book reader products and then notified the respective firms of his findings. His company Elcomsoft published, in Russia, software that circumvented these ineffectual security systems. His DefCon talk was a clear and evenhanded presentation of the facts. He said, in effect: "This security is weak, and here's why." (One particular company he mentioned stored the password in plaintext inside the executable. So anyone with Notepad could have the book modified for easy distribution.)

The FBI nabbed him at the request of Adobe Systems, Inc. for breaking the security on Acrobat's E-Reader API, and held him for weeks without bail. (He's currently out on bail.) The arrest was not because of his presentation, but because of the work his company did while in Russia. This is even more confusing. Elcomsoft created and marketed a product that circumvented Adobe's product. This kind of software is often required in Russia, where people have a legal right to make personal backups. Sklyarov was one of the programmers working on this project, which was completed entirely in Russia. The FBI seems to be claiming that they can arrest you for breaking U.S. law while not in the U.S. Additionally, they can arrest you if your company breaks U.S. law while not in the U.S. Computer scientists have long viewed reverse-engineering as legitimate security research. Fair use allows the owner of a copyrighted work to make copies for his personal use. The DMCA assumes that the
only reason to do any of this work is to pirate copyrighted works. Writing software, publishing technical details, even giving a technical talk is illegal under the DMCA.

In 1979, "The Progressive" magazine tried to publish an article containing technical information on H-bomb design. The government claimed publication of the would result in "grave, direct, immediate and irreparable harm to the national security of the United States." After six months of legal maneuvering, the magazine published it. In 1971, the government tried to prevent "The New York Times" from publishing "The Pentagon Papers." The Supreme Court promptly voted 6-3 to reject the government's censorship attempt, with Chief Justice Warren Burger declaring that "prior restraints on speech and publication are the most serious and least tolerable infringement on First Amendment rights."

Welcome to 21st century America, where the profits of the major record labels, movie houses, and publishing companies are more important than First Amendment rights or nuclear weapons information. (The more you look at the problem, the weirder it becomes. "The New York Times" has the legal right to publish secret government documents, unless they are protected by a digital copy-protection scheme, in which case publishing them would lead to an FBI raid.)

In many ways, the entertainment industry's tactics are similar to the NSA's during their long war against cryptography and cryptographic information. Until the late 1990s, the NSA used the threat of national security to prevent the dissemination of encryption technologies. When they could, they blocked the publication and dissemination of cryptographic information. When that failed, they concentrated on products, using both legal and illegal methods to block encryption software. Many people believe the NSA's primary rubric, export controls, would not stand up to a constitutional challenge, but it was never tested. It wasn't until the Internet made cryptography ubiquitous that the NSA eventually gave up.

During those years I was often asked about the NSA's strategy. Wasn't it doomed to fail? Yes, eventually. But for the NSA, every day they could delay the failure was another day of victory. Maybe the export control regulations (they were never laws) were unconstitutional. Maybe preventing publication of this and that was prior restraint. Maybe pressuring companies to install back doors into their software was illegal. But if it worked for a while, who cares? The NSA was fighting a holding action, and they knew it.

The entertainment industry is behaving the same way. The DMCA is unconstitutional, but they don't care. Until it's ruled unconstitutional, they've won. The charges against Sklyarov won't stick, but the chilling effect it will have on other researchers will. If they can scare software companies, ISPs, programmers, and T-shirt manufacturers (Hollywood has sued CopyLeft for publishing the DeCSS code on a T-shirt) into submission, they've won for another day. The entertainment industry is fighting a holding action, and fear, uncertainty, and doubt are their weapons. We need to win this, and we need to win it quickly. Please support those who are fighting these cases in the courts: the EFF and others. Every day we don't win is a loss.

Elcomsoft's products:
<http://www.elcomsoft.com/>
Government document:
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/...>

A description of Sklyarov's talk, including a link to the slides:
<http://www.zdnet.com/zdnn/stories/comment/...>

EFF support:
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/...>
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/...>

News articles:
<http://www.nytimes.com/2001/07/18/technology/...>
<http://dailynews.yahoo.com/h/nm/20010717/wr/...>
<http://www.wired.com/news/politics/0,1283,45298,00.html>
<http://news.cnet.com/news/0-1003-202-6651535.html>
<http://news.cnet.com/news/0-1005-200-6699001.html>
<http://news.cnet.com/news/0-1005-200-6794178.html>

Thoughtful analyses:
<http://www.osopinion.com/perl/story/12143.html>
<http://securitygeeks.shmoo.com/article.php?...>
<http://www.nytimes.com/2001/07/30/opinion/30LESS.html>
<http://www.zdnet.com/anchordesk/stories/story/...>

Other DMCA cases:
<http://www.eff.org/IP/DMCA/>

Essays about the dangers of the DMCA:
<http://www.privacyfoundation.org/commentary/...>
<http://www.infowarrior.org/articles/2001-05.html>
<http://www.cs.cmu.edu/~dst/DeCSS/Gallery/...>

Poignant satire of the DMCA:
<http://www.linuxplanet.com/linuxplanet/opinions/3642/1/>

Article about this essay:
<http://www.theregister.co.uk/content/4/20932.html>


Protecting Copyright in the Digital World

Every time I write about the impossibility of effectively protecting digital files on a general-purpose computer, I get responses from people decrying the death of copyright. "How will authors and artists get paid for their work?" they ask me. Truth be told, I don't know. I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked: "How do you expect us to get to the stars, then?" I'm sorry, but I don't know that, either.

