Crypto-Gram Newsletter

July 15, 2005

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
<http://www.schneier.com>
<http://www.counterpane.com>

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0507.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.


In this issue:


London Transport Bombings

I was on vacation last weekend, and still haven't had a lot of time to read or write about the London Transport bombings. For now, I would just like to express my sympathy and condolences to those directly affected, and to the good people of London, England, Europe, and the world. Targeting innocents might be an effective tactic, but that doesn't make it any less craven and despicable.

I would also like to urge everyone not to get wrapped up in the particulars of the terrorist tactics. We need to resist the urge to react against the particulars of this particular terrorist plot, and to keep focused on the terrorists' goals. Spending billions to defend our trains and buses at the expense of other counterterrorist measures makes no sense. Terrorists are out to cause terror, and they don't care if they bomb trains, buses, shopping malls, theaters, stadiums, schools, markets, restaurants, discos, or any other collection of 100-plus people in a small space. There are simply too many targets to defend, and we need to think more intelligently than simply protecting the particular targets the terrorists attacked last week.

Smart counterterrorism focuses on the terrorists and their funding -- stopping plots regardless of their targets -- and emergency response that limits their damage.

I'll have more to say next month. But again, my sympathy goes out to those killed and injured, their family and friends, and everyone else in the world indirectly affected by these acts as they are endlessly replayed in the media.


Terrorism Defense: A Failure of Imagination

The 9/11 Commission report talked about a "failure of imagination" before the 9/11 attacks: "The most important failure was one of imagination. We do not believe leaders understood the gravity of the threat. The terrorist danger from Bin Ladin and al Qaeda was not a major topic for policy debate among the public, the media, or in the Congress. Indeed, it barely came up during the 2000 presidential campaign."

More generally, this term has been used to describe the U.S. government's response to the terrorist threat. We spend a lot of money defending against what they did last time, or against particular threats we imagine, but ignore the general threat or the root causes of terrorism.

With the London bombings, we're doing it again. I was going to write a long post about this, but Richard Forno already wrote a nice essay.

Forno's essay:
<http://www.infowarrior.org/articles/2005-01.html>

9/11 Commission Report:
<http://www.washingtonpost.com/wp-srv/nation/...>

<http://en.wikipedia.org/wiki/Failure_of_imagination>


CardSystems Exposes 40 Million Identities

The personal information of over 40 million people has been hacked. The hack occurred at CardSystems Solutions, a company that processes credit card transactions. The details are still unclear. The New York Times reports that "data from roughly 200,000 accounts from MasterCard, Visa and other card issuers are known to have been stolen in the breach," although 40 million were vulnerable. The theft was an intentional malicious computer hacking activity: the first in all these recent personal-information breaches, I think. The rest were accidental -- backup tapes gone walkabout, for example -- or social engineering hacks. Someone was after this data, which implies that's more likely to result in fraud than those peripatetic backup tapes.

CardSystems says that they found the problem, while MasterCard maintains that they did; the New York Times agrees with MasterCard. Microsoft software may be to blame. And in a weird twist, CardSystems admitted they weren't supposed to keep the data in the first place.

From the New York Times: "The official, John M. Perry, chief executive of CardSystems Solutions...said the data was in a file being stored for 'research purposes' to determine why certain transactions had registered as unauthorized or uncompleted."

Yeah, right. Research = marketing, I'll bet.

This is exactly the sort of thing that Visa and MasterCard are trying very hard to prevent. They have imposed their own security requirements on companies -- merchants, processors, whoever -- that deal with credit card data. Visa has instituted a Cardholder Information Security Program (CISP). MasterCard calls its program Site Data Protection (SDP). These have been combined into a single joint security standard, PCI, which also involves Discover, American Express, JCB, and Diners Club to some degree.

PCI requirements encompass network security, password management, stored-data encryption, access control, monitoring, testing, policies, etc. And the credit-card companies are backing these requirements up with stiff penalties: cash fines of up to $100,000, increased transaction fees, and termination of the account. For a retailer that does most of its business via credit cards, this is an enormous incentive to comply.

These aren't laws, they're contractual business requirements. They're not imposed by government; the credit card companies are mandating them to protect their brands.

Every credit card company is terrified that people will reduce their credit card usage. They're worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They're worried about how their brands are perceived by the public. And they don't want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud. (Or, at least, by giving reporters the opportunity to write headlines like "CardSystems Solutions hands over 40M credit cards to hackers.")

So independent of any laws or government regulations, the credit card companies are forcing companies that process credit card data to increase their security. Companies have to comply with PCI or face serious consequences.

Was CardSystems in compliance? They should have been in compliance with Visa's CISP by 30 September 2004, and certainly they were in the highest service level. (PCI compliance wasn't required until 30 June 2005 -- about two weeks after the breach was announced.) The reality is more murky.

Also from the New York Times:

"After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards.

"Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. 'They were in violation of our rules,' she said.

"It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems 'a limited amount of time' to do so.

"Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, 'This particular processor was not following Visa's security requirements when we found out there was a potential data compromise.'

"Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004."

All of this demonstrates some limitations of any certification system. One, companies can take advantage of interpersonal and intercompany politics to get themselves special treatment with respect to the policies. And two, all audits rely to a great extent on self-assessment and self-disclosure. If a company is willing to lie to an auditor, it's unlikely that it will get caught.

Unless they get really caught, like this incident.

Self-reporting only works if the punishment exceeds the crime. The reason people accurately declare what they bring into the country on their customs forms, for example, is because the penalties for lying are far more expensive than paying any duty owed.

If the credit card industry wants their PCI requirements taken seriously, they need to make an example out of CardSystems. They need to revoke whatever credit card processing license CardSystems has, to the maximum extent possible by whatever contracts they have in place. Only by making CardSystems a demonstration of what happens to someone who doesn't comply will everyone else realize that they had better comply.

(CardSystems should also face criminal prosecution, but that's unlikely in today's business-friendly political environment.)

I have great hopes for PCI. I like security solutions that involve contracts between companies more than I like government intervention. Often the latter is required, but the former is more effective. Here's PCI's chance to demonstrate their effectiveness.

News articles:
<http://news.bbc.co.uk/2/hi/americas/4107236.stm>
<http://www.computerworld.com/securitytopics/...>
<http://www.merit.edu/mail.archives/netsec/msg00625.html>
<http://businessweek-cnet.com.com/...>
<http://techrepublic.com.com/5254-6257-0.html?...>
<http://news.softpedia.com/news/...>
<http://news.softpedia.com/news/...>

Press releases from CardSystems and MasterCard:
<http://www.cardsystems.com/news.html>
<http://www.mastercardinternational.com/cgi-bin/... >

CISP, SDP, and PCI:
<http://usa.visa.com/business/accepting_visa/...>
<https://sdp.mastercardintl.com/>
<http://usa.visa.com/download/business/...>
<http://usa.visa.com/business/accepting_visa/...>


Noticing Data Misuse

Everyone seems to be looking at their databases for personal information leakages. Here's one article:

"Tax liens, mortgage papers, deeds, and other real estate-related documents are publicly available in on-line databases run by registries of deeds across the state. The Globe found documents in free databases of all but three Massachusetts counties containing the names and Social Security numbers of Massachusetts residents....

"Although registers of deeds said that they are unaware of cases in which criminals used information from their databases maliciously, the information contained in the documents would be more than enough to steal an identity and open new lines of credit...."

Isn't that part of the problem, though? It's easy to say "we haven't seen any cases of fraud using our information," because there's rarely a way to tell where information comes from. The recent epidemic of public leaks comes from people noticing the leak process, not the effects of the leaks. So everyone thinks their data practices are good, because there have never been any documented abuses stemming from leaks of their data, and everyone is fooling themselves.

<http://www.boston.com/business/technology/articles/...>


Indian Call Center Sells Personal Information

There was yet another incident where a call center staffer was selling personal data. The data consisted of banking details of British customers, and was sold by people at an outsourced call center in India.

I predict a spate of essays warning us of the security risks of offshore outsourcing. That's stupid; this has almost nothing to do with offshoring. It's no different than the Lembo case, and that happened in the safe and secure United States.

There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders, and that is mostly independent of outsourcing. Lousy wages, lack of ownership, a poor work environment, and so on can all increase the risk of malicious insiders, but that's true regardless of who owns the call center or in what currency the salary is paid in. Yes, it's harder to prosecute across national boundaries, but the deterrence here is more contractual than criminal.

(On the one hand, since the standard of living is lower in India, it's presumably cheaper to bribe employees. But on the other hand, offshore employees, since they're well-paid by comparison to general salaries, have more incentive to keep their jobs.)

The problem here is people, not corporate or national boundaries.

<http://uk.biz.yahoo.com/050622/323/flt1q.html>
<http://yro.slashdot.org/article.pl?sid=05/06/23/...>

Lembo Case:
<http://www.schneier.com/blog/archives/2005/05/...>
<http://www.computerworld.com/securitytopics/...>


Crypto-Gram Reprints

Crypto-Gram is currently in its eighth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram.html>. These are a selection of articles that appeared in this calendar month in other years.

Due Process and Security:
<http://www.schneier.com/crypto-gram-0407.html#1>

Coca-Cola and the NSA:
<http://www.schneier.com/crypto-gram-0407.html#8>

How to Fight:
<http://www.schneier.com/crypto-gram-0307.html#1>

Crying Wolf:
<http://www.schneier.com/crypto-gram-0307.html#8>

Embedded Control Systems and Security:
<http://www.schneier.com/crypto-gram-0207.html#1>

Phone Hacking: The Next Generation:
<http://www.schneier.com/crypto-gram-0107.html#1>

Monitoring First:
<http://www.schneier.com/crypto-gram-0107.html#5>

Full Disclosure and the CIA:
<http://www.schneier.com/crypto-gram-0007.html#1>

Security Risks of Unicode:
<http://www.schneier.com/crypto-gram-0007.html#9>

The Future of Crypto-Hacking:
<http://www.schneier.com/crypto-gram-9907.html#hacking>

Bungled SSL:
<http://www.schneier.com/crypto-gram-9907.html#doghouse>

Declassifying Skipjack:
<http://www.schneier.com/crypto-gram-9807.html#skip>


Write Down Your Password

Last month, Microsoft's Jesper Johansson made the news when he urged people to write down their passwords. This is good advice, and I've been saying it for years.

