Crypto-Gram Newsletter

August 15, 2003

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
<http://www.counterpane.com>

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at <http://www.schneier.com/crypto-gram.html>. To subscribe, visit <http://www.schneier.com/crypto-gram-faq.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com.

Copyright (c) 2003 by Counterpane Internet Security, Inc.


In this issue:


New Book: Beyond Fear

I have a new book on security:

Beyond Fear
Thinking Sensibly About Security in an Uncertain World

This isn't a book about computer security; it's a book about security in general. In it I cover the entire spectrum of security, from the personal issues we face at home and in the office to the broad public policies implemented as part of the worldwide war on terrorism. With examples and anecdotes from history, sports, natural science, movies, and the evening news, I explain how security really works, how it fails, and how to make it effective.

If I can name one overarching goal of the book, it's to explain how we all can make ourselves safer by thinking of security not in absolutes, but in terms of trade-offs -- the inevitable expenses, inconveniences, and diminished freedoms we accept (or have forced on us) in the name of enhanced security. Only after we accept the inevitability of trade-offs and learn to negotiate accordingly will we have a truly realistic sense of how to deal with risks and threats.

This is a book for everyone. I believe that security, as a topic, is something we all can understand. And even more importantly, I believe that the subject is just too critical, too integral a part of our everyday lives, to be left exclusively in the hands of experts. By demystifying security, I hope to encourage all of us to think more sensibly about the topic, to contribute to what should be an open and informed public discussion of security, and to participate vocally in ongoing security negotiations in our civic, professional, and personal lives.

I am very pleased with this book. I started writing it in June 2002, and continued writing it through spring 2003. It has been a lot of work, and I think it's paid off. It's a good book.

Beyond Fear lists for $25, and the publisher is Copernicus Books. It's on Amazon at a 30% discount, with free shipping if you order something else as well. (And they have a really good package deal with my previous book, Practical Cryptography.)

And finally, I have a favor to ask. I'd like to see if I can subvert the Amazon bestseller system and get to #1. My previous big book, "Secrets and Lies," made it to #4. (Harry Potter was #1, #2, #3, and #5.) If everyone who plans on buying this book on Amazon waits until 12:15 PM Pacific time (that's 2:15 PM Central Time, 3:15 PM Eastern time, 8:15 PM UK Time, and 9:15 PM Western European time) on Friday, August 15, and all does it together, I might make #1. Don't worry if you can't do this, but I would appreciate it if you can. Thanks.

Beyond Fear home page:
<http://www.schneier.com/bf.html>

Amazon's page:
<http://www.amazon.com/exec/obidos/ASIN/0387026207/...>

Publisher's page:
<http://www.copernicusbooks.com/detail.tpl?...>


The Doghouse: Top Secret Crypto

This is your pretty standard doghouse crypto product: "true one time pad," "the most powerful encryption program in the world," "RSA key size from 480 to 16,384 bits," (why would anyone use a 480-bit RSA key?), that sort of thing. But here's the funny part: this company cites fiction writer Tom Clancy as an authoritative crypto expert. Here are two quotes from their help file:

"There are many encryption programs that use the 56-bit DES cipher as their conventional encryption algorithm. This has been broken. In fact, the U.S. government has banned its use by government agencies because it does not consider it secure any more. Most of the other encryption programs use conventional encryption algorithms that have 80 or 128 bits keys, such as PGP(tm), which uses the 128 bit IDEAL cipher. These may not be secure either. See Rainbow Six by Tom Clancy for more information."

"Rainbow Six by Tom Clancy--(c) 1998--paperback edition pages 436 and 437. Here Tom Clancy writes that the NSA, with the application of quantum theory to communications security can decipher codes with 128 bit keys, and it appears from his writing that it hardly takes any time at all. The conventional key used by PGP(tm) is only 128 bits. Do you suppose the NSA can break it? Tom Clancy is noted for his accuracy in writing about technology, so I would not be a bit surprised."