I am a scientist, and I explain the realities of the science. I apologize if you don't like the truth, but the truth doesn't change because people wish it would be something else. I don't know how authors and artists will make money in a world of easy copyability. I'm an author myself, personally concerned about protecting my own copyright, but I still don't know. I can tell you what will and won't work, technically. You can argue about whether my technical analysis is correct, but it just doesn't make sense to bring social arguments into the technical discussion.

If I had to guess, I believe companies will find a way to make money despite the prevalence of digital copying. Television stations figured out how to make money despite having to broadcast their programming to everyone. There are lots of financial models that don't require selling individual units to make money: advertising, patronage, pay-for-performance, pay-for-timeliness, pay-for-interaction, public funding. I started Crypto-Gram when I was a consultant; I gave the newsletter away and charged for my time. The newsletter was free advertising. The Grateful Dead gave away concert recordings but charged for live performances. Stephen King kept writing chapters of his electronic book as long as a sufficient percentage of his readers paid him to.

I don't know what model will become the prevalent one in the digital world. But I do know that technical methods to prevent digital copying are doomed to fail. (This is not to say that social methods, or legal methods, won't work.) Those companies that have business models that accept this reality are more likely to succeed than those that have business models that reject it. Complain all you like, but reality is reality.

My original analysis:
<http://www.schneier.com/crypto-gram-0105.html#3>


Europe's Cybercrime Treaty

About a year ago, around eighty of us computer-security people signed a letter to the Council of Europe expressing grave concerns with the Council's draft of the Crime in Cyberspace Treaty. Basically, we were concerned about provisions that would criminalize legitimate security research in the same way the DMCA does.

Surprise, surprise: it seems like they listened. Here's the new treaty language:

Article 6: Misuse of devices

1. Each Party shall adopt such legislative and 
other measures as may be necessary to establish as 
criminal offences under its domestic law, when 
committed intentionally and without right:

a. the production, sale, procurement for use, 
import, distribution or otherwise making available 
of: 1. a device, including a computer program, 
designed or adapted primarily for the purpose of 
committing any of the offences established in 
accordance with Article 2 -5; 2. a computer 
password, access code, or similar data by which 
the whole or any part of a computer system is 
capable of being accessed with intent that it be 
used for the purpose of committing any of the 
offences established in Articles 2 - 5; and

b. the possession of an item referred to in 
paragraphs (a)(1) or (2) above, with intent that 
it be used for the purpose of committing any of 
the offences established in Articles 2 - 5.  A 
Party may require by law that a number of such 
items be possessed before criminal liability 
attaches.

2. This article shall not be interpreted as 
imposing criminal liability where the production, 
sale, procurement for use, import, distribution or 
otherwise making available or possession referred 
to in paragraph 1 of this Article is not for the 
purpose of committing an offence established in 
accordance with articles 2 through 5 of this 
Convention, such as for the authorized testing or 
protection of a computer system.

3. Each Party may reserve the right not to apply 
paragraph 1 of this Article, provided that the 
reservation does not concern the sale, 
distribution or otherwise making available of the 
items referred to in paragraph 1 (a) (2).

Not bad. Not perfect, but not bad. It's rare in this business that governments actually listen and do the right thing. Kudos to the European governments who drafted the treaty. This is kind of neat, really.

Let's hope the Americans don't muck it all up.

The entire treaty:
<http://conventions.coe.int/Treaty/EN/projets/...>

Our letter:
<http://www.cerias.purdue.edu/homes/spaf/coe/...>

My original analysis of the treaty:
<http://www.schneier.com/crypto-gram-0008.html#6>


Comments from Readers

From: Bill_Royds pch.gc.ca
Subject: Monitoring
One important thing modern control theory works on is error modeling. As well as controlling the process, you also monitor the changes in process error to know when processes are getting too many errors. In systems administration we often are so concerned about getting the thing to work, that we don't also watch our processes and improve them as well. This attitude (if it ain't broke, don't fix it) works with static systems, but is absolutely dangerous in the dynamic world of IT security. The real slogan should be "if it ain't broke now, it will be soon."

From: "Dmitry Streblechenko" <dmitry dimastr.com>
Subject: Outlook Redemption
You mention one of my products (Outlook Redemption) in your Crypto-Gram newsletter on July 15, and I strongly believe that you are missing the point. Redemption bypasses the Outlook security patch (aka HELL) only when it comes to executing the code already downloaded to a local machine. It does *not* bypass the Outlook security when Outlook disables scripting in HTML e-mails or hides executable attachments. Big difference.
Outlook provides two layers of API: object model (which can be accessed by any language, including any scripting language) and Extended MAPI, which Outlook itself (and Redemption!) uses and which is only accessible to C/C++/Delphi. No scripting languages or VB. Extended MAPI cannot possibly be crippled because Outlook itself will simply stop working. So instead of only blocking the means of receiving and executing the malicious code, MS created an annoyance for those using Outlook Object Model from their legitimate (local) applications. Being an Outlook MVP, I witnessed people who built their businesses using Visual Basic screaming for help when the security patch was released.
For all practical reasons, one can write a virus that uses Extended MAPI instead of the Outlook object model (it just takes more time and a little knowledge of the relevant API); there will be no way to block it short of uninstalling Outlook. Which is fine, since once the code is downloaded and run in the current user security context it can do anything it wants whether Outlook or any other application is installed.
The only way to stop spreading such code is to block it from executing automatically (e.g. script in an HTML e-mail) or to make a user think twice before executing it. Blocking the code which is already installed and assumed to come from a trusted source is outright stupid. That's where Redemption comes into play.

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>. Back issues are available on <http://www.counterpane.com>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane's expert security analysts protect networks for Fortune 2000 companies world-wide.

<http://www.counterpane.com/>

later issue
earlier issue
back to Crypto-Gram index

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..