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet. Obscure it somehow if you want added security: write "bank" instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don't do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize.

<http://news.com.com/...>

Or you can use PasswordSafe:
<http://www.schneier.com/passsafe.html>


The Adaptability of Iraqi Insurgents

This Newsweek article on the insurgents in Iraq includes an interesting paragraph on how they adapt to American military defenses.

"Counterinsurgency experts are alarmed by how fast the other side's tactics can evolve. A particularly worrisome case is the ongoing arms race over improvised explosive devices. The first IEDs were triggered by wires and batteries; insurgents waited on the roadside and detonated the primitive devices when Americans drove past. After a while, U.S. troops got good at spotting and killing the triggermen when bombs went off. That led the insurgents to replace their wires with radio signals. The Pentagon, at frantic speed and high cost, equipped its forces with jammers to block those signals, accomplishing the task this spring. The insurgents adapted swiftly by sending a continuous radio signal to the IED; when the signal stops or is jammed, the bomb explodes. The solution? Track the signal and make sure it continues. Problem: the signal is encrypted. Now the Americans are grappling with the task of cracking the encryption on the fly and mimicking it-so far, without success. Still, IED casualties have dropped, since U.S. troops can break the signal and trigger the device before a convoy passes. That's the good news. The bad news is what the new triggering system says about the insurgents' technical abilities."

The CIA is worried that Iraq is becoming a far more effective breeding ground for terrorists than Afghanistan ever was, because they get real-world experience with urban terrorist-style combat.

<http://www.msnbc.msn.com/id/8272786/site/newsweek/>


News

Airplane security is getting surreal: "...FAA regulation that requires soldiers -- all of whom were armed with an arsenal of assault rifles, shotguns and pistols -- to surrender pocket knives, nose hair scissors and cigarette lighters."
<http://www.ajc.com/news/content/custom/blogs/guard/...>
"A foolish consistency is the hobgoblin of little minds." -- Ralph Waldo Emerson

This is from 2003, but I had not seen it before: "Analysis of the MediaMax CD3 Copy-Prevention System."
<http://www.cs.princeton.edu/~jhalderm/cd3/>

The story about Dell Computers selling machines with hardware keyboard loggers built in is a hoax.
<http://c0x2.de/lol/lol.html>
<http://www.snopes.com/computer/internet/dellbug.asp>

The Underhanded C Contest is, as far as I know, the only security-related programming contest. The object is to write clear, readable C code with hidden malicious behavior; in other words, to hide evil stuff in code that passes visual inspection of source by other programmers.
<http://www.brainhz.com/underhanded/>

Here's an interesting application of DNA identification. It's a spray that triggers if a door is opened, spraying the burglar with a powder. Then, instead of searching for your DNA at the crime scene, the police search for the crime-scene DNA on you.
<http://news.bbc.co.uk/1/hi/wales/north_east/4566991.stm>

Dell Computer demands to know what you're going to use your new computer for, because of the PATRIOT Act.
<http://www.skippy.net/blog/2005/06/09/...>

Seagate has introduced a hard drive with full-disk encryption.
<http://www.computerworld.com/securitytopics/...>
<http://www.eweek.com/article2/0,1759,1825740,00.asp>
Here's the press release, and here's the product spec sheet. Ignore the "TDEA 192" nonsense. It's a typo; the product uses triple-DES, and the follow-on product will use AES.
<http://www.seagate.com/cda/newsinfo/newsroom/...>
<http://www.seagate.com/content/docs/pdf/marketing/...>

Good interview with Marcus Ranum:
<http://www.securityfocus.com/columnists/334>

The U.S. Justice Department wants your ISP to spy on you:
<http://news.com.com/Your+ISP+as+Net+watchdog/...>

Great editorial from Wired on identity theft. It includes specific recommendations to Congress.
<http://wired.com/news/privacy/0,1848,67845,00.html>

I'm not going to doghouse this, because it seems like good technology that has been mauled by dumb PR agents: "The newly developed network, said the researchers, is compatible with existing Internet protocols, which means that current Internet applications will be able to use standard transmission techniques and even high-level encryption up to and beyond 256 bits, which is currently double the amount considered essential for secure Internet transactions."
<http://www.wirelessnewsfactor.com/story.xhtml?...>

A security analysis of Diebold's Opti-Scan (paper ballot) voting machine.
<http://www.bbvforums.org/cgi-bin/forums/...>