There's a lot more in the help files, if you're looking for some good laughs.

The company:
<http://www.topsecretcrypto.com/>

The help files:
<http://www.topsecretcrypto.com/files/TscgHelpFiles.zip>


News

Interesting and amusing story about a handwritten signature in Delaware.
<http://www.delawareonline.com/newsjournal/local/...>

Reconstructing shredded documents. Note that they're not just talking about those cheap shredders that cut documents into thin strips; those have been reconstructed manually for decades now. The article is saying that documents that have gone through cross-cut shredders can -- at least sometimes -- be reconstructed.
<http://www.sanmateocountytimes.com/Stories/...>

Interesting story about the tactics of electronic credit card thieves:
<http://www.securityfocus.com/news/6353>

A good article on John Gilmore's legal battle for the right to fly anonymously:
<http://www.reason.com/0308/fe.bd.suspected.shtml>

And John Gilmore's story of being ejected from a plane for wearing a button reading "Suspected Terrorist":
<http://www.politechbot.com/p-04973.html>

MS Windows passwords can be cracked in an average of 13.6 seconds. Assuming your password consists of just letters and numbers, that is. But my guess is that almost everyone falls into that category.
<http://news.com.com/2100-1009_3-5053063.html>
<http://lasecpc13.epfl.ch/ntcrack/>

Identity thefts in the U.S. have increased by 70% over the last year, but only about 1 in 700 thieves ever get caught.
<http://www.vnunet.com/News/1142517>

The governor of Wisconsin has a secure hotline to national homeland security officials. And he gets telemarketing calls on it...
<http://www.jsonline.com/news/state/apr03/135674.asp>

Really interesting paper on security patches and their installation rate. Turns out that lots and lots of system administrators don't install security patches.
<http://www.rtfm.com/upgrade.html>

RFID implants for humans. I love the "LoJack for people" quote.
<http://www.conspiracyplanet.com/channel.cfm?...>

Overhyping security threats is damaging:
<http://www.wired.com/news/infostructure/...>

The Internet epidemic du jour is the Blaster Worm. I'm not writing about it because it isn't very interesting; it's just more of the same thing we've been seeing for years. But there's one new idea. One variant of the worm downloads a file whose name contains an anatomical term that many spam filters block. I wonder how many emails about the worm never reach their recipient because the filename is given? VERY clever.
<http://www.counterpane.com/alert-v20030811-001.html>

One of the electronic voting machines has been analyzed by computer-security experts, and the results aren't very promising:
<http://www.msnbc.com/news/943558.asp?0cv=TA00&cp1=1>
<http://www.avirubin.com/vote.pdf>
<http://www.scoop.co.nz/mason/stories/HL0307/S00198.htm>
<http://apnews.excite.com/article/20030726/...>

But no one cares about voting machine security:
<http://newsforge.com/article.pl?sid=03/07/25/...>

A good article on how to rig an election with these sorts of machines:
<http://www.truthout.org/docs_03/voting.shtml>

Security and fear:
<http://www.csoonline.com/read/070103/fear.html>

Fun with credit card signatures and verification:
<http://www.zug.com/pranks/credit/index.html>

Good article on Communications Assistance to Law Enforcement Act (CALEA). Among other things, the author asserts that CALEA terminals have been hacked regularly.
<http://www.pbs.org/cringely/pulpit/pulpit20030710.html>

Very interesting article on ATM fraud, in all its varieties:
<http://www.iht.com/articles/105087.html>

Once again, the courts have ordered the Department of Interior to get its computers off the Internet if they can't protect the privacy of American Indian data.
<http://www.gcn.com/vol1_no1/security/22935-1.html>
<http://www.dcd.uscourts.gov/96-1285at.pdf>
<http://www.dcd.uscourts.gov/96-1285as.pdf>
I wrote about this exact problem a year and a half ago:
<http://www.schneier.com/crypto-gram-0112.html#2>

Dealing with security regulations:
<http://www.csoonline.com/read/070103/chaos.html>

Police bees. A fascinating article about how bees cope with security problems:
<http://www.nature.com/nsu/nsu_pf/020422/020422-16.html>

Will anonymous mail become a thing of history?
<http://computerworld.com/newsletter/...>

Long, but very well written, article about identity theft:
<http://www.washingtonpost.com/wp-dyn/articles/...>
SlashDot discussion of countermeasures:
<http://ask.slashdot.org/askslashdot/03/08/12/...>


Counterpane News

Counterpane has a new CEO. Paul Stich has been promoted from COO to CEO. Former CEO Tom Rowley remains as Chairman of the Board.
<http://www.counterpane.com/pr-20030813.html>

Schneier is speaking at the International Design Conference in Aspen on August 21st.
<www.idca.org>

Password Safe is available for the PocketPC:
<https://sourceforge.net/project/showfiles.php?group_id=41019&release_id=172730>
And Release 1.92c for Windows is available for download. This is a maintenance release, fixing a few minor annoyances.
<https://sourceforge.net/project/showfiles.php?group_id=41019&release_id=177038>


Security Notes from All Over: Photo-ID Verification

A reader sent in this conversation he overheard at a corporate security desk one morning:

Employee: I have lost my photo-ID card, can I get a day pass please?

Security Guard: Certainly, what is your serial number?

Employee: 123456

[Security guard pulls up the details on his computer, which includes a photograph of the employee.]

Security Guard: Do you have a driver's license or another piece of identification which has your picture on it?

Employee: Why would you need that?

Security Guard: To match against our records.

Employee: A picture of my face?

Security Guard: Yes

Employee: This is my face -- I am wearing it on my head.

Security Guard: I need another piece of ID with a picture on it to compare against this one.

This is a great story, because it illustrates how completely clueless security guards can be about how security really works. The point of the photo ID is to allow the guard to match a face with an authorization. A photo ID that is only issued to employees accomplishes that. The database does the same thing: it contains both the employee's photo and his authorization. But the guard doesn't understand that; all he knows is that he needs to look at a piece of plastic with the person's picture.


Flying on Someone Else's Airplane Ticket

The photo-ID requirement on airplanes was established in 1996 by a still-secret FAA order. It was a reaction to TWA flight 800, which exploded shortly after takeoff, killing all 230 on board. This was an accident -- after 18 months the FBI concluded that there was no evidence of a bomb or missile -- but the ID requirement was established anyway. The idea is that checking IDs increases security by making sure that the person flying is the person who bought the ticket. After 9/11, the government decided that checking IDs multiple times increased security even more, especially since there is now a "watch list" of suspicious people to check the names against.

It doesn't work. It's actually easy to fly on someone else's ticket. Here's how: First, have an upstanding citizen buy an e-ticket. (This also works if you steal someone's identity or credit card.) Second, on the morning of the flight print the boarding pass at home. (Most airlines now offer this convenient feature.) Third, change the name on the e-ticket boarding pass you print out at home to your own. (You can do this with any half-way decent graphics software package.) Fourth, go to the airport, go through security, and get on the airplane.

This is a classic example of a security failure because of an interaction between two different systems. There's a system that prints out boarding passes in the name of the person who is in the computer. There's another system that compares the name on the boarding pass to the name on the photo ID. But there's no system to make sure that the name on the photo ID matches the name in the computer.

In terms of security, this is no big deal; the photo-ID requirement doesn't provide much security. Identification of passengers doesn't increase security very much. All of the 9/11 terrorists presented photo-IDs, many in their real names. Others had legitimate driver's licenses in fake names that they bought from unscrupulous people working in motor vehicle offices.