An amusing Flash animation featuring a musical opinion of Clarke's proposed UK national ID card.
<http://eclectech.co.uk/clarkeidcards.php>

Interesting story on the black market for data in Moscow:
<http://attrition.org/errata/dataloss/russia02.html>

Here's a body-scan technology -- Millimeter-Wave Detection -- that's less invasive than backscatter X-ray technology.
<http://www.brijot.com/>

The Hymn Project exists to break the iTunes mp4 copy-protection scheme, so you can hear the music you bought on any machine you want. Initially, the software recovered your iTunes password (your key, basically) from your hard drive. In response, Apple obfuscated the format and no one has yet figured out how to recover the keys cleanly. To get around this, they developed a program called FairKeys that impersonates iTunes and contacts the server. Since the iTunes client can still get your password, this works. More security by inconvenience, and yet another illustration of the never-ending arms race between attacker and defender.
<http://www.hymn-project.org/>
<http://www.hymn-project.org/jhymndoc/...>

I got some really good quotes in this New York Times article on identity theft.
<http://www.nytimes.com/2005/07/09/business/...>

Interesting article on the particular art form of street photography. One ominous paragraph: "More onerous are post-9/11 restrictions that have placed limits on photographing in public settings. Tucker has received e-mails from professionals detained by authorities for photographing bridges and elevated trains. 'There are places where photographing people on the street may become illegal,'" observes Westerbeck." Sad.
<http://csmonitor.com/2005/0708/p12s01-alar.html>

Police have arrested a man for using someone else's wireless Internet network without permission. Near as I can tell, there was no other criminal activity involved. The man who used someone else's wireless wasn't doing anything wrong with it; he was just using the Internet. I believe this is the first criminal case involving this fairly common practice.
<http://www.cnn.com/2005/LAW/07/07/wi.fi.theft.ap/...>

A recently published book claims that Himmler was murdered by the British Special Operations Executive, rather than committing suicide after the Allies captured him. The book was based on documents found -- apparently in good faith -- in the UK's National Archive, which now appear to have been faked and inserted. It seems that the security effort at the National Archives is directed towards preventing people from removing documents. But the effects of adding forged documents could be much worse.
<http://news.telegraph.co.uk/news/main.jhtml?xml=/...>
<http://opinion.telegraph.co.uk/opinion/main.jhtml?...>

I've already written about the stupidity of worrying about cell phones on airplanes. Now the Department of Homeland Security is worried about broadband Internet, and wants the ability to begin eavesdropping on any passenger's internet use within 10 minutes of obtaining court authorization. Terrorists never use SSH, after all. (I suppose that's the next thing the DHS is going to try to ban.)
<http://wirednews.com/news/technology/...>

NIST (The United States' National Institute of Standards and Technology) has released a draft of "Special Publication 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography." They're looking for comments before the document is finalized. Send comments to ebarker@nist.gov by Friday, August 19th, with "Comments on SP800-56" in the subject line.
<http://csrc.nist.gov/CryptoToolkit/kms/...>

Secure RSS syndication:
<http://www.xml.com/pub/a/2005/07/13/secure-rss.html>

I was going to write something about the foolishness of adding cameras to public spaces as a response to terrorism threats, but Scott Henson said it already.
<http://gritsforbreakfast.blogspot.com/2005/07/...>

According to the London Times: "Security sources confirmed that none of the bombers was on any MI5 file, although one had links to a person investigated by police."
<http://www.timesonline.co.uk/article/...>


Organized Retail Theft

There are two distinct shoplifting threats: petty shoplifting and Organized Retail Theft. "ORT crime is separate and distinct from petty shoplifting in that it involves professional theft rings that move quickly from community to community and across state lines to steal large amounts of merchandise that is then repackaged and sold back into the marketplace. Petty shoplifting, as defined, is limited to items stolen for personal use or consumption."

Their list of 50 most shoplifted items consists of small, expensive things with long shelf life: over-the-counter drugs, mostly.

#1 Advil tablet 50 ct
#2 Advil tablet 100 ct
#3 Aleve caplet 100 ct
#4 EPT Pregnancy Test single
#5 Gillette Sensor 10 ct
#6 Kodak 200 24 exp
#7 Similac w/iron powder - case
#8 Similac w/iron powder - single can
#9 Preparation H 12 ct
#10 Primatene tablet 24 ct

<http://www.fmi.org/loss/ORT/>
<http://www.fmi.org/loss/ORT/top50_shoplifted_items.pdf>


The Doghouse: Privacy.li

This company has a heartwarming description on its website: "Privacy from the Principality of Liechtenstein, in the heart of the Alps, nestled between Switzerland and Austria. In times of turmoil and insecurity, witch hunt and suspicions, expropriations and diminishing credibility of our world leaders it's always good to have a place you can turn to. This is the humble effort to provide a place to the privacy and freedom concerned world citizens to meet, discuss, help each other and foster ones desire for liberty and freedom."

But they have no intention of letting their customers know anything about themselves: "Company Profile -- Actually, this is not to be published here:-) A privacy service like ours is best if not too many details are known, we hope you fully understand and support this. The makers of this page are veterans at the chosen subject, and will under no circumstances jeopardize your privacy."

Oh yeah, and the "DriveCrypt" product they sell includes "real Time, 1344 bit - Military Strength encryption."

Somehow, my heart is no longer warm.

<http://www.privacy.li/>
<http://www.privacy.li/drivecrypt.htm>


SHA-1 Cryptanalysis

In February, I wrote about a group of Chinese researchers who broke the SHA-1 hash function. That posting was based on short notice from the researchers. Since then, many people have written me asking about the research and the actual paper, some questioning the validity of the research because of the lack of documentation.

The paper did exist; I saw a copy. They will present it at the Crypto conference in August. I believe they didn't post it because Crypto requires that submitted papers not be previously published, and they misunderstood that to mean that it couldn't be widely distributed in any way.

Now there's a copy of the paper on the Web. You can read "Finding Collisions in the Full SHA-1," by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu.

The paper:
<http://cryptome.org/wang_sha1_v2.zip>

<http://www.schneier.com/blog/archives/2005/02/...>
<http://theory.csail.mit.edu/~yiqun/shanote.pdf>


Security Skins

Much has been written about the insecurity of passwords. Aside from being guessable, people are regularly tricked into providing their passwords to rogue servers because they can't distinguish spoofed windows and webpages from legitimate ones.

There's a clever scheme by Rachna Dhamija and Doug Tygar at the University of California Berkeley that tries to deal with the problem. It's called "Dynamic Security Skins," and it's a pair of protocols that augment passwords.

First, the authors propose creating a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user's personal image, it is safe for the user to enter his password.

Second, to prove its identity, the server generates a unique abstract image for each user and each transaction. This image is used to create a "skin" that automatically customizes the browser window or the user interface elements in the content of a webpage. The user's browser can independently reach the same image that it expects to receive from the server. To verify the server, the user only has to visually verify that the images match.

Not a perfect solution by any means -- much Internet fraud bypasses authentication altogether and this system is susceptible to man-in-the-middle attacks -- but two clever ideas that use visual cues to ensure security. You can also verify server authenticity by inspecting the SSL certificate, but no one does that. With this scheme, the user has to recognize only one image and remember one password, no matter how many servers he interacts with. In contrast, the recently announced Site Key (Bank of America's implementation of the Passmark scheme) requires users to save a different image with each server.

The paper:
<http://www.tygar.net/papers/Battle_against_phishing.pdf>

SiteKey and Passmark:
<http://www.bankofamerica.com/privacy/passmark/>
<http://www.passmarksecurity.com/main.jsp>

Limits of authentication:
<http://www.schneier.com/blog/archives/2005/03/...>


Counterpane News

Counterpane's second-quarter results:
<http://www.counterpane.com/pr-20050715.html>

Counterpane is seeking talents to fill openings in operations and sales:
<http://www.counterpane.com/jobs.html>

Review of Beyond Fear:
<http://www.securitypipeline.com/...>

Review of Secrets and Lies:
<http://www-128.ibm.com/developerworks/rational/...>

In December, I gave a long interview to a literary magazine called Turnrow. That interview was finally published, and it's even better than I remembered.
<http://turnrow.ulm.edu/bruceschneierinterview.htm>


Evaluating the Effectiveness of Security Countermeasures

Amidst all the emotional rhetoric about security, it's nice to see something well-reasoned. A New York Times op-ed by Nicholas Kristof earlier this month looks at security as a trade-off, and makes a distinction between security countermeasures that reduce the threat and those that simply shift it.

I wrote about this in Beyond Fear: "A burglar who sees evidence of an alarm system is more likely to go rob the house next door. As far as the local police station is concerned, this doesn't mitigate the risk at all. But for the homeowner, it mitigates the risk just fine."

The difference is the perspective of the defender.

Problems with perspectives show up in counterterrorism defenses all the time. Also from Beyond Fear: "It's important not to lose sight of the forest for the trees. Countermeasures often focus on preventing particular terrorist acts against specific targets, but the scope of the assets that need to be protected encompasses all potential targets, and they all must be considered together. A terrorist's real target is morale, and he really doesn't care about one physical target versus another. We want to prevent terrorist acts everywhere, so countermeasures that simply move the threat around are of limited value. If, for example, we spend a lot of money defending our shopping malls, and bombings subsequently occur in crowded sports stadiums or movie theaters, we haven't really received any value from our countermeasures."

<http://www.newsobserver.com/print/thursday/opinion/...>

I like seeing thinking like this in the media, and wish there were more of it.


Speeding Ticket Avoidance

No matter what you think about the morality of speeding, this is a very popular security-related field...and one that every driver is at least somewhat interested in.