The photo-ID requirement is presented as a security measure, but business is the real reason. Airlines didn't resist it, even though they resisted every other security measure of the past few decades, because it solved a business problem: the reselling of nonrefundable tickets. Such tickets used to be advertised regularly in newspaper classifieds. An ad might read: "Round trip, Boston to Chicago, 11/22-11/30, female, $50." Since the airlines didn't check IDs and could observe gender, any female could buy the ticket and fly the route. Now that won't work. Under the guise of helping prevent terrorism, the airlines solved a business problem of their own and passed the blame for the solution on to FAA security requirements.

But the system fails. I can fly on your ticket. You can fly on my ticket. We don't even have to be the same gender.


More Airline Insecurities

Number one. By now everyone has seen those large CTX baggage scanning machines. At about $2 million each, they're very good at finding explosives in luggage. Unfortunately, they're also very good at finding other things too -- the false positive rate is very high. Turns out that peanut butter looks a whole lot like plastic explosives (C-4, Semtec, etc). Smuggling a bomb on board an airplane is as easy as taking a jar of peanut butter, breaking it in your luggage so that it smears around everything, and then slipping a bomb into the suitcase.

Number two I wrote about in my book, Beyond Fear: "You can even make a knife on board the plane. Buy some steel epoxy glue at a local hardware store. It comes in two tubes: a base with steel dust and a hardener. Make a knifelike mold by folding a piece of cardboard in half. Then mix equal parts from each tube and form into a knife shape, using a metal fork from your first-class dinner service (or a metal spoon you carry aboard) for the handle. Fifteen minutes later you've got a reasonably sharp, very pointy, black steel knife."

The point here is to realize that security screening will never be 100% effective. There will always be ways to sneak guns, knives, and bombs through security checkpoints. Screening is an effective component of a security system, but it should never be the sole countermeasure in the system.

"Confessions of a Baggage Screener":
<http://www.wired.com/wired/archive/11.09/bagscan.html>


Hidden Text in Computer Documents

In the beginning, computer text files were filled with weird formatting commands. (Anyone remember WordStar's dot commands?) Then we had WYSIWYG: What You See Is What You Get. Or, more accurately, what you see on the screen is what you get on the printer. In the beginning, what you saw on the screen what was what was actually in the digital file. With WYSIWYG, what you saw on the screen was not in the digital file; formatting commands remained hidden from view, and the screen looked like the printed page.

WYSIWYG was an huge improvement, because it enabled writers to more easily format documents and see the results of that formatting. But it also brought with it a new security vulnerability: the leakage of information not shown on the screen (or on the printed document). Most of the time it's completely benign formatting information, but sometimes it's actual text. And because the user sees what the printed page looks like, he never even knows that this text is in the file. But someone who is even a little bit clever can recover the text, with embarrassing or even damaging results.

Three examples:

Last month, Alastair Campbell, Tony Blair's Director of Communications and Strategy, was in the hot seat in British Parliament hearings explaining what roles four of his employees played in the creation of a plagiarized dossier on Iraq that the UK government published in February 2003. The names of these four employees were found hidden inside of a Microsoft Word file of the dossier, which was posted on the 10 Downing Street Web site for the press. The "dodgy dossier," as it became known in the British press, raised serious questions about the quality of British intelligence before the second Iraq war.

Last year, during the manhunt for the DC sniper, a letter was left for the police by the sniper that included specific names and telephone numbers. Perhaps in order to persuade the panicking public that the police were in fact doing something, they allowed the letter to be published -- in redacted form -- on the Washington Post's Web site. Unfortunately, they implemented the redactions by the completely pointless method of placing black rectangles over the sensitive text in the PDF. A simple script was able to remove these boxes and recover the full PDF.

And three years ago in Crypto-Gram, I told the story of a CIA document that the New York Times redacted and posted as a PDF on its Web site. The document concerned an old Iranian plot, and contained the names of the conspirators. The New York Times redacted the document in the same reversible way that the Washington Post did.

So much for examples. How pervasive is this problem? In a recent research paper, S.D. Byers went out on the Internet to see what sorts of hidden information he could find. He concentrated on Microsoft Word, because Word documents are notorious for containing private information that people would sometimes rather not share. This information includes people who wrote or edited the document (as Blair's government discovered), information about the computers and networks and printers involved in the document, text that had been deleted from the document at some prior time, and in some cases text from completely unrelated documents.

Byers collected 100,000 MS Word documents, at random, from the Web. He built three scripts to look for hidden text, and found it in all documents. Most of it was uninteresting -- the name of the author -- but sometimes it was very interesting. His conclusion was that this problem is pervasive.

MS Word was the subject of Byers's paper, but other data files can leak private information: Excel, PowerPoint, PDF, PostScript, etc. There's no excuse for the companies that own those formats not to create a program that scrubs hidden information from these files. And certainly there's a business opportunity for some third party to create such a scrubber program, but they should be outside the U.S., because it might be a violation of the DMCA to do it. Microsoft's closed proprietary file formats make it harder to write such a scrubber, and unless Microsoft makes some additional changes in its software (e.g. usage and default values), scrubbers will remain an imperfect solution.

Oh, and the press uses techniques like this to unredact stuff all the time. I believe they don't mention it much because they're afraid they'll lose access to all that leaked information.

Byers's research paper:
<http://www.user-agent.org/word_docs.pdf>

Tony Blair bitten by inadvertent info left in MS Word files:
<http://www.computerbytesman.com/privacy/blair.htm>

The DC sniper letter:
<http://www.planetpdf.com/mainpage.asp?webpageid=2434>

DC sniper letter in redacted form:
<http://www.user-agent.org/washpost_sniperletter.pdf>

Same letter, unredacted:
<http://www.user-agent.org/washpost_unredacted.pdf>

The CIA and a redacted PDF file:
<http://www.schneier.com/crypto-gram-0007.html#1>


Comments from Readers

From: Elliotte Rusty Harold <elharo metalab.unc.edu>
Subject: How to Fight
In your recent Cryptogram, you say: "Second, naming and shaming doesn't work. Just as it doesn't make sense to negotiate with a clerk, it doesn't make sense to insult him."
I have to disagree. Sometimes it does make sense to argue with or occasionally even insult a clerk. Consider the case of airlines. In particular, consider the counter clerks. For years, they have routinely and repeatedly ignored and violated airline rules on excess baggage and baggage weight. Why? Simply because these workers know from experience that if they enforce the rules, the customer is very likely to complain, become irate, call for a manager, slow down their line, possibly yell at them, possibly insult them, and generally make their day unpleasant. Multiply this by the dozens of customers they see each day with too much baggage, and they simply stop enforcing the rules.
How effective this is is all relative. It depends on how irate customers get, how many customers become irate, who the guards are, and how real the security measure is. I doubt becoming irate would have much effect on the guards at the metal detector you pass through before entering the concourse. There probably wouldn't be enough irate customers to change the behavior of a pharmacist, though the loss of business for an owner-operated pharmacist might be significant enough to make a personal negotiation effective. (Yet another reason to support family pharmacies instead of chains.) However, at the hotel I think it could be very effective. If the desk clerk knew that every time they insisted on photocopying a customer's driver license, they were going to be subjected to a unpleasant experience, they would simply stop asking for it, or they would back down very quickly as soon as the customer raised an objection.
The clerks may not make the rules, but they do enforce them and they have the direct and immediate power not to enforce them. Whether they enforce them is directly tied to their expectations of the personal consequences of enforcing or not enforcing those rules. As long as customers are invariably polite and understanding, there are no negative consequences for the clerk for enforcing the rules.
No, this isn't particularly nice; but neither is photocopying your personal information for no good reason. Until the rules can be changed, it is only reasonable to expect that hostile, anti-customer requirements will elicit hostile customer feedback. Long term, this is a significant component of changing the rules. As long as airlines/pharmacists/hotels can argue that no one objects to the rules, they don't have any incentive to change them. As soon as it becomes obvious that hostile reactions to the rules are costing them money by taking more time and making it harder to recruit good employees, they'll take notice.