The Radarbusters site is run by an ex-policeman, and feels authoritative. He places a lot of emphasis on education; installing a fancy radar detector isn't doing to do much for you unless you know how to use it correctly. (He also sells the radar detector he recommends.)
<http://www.radarbusters.com/>

Here's a product that seems to counter the threat of aerial license-plate scanners.
<http://www.radarbusters.com/products/photo-radar/...>
<http://www.schneier.com/blog/archives/2005/04/...>

This spray claims to make your license plate invisible to cameras. I have no idea if it works.
<http://www.phantomplate.com/>

One final note: the ex-cop is offering a $5,000 reward for the first person who can point him to a passive laser jammer that works.
<http://www.radarjammer.com/get-5000/index.htm>


Redefining Spyware

The problem with spyware is that it can be in the eye of the beholder. There are companies that decry the general problem, but have their own software report back to a central server.

This kind of thing can result in a conflict of interest: "Spyware is spyware only if I don't have a corporate interest in it." Here's the most recent example: "Microsoft's Windows AntiSpyware application is no longer flagging adware products from Claria Corp. as a threat to PC users. Less than a week after published reports of acquisition talks between Microsoft Corp. and the Redwood City, Calif.-based distributor of the controversial Gator ad-serving software, security researchers have discovered that Microsoft has quietly downgraded its Claria detections. "

If you're a user of AntiSpyware, you can fix this. Claria's spyware is now flagged as "Ignore" by default, but you can still change the action to "Quarantine" or "Remove." I recommend "Remove."

<http://www.eweek.com/article2/0,1895,1834607,00.asp>


Talking to Strangers

In Beyond Fear I wrote: "Many children are taught never to talk to strangers, an extreme precaution with minimal security benefit."

In talks, I'm even more direct. I think "don't talk to strangers" is just about the worst possible advice you can give a child. Most people are friendly and helpful, and if a child is in distress, asking the help of a stranger is probably the best possible thing he can do.

This advice would have helped Brennan Hawkins, the 11-year-old boy who was lost in the Utah wilderness for four days last month. He avoided people searching for him because he had been taught not to talk to strangers.

In a world where good guys are common and bad guys are rare, assuming a random person is a good guy is a smart security strategy. We need to help children develop their natural intuition about risk, and not give them overbroad rules.

Also in Beyond Fear, I wrote:

"As both individuals and a society, we can make choices about our security. We can choose more security or less security. We can choose greater impositions on our lives and freedoms, or fewer impositions. We can choose the types of risks and security solutions we're willing to tolerate and decide that others are unacceptable.

"As individuals, we can decide to buy a home alarm system to make ourselves more secure, or we can save the money because we don't consider the added security to be worth it. We can decide not to travel because we fear terrorism, or we can decide to see the world because the world is wonderful. We can fear strangers because they might be attackers, or we can talk to strangers because they might become friends."

<http://wireservice.wired.com/wired/story.asp?...>


Comments from Readers

From: "Richard M. Conlan" <kaige embracetherandom.com>
Subject: Stupid People Buy Fake Concert Tickets
Your analysis includes the assumption that the system is actually used as you profess. In practice I have purchased and printed TicketMaster online tickets for a number of shows and NEVER has the venue actually scanned the tickets. Knowing that, people may expect that even a scalped ticket would get them in...all depends on the shows and the venue. Admittedly, the shows I am referencing are not necessarily big-name shows or at big-name venues, but the point remains.
Along the same lines, I keep wondering how hard it would be for somebody to write a virus that checked mailboxes on POP servers for e-mails including "ticketmaster" in the FROM address with attached PDFs and sending the PDFs to a central location.
The above is especially useful if a scalper takes the tickets, sells one copy and just tells the individuals to get there early (i.e., before the valid ticket holders). Then the VALID ticket holders get denied access...or come to find innocent scam-victims sitting in their seats.

From: Paul Schumacher <psch optonline.net>
Subject: Forget X-ray strip-searches
Using soft X-rays to examine people for weapons is just the foot in the door. What happens when police cars are equipped with it, scanning people on the street for proscribed items? Will aluminized clothing become vogue, just for the privacy, or will that become proscribed as well?
Worse is terahertz imaging radar. Like soft X-ray backscatter, it can see through clothing. Unlike it, it can also see through walls. I can imagine police vans cruising residential streets, performing searches of homes without having to enter the home. They could claim no search warrant is needed because they do not even enter the property, let alone the home. Combined with image recognition computers, a scan-search of a home could be done very quickly.
The questions become:
1. will the police be permitted to immediately break in and arrest people found this way possessing contraband, much like police observing a crime through an open window?
2. Will soft X-ray and terahertz imaging radar be allowed to be used to perform scan-searches of people on the street, especially without their knowledge or permission?
3. Will the courts allow such evidence in court, or as grounds for a legal search warrant?
4. Will passive countermeasures to soft X-ray backscatter and terahertz imaging radar be proscribed for public use, much like bullet-proof vests are in many areas? (Aluminized clothing and drapes on windows, aluminum sheathing on walls and ceiling, metalized or virtual windows).
With the anti-privacy policies of the current administration, I can see an era where our fourth amendment rights may become meaningless.
Back in the 1960s and 1970s, there was a public outcry about governmental computer data bases on individuals, and Congress virtually outlawed them. Today, they are as common as cockroaches in a slum. This technology will have the same creep into our daily lives.