From: "Taylor, Stephen" <STEPHEN.TAYLOR saic.com>
Subject: How to Fight
Bad experiences with people who do not have power to make decisions is not new, but it is getting worse. I think that we suffer from the fact that the world has so many people in it; we are always just another face in line. To me it is an effect of the "mall"-ing of America and of the growth of corporate and government bureaucracies. The procedures which you don't like were probably given little if any thought during their creation. Once in place, the employees follow them or chance losing their jobs.
In particular situations, it may be worth the fight. Education is the key to permanently changing the culture. The public needs to understand security so that they are not fooled by the politicians and the media managers. An airline should not be able to reject the suggestion to put locks on cockpit doors (prior to 9/11), for instance. The media should quit throwing the word "security" around as if the word itself conveys the same meaning to everyone. And something that is dear to me right now, companies that deal in financial information should not be so easily fooled by someone with a stolen Social Security number. The situation with the use of the SSN has gone far beyond the need for action.

From: Carsten Turner <carsten netway.com>
Subject: How to Fight
In the instance of the pharmacy, you don't write and say "I'll never shop here again." Instead, you write, "I'm writing to the manufacturers whose products you sell and tell them that as long as they do business with you, I'll think less of their products." It's a variation of telling the newspaper "I'm sick of your yellow journalism, so I'm writing to your advertisers and telling them what I think."
You are only one consumer, and your spending habits will cost the pharmacy only so much. If you bang on the door of enough manufacturers, you might find the one that is sympathetic to your opinions, and the pharmacy might stand to lose more.

From: Radovan Semancik <semancik bgs.sk>
Subject: How to Fight
If I was an owner of a hotel, I would really want to know the identity of my guests. The risk of unpaid bills or other damage could be quite high. If I had a big corporate building, I would like to know the identity of people entering it. There could be high-value assets to protect, and if anyone enters to do the maintenance, I would like to know who he is and check his permission to enter. I could even understand the Japanese mobile company, their risk may be high. But I could not understand why they want a passport number without checking it. That is IMHO the real flaw in security, not the fact that they want to identify their customers.
I cannot say I understand "American" way of life and your public security ideals. If I've got it right, you live without any document that asserts your identity (like national ID). If that's true, how do you get an account in a bank? How do you prove your identity while entering a higher-security area? How you get identified for the university exams? Driver's license? What if I do not posses one? Signature? I cannot produce the same signature twice. (My bank occasionally refuses to give me my money because of this.) My girlfriend can make a better signature of mine than I can. What else?
We in Europe (well, in central and eastern Europe at least) have national IDs issued (legacy of 'communist' age) and I do not think our security or privacy is worse. I have to prove my identity if I go to the hotel, but the hotel owner must tell me why he wants my personal data and he must to destroy it once I leave the hotel and all my bills are paid. If I want to make bank withdrawal I need to present my photo ID. Is that unnecessary annoyance? I don't think so. I see it as a protection measure for my money (anyone stealing my money must steal or counterfeit my ID first). If I want to rent a car or a boat, I need to present my ID. That is a measure for me to return the rented machine back or to be sued for stealing it.
I'm not arguing that all identification attempts are right. The pharmacy example in your article may be an example, but as I do not see all the details I do not dare to judge. Quick judgments with lack of complete information could be really dangerous.
IMHO, the real problem is that pseudonymity (as used for example in some digital identity systems) is not possible in real life (yet). And we must present our full identity too often. But by fighting any and each identification attempt without first telling apart the good ones and the bad ones may cause much harm.

From: Richard Kay <rich copsewood.net>
Subject: How to Fight
On the question of giving away personal details through corporate rule-followers, I have got into the habit of giving scrambled details where appropriate; e.g., my phone number if I don't want my real one on the relevant database. Encouraging enough people to do this seems likely to be easier than getting a lot of people politically active over what may seem, to non-geeks, a technical and obscure cause.
Even reversing a couple of digits in a phone number or post (Zip) code is enough to reduce the validity of a database, and if enough people do this the corporate marketeers who create rules requiring employees to collect this information will end up with unreliable and unusable data. Even on official forms where there is a criminal penalty for giving false information, apparently accidental minor dyslexia is unlikely to be provable as intent to give false information in a court of law and can help to throw grit in the wheels of unwelcome bureaucracy.

From: "bill" <bill strahm.net>
Subject: National Threat Levels
Your comments about national threat levels don't seem quite accurate to me. You said: "The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is that the DEFCON system is tied to particular procedures; military units have specific actions they need to perform every time the DEFCON level goes up or down. The color-alert system, on the other hand, is not tied to any specific actions. People are left to worry, or are given nonsensical instructions to buy plastic sheeting and duct tape. Even local police departments and government organizations largely have no idea what to do when the threat level changes."
There are specific things that happen at least in the two threat levels that we have seen (yellow and orange). For one, during orange alerts I can detect raised security; there are more police in and around the airport, more checks, etc. I was very surprised that they didn't raise the level over the 4th of July holiday weekend like they have over all of the other holidays. However what I saw was a "orange" alert level of security at the airports. I would love to know if security was silently raised at the airports, if it was a local decision (at the two airports I fly between) or was a silent raising of security on a national level.

From: Bron Gondwana <brong brong.net>
Subject: Hiding Jewelry in Red Wine
This is a very clever idea, but unfortunately here is a fantastic example of how security through obscurity (possibly better said as security through rarity or security through diversity) does work.
While the robbers are unaware of this technique, it will work, but once it becomes common enough -- or well enough publicized -- the technique no longer works. The robbers will just knock over every glass of red wine in the house which is close enough to a woman.
If the restaurant offers cheap house red for this purpose, then the robber would have to be blind (or very poor at doing their homework) to miss this possibility.
I guess the more intelligent of those women will already be looking for a new way to protect their possessions -- one which hasn't become trendy enough to be detected yet. If I was one of them, I certainly wouldn't be telling anyone what my technique was.

From: "Steven Alexander" <alexander.s mccd.edu>
Subject: Teaching Viruses
Allan Dyer wrote: "We need more people who understand viruses and how to combat them, but it is not necessary to create a virus to understand them."
It is necessary. Granted, the basic idea behind a virus or worm can be understood without writing one. However, to really understand how viruses work, writing a virus does become necessary. Writing a program that adds another program to itself is not the same thing. Infecting new files from already infected executables is quite a bit more difficult because you have to design a program that can handle a general case rather than a specific one.
Viruses have to do things such as detect executable types and extract their code from the infected program that they are running in. At times, they have to perform some sort of privilege escalation in order to spread. Copying another program into your own wouldn't normally require this, though you could try to add a program that you don't have permission to read. To be an expert on the subject you need to know the difference between infecting a .COM, .EXE, Windows PE or ELF executable; you need to know how the differences in Windows and Unix memory organization affect viruses. The subtleties will escape you if you've never sat down and actually written a virus.

From: "Singer, Nicholas" <nick.singer us.army.mil>
Subject: American Express Security
When I called to activate an American Express credit card I had received in the mail, the automated system told me that I would have to associate a PIN with it. The system told me that other users liked the idea of using their mother's birthday as a four digit PIN. After some experimentation, I discovered that the system would accept only those four digit PINs that corresponded to dates: 0229" was acceptable but not 0230" and certainly not 3112" (New Year's Eve, European style.) Thus the system policy administrators had reduced the 10,000 possible four-digit PINs to 366.
When I asked a human being at American Express if I could be allowed to choose a non-datelike PIN, they complied but warned me that they wouldn t be able to give me a hint if I later forgot it.