From: "Thomas Bryce, M.D." <bryce miyako.org>
Subject: U.S. Medical Privacy Law Gutted
> The healthcare industry has been opposed to HIPAA from the
> beginning, because it puts constraints on their business in
> the name of security and privacy.
Many physicians such as myself are opposed to the protected information portions of HIPAA (which is fairly comprehensive legislation dealing with a number of topics), not because it puts constraints on business, but because it simply is not the federal government's business to regulate the flow of medical information.
The practice of medicine and the protection of patients has always been strictly in the domain of the states and the privacy regulations of HIPAA are no more than an attempt by Washington to continue to creep and expand its authority and influence to cover every aspect of government of our nation.
Beyond the fact that the federal government has no business regulating the practice of medicine, HIPAA is simply... stupid. The regulations are ridiculously stringent and absurd for no justifiable reason. For example, HIPAA purports (I believe HIPAA to be unconstitutional and hence invalid -- thus the use of the word "purports") to proscribe a physician giving information regarding a patient to third parties except with the patient's express consent or in certain circumstances.
This means that a physician receiving a phone call, for example from a patient's relative asking for information about the patient, cannot provide that information unless the patient has previously given their express consent.
This is (1) simply stupid. The physician should use their judgment about the medical situation and its character/seriousness, and whatever knowledge they have of the patient and their family, and make a determination regarding whether or not it is appropriate to talk to that family member. And (2) even if not stupid, simply not the federal government's business. This kind of stuff is regulated on the state level.

From: Jeff Bee <jeff.bee sbcglobal.net>
Subject: Re: Risks of Pointy Knives
As a woodworker, engineer, and connoisseur of good knives and sharp things in general, I can identify some of the reasons for the continued existence of pointy ends on longer blades, in the order of what I believe to be greatest to least effect.
1. Consumer expectations: Same reason most vacuum cleaners are intentionally much louder than necessary. People subconsciously equate the effectiveness of the vacuum with its noise level, and if you give the buying public a pencil and ask them to draw a knife, they will give it a pointy end. Whether this is a bow to knives' potential use as a weapon, or a demonstration of the inertia of public perception is a matter for a different letter.
2. Mechanics of balance: Most users are comfortable with a blade that has a balance point (more accurately, the center of the moment of inertia, for fellow nerds) close to the transition from handle to blade. If a blade is longer than the handle it is attached to, the simplest means of maintaining the proper balance it to taper the blade. If a blade tapers in thickness, intuitive design dictates that it should also taper in width, maintaining a relatively constant aspect ratio in cross section. This results in a point.
3. Mechanics of curved cuts: The minimum radius of a concave curved cut that a knife can make is limited by the width of the blade. In order to maximize utility, some portion of a blade should be very narrow if curved cuts are intended. Mechanics of materials dictates that the narrow portion should be at the end of a tapering blade; in other words, it should come to a point.
4. Mechanics of cutting in swung blades: Blades that are intended to be used dynamically, or swung, such as a machete, can actually require a point for best effect. As you know, a slicing cut is most often more effective than simply forcing a blade into a material perpendicular to the edge. There are two reasons for this which I won't go into here; suffice to say that in order to achieve this slicing motion in a swung blade, the cutting edge is set at an angle to the direction of travel. This can result in a curved blade, as in the scimitar, or more commonly, a long blade that tapers to a point. This doesn't apply to kitchen knives, as most aren't swung, and cleavers are intended to cut by wedging, as slicing is ineffective on rigid materials such as bone.
I have always carried knives when I'm out and about. I also usually carry some form of pliers, a flashlight, a pen; in one word, tools. My primary knife is a tanto-blade 3.95" lockblade clipped into my pocket, and sometimes it is visible. From time to time I am questioned on why I'm carrying a weapon, and have to explain the following:
I have never, and hopefully never will use a knife in self-defense and certainly not in anger for the simple fact that a knife is only an effective weapon in a very few situations where you have an element of surprise and intend to permanently disable or more likely kill your opponent outright. I don't put myself in those type of situations.
The situation I am more likely to encounter is a belligerent attack borne out of anger or intent of robbery. In this situation, I don't want to kill, but only temporarily disable or merely slow down my opponent enough to get away, a very poor task for a knife. Deep puncture wounds from stabbing or lacerations from slicing do not disable unless very carefully placed, leaving you with an enraged attacker, a slippery sharp blade in your hand, and very likely legal charges of assault with a deadly weapon.
I do not think that availability of pointy knives should be placed in the same security category as handguns for two reasons. One, long pointy knives have more legitimate uses than defense or attack. And two, pointy knives, or any knife, derives its effectiveness from the skill and strength of the user. Handguns derive their effectiveness from stored chemical energy and require almost no skill to create deadly force.
At the end of the day, security risk lies not in the tools a person uses to attack others; it lies in the intent of the mind wielding the tools. Deprived of one tool, a person with intent will choose another. Mathematically, you can consider this unbounded, iteration without end; therefore, we would be better from an efficiency standpoint to attempt to limit the causes of intent and vulnerability to attack rather than the tools of attack.

From: Rob Isaac <rob automagic.org>
Subject: Re: Risks of Pointy Knives
Why are long knives pointy? Mechanical engineering, cost efficiency, and tradition.
European long knives are traditionally made by a stock removal method -- the cutting edge is created by grinding away metal to reach the shape of the blade. Knives are pointy at the end because it's easier to reach that shape when you're grinding the edge into a curve.
There's also a cost implication, because although the point of a long knife is rarely used to stab anything in a cooking context, the cutting surface is used all the way to the end of the knife, which naturally leads to a point. If you want to make a knife that's missing the last half inch or so of cutting edge, then you really need to make the whole knife a half inch longer to achieve the same utility. The stock removal approach means you have to start with a bigger piece of steel.
The tradition aspect is simple. Knives of any kind are evolved from designs that are thousands of years old, and people's impressions of what a knife should look like and how it should be used are hard to change. There's no universally agreed point at which a knife becomes too long to be used for stabbing things as well as cutting them. When most of the well-known, high quality mass-produced chefs knives in the world are made in the same handful of German towns they've been made in for the past three hundred years, and people are still buying them, there's little incentive to mess with the formula.

From: Anonymous
Subject: Re: Public Disclosure of Personal Data Loss
Bruce, your comments on Data Loss were spot on. Yes, it has been going on for years and yes, the sensitivity of the public to such losses will decline.
You closed with, "Public disclosure is good. But it's not enough." The answer to your implied question about how we solve this mess currently lies in regulatory oversight. Most of the companies that have suffered public disclosures of personal data loss are financial service organizations governed by regulators. Behind the scenes, the regulators are making it very clear that they are dissatisfied with the current levels of controls over personally identifiable information and expect significant changes to be made. The regulated companies are responding, because they have to.
Those companies that have suffered losses, but which are not regulated (e.g., ChoicePoint), clearly do not want such incidents to provide a reason for Congress to add them to the list of regulated entities. This provides a clear incentive for the non-regulated companies to make changes.
The other driving force is outsourcing. No country supports the outsourcing of jobs to another country and will use any excuse to prevent or limit the loss of jobs. One argument that is receiving a great deal of attention in Congress is that the offshore outsourcing companies have poor security and present an increased risk of data loss. Whether the argument is based in fact or not, it attracts significant public support. Any company that is heavily dependent on offshore outsourcing of personal information processing understands the potential risk that the government may place significant limitations on moving data offshore and realizes that it must take steps to ensure the public that their data is protected. In most cases, if the company devises ways to protect data as it moves offshore, it will be able to use the same processes domestically.
I'm not worried about whether U.S. companies get the message. I'm more worried about whether they will be able to devise solutions quickly enough that effectively and efficiently address the issue. Because if they are unsuccessful, we should we all go out and buy stock in Brinks.

From: "Nick Swift" <nick swift.me.uk>
Subject: Re: REAL ID
In response to Petri Aukia on IDs: There is a subtle difference you have not alluded to with regards to the European and American driver's licenses and their privacy implications.
The Finnish and French (most likely all other EU driver's licenses as well) do not have the home address of the driver. They serve to document your existence, name, photo, signature, Social Security number, and the types of vehicles you are allowed to drive. Pictograms and standardized numbers and locations of datum are used so that a patrol officer can read a license from any EU country.
Each country has a mechanism to map from the Social Security number or the local equivalent to the current home address of the driver, but this is available only to the government and the companies you have given the right to know of your address (magazines, newspapers, and the like).
UK driving licenses show the holder's home address -- this is item 8 in the EU model license. This item is optional but appears on many photo licenses: e.g., this document about Spain.
<http://europa.eu.int/comm/transport/home/...>
The actual requirements for a license are shown here:
<http://europa.eu.int/eur-lex/en/consleg/pdf/1991/...>
Note that Social Security number is not required to be part of the license.

From: Brad Knowles <brad stop.mail-abuse.org>
Subject: Re: REAL ID
In the "Comments from Readers" section, Julien Maisonneuve said: "In addition to your mention of European legal frameworks protecting data (which are not as complete and as prevalent across the union as one may wish), the very notion of identity theft is almost unknown in Europe. There are many causes, many linked to the limited benefits you can draw from 'identity' by itself. This is including the absence of credit rating as it exists in the U.S., and different procedures to open bank accounts and get access to their resources."
There are other side-effects to this issue. For one, knowing someone's bank account number is enough to be able to send them money, but not withdraw it. Many businesses will print their bank account numbers on their letterhead, and some people will put their bank account numbers on their business cards. There's no risk of having this information "stolen," because the banks don't allow you to withdraw money by knowing