From: Phil Stripling <philip civex.com>
Subject: "I haven't a clue, really"
On the letter you received from "Somewhere," I'm surprised you have published it and are treating it a source of entertainment for your readers. It appears to me, as you say it does to you, to be from a mentally ill person, and I am sorry to say I just don't see the entertainment value of this poor person's suffering. I think you made a slip in judgment.

From: Andy Brown <RobertTaylor SpamCop.net>
Subject: "I haven't a clue, really"
I am writing with regard to the message in the Letters-section of your Crypto-Gram of 15 July, 2003, which contains the header, "From: Somewhere / Subject: I haven't a clue, really". In a preamble to this message, you assert, "I reprint it here solely for entertainment purposes."
With respect, I must tell you that I did not find this letter entertaining in the slightest degree; on the contrary, I found it disturbing in its content, and annoying inasmuch as you should have chosen to publicize it. Perhaps, as you intimate, the writer of this missive may be delusional. If that were the case, surely s/he would be deserving of compassion -- but hardly of public display; and in any event, it is anything but yours (or mine) to arrogate to ourselves the role of armchair-analyst omniscience. ("... delusional paranoia ..."? That is an extremely powerful term, which even the "experts" appear to have trouble with.)

From: Andy Brown <logic warthog.com>
Subject: "I haven't a clue, really"
Paranoia, in small doses, is a virtue of a diligent security professional. Delusion is among the worst vices. Reading the two clash in this month's Crypto-Gram was fascinating. More so after spending a few minutes Googling and finding a few links to reality from that poor woman's letter.
Being in the position you are, you must receive a barrage of bizarre letters. But I'm sure I'm not your only reader who would like to see more of these reprinted in Crypto-Gram, even if the identities of the innocent are removed. I find the relationship between security and psychology to be both important in practice, and thought-provoking. You are in a unique position to share these interesting (if occasionally disturbing) blends, and I encourage you to do so.

From: Alexandre [mailto:salexru2000 sympatico.ca]
Sent: Friday, August 08, 2003 1:53 PM
To: info@counterpane.com
Subject: "I haven't a clue, really"
As I am familiar with some aspects of paranoia this letter was interesting for me because it is known that in many cases persecutory paranoia is caused by real reasons. Attacker has to be just persistent and have sufficient resources to make the world lopsided for chosen person. It could be drug, environmentally and/or motivationally induced.
This poses interesting and so far unsolved question: which techniques could be used to differentiate reality from imagination if reality exists at all? How reality could be "authenticated"?
This woman doesn't seem to be entertained by her situation -- she is clearly "authenticating" wrongly. It might be already too late for her. Anyway, when you receive e-mail from known or unknown source, which looks like triggered or stimulated the process in her case, how can you be sure that information there is authentic? Maybe passwords, keys and other secrets were stolen or broken and used against you and you just don't know yet about it. Maybe person, who calls you on the phone is just computer synthesized or recorded voice? Future might be even worse in this respect--how about bioclones and AI, which will cheat any possible biometrics?
You can't fight delusions and you can't really ignore them, especially when you can't discern between delusions and reality. In real life we use "common sense" criteria. If something happens is it unusual/harmful? Unusual is red flag. Harmful too. We exercise caution then. And common sense helps us to stop before drowning in "what ifs". Unfortunately on bigger scale this approach also doesn't work properly -- we can't predict reliably enough if our actions will be harmful in the long run and for whom -- like in your story with faked passport data. Next year you might be filtered out as "suspect" person or even worse, right?
Cryptography is reeking of paranoia -- can it help fight it? Or is it helping to build up paranoid tendencies? The more you know about how "they" can cheat you -- the more suspicious you become, right?

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. Back issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, see <http://www.schneier.com/crypto-gram-faq.html>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane's expert security analysts protect networks for Fortune 1000 companies world-wide.

<http://www.counterpane.com/>

Copyright (c) 2003 by Counterpane Internet Security, Inc.

later issue
earlier issue
back to Crypto-Gram index

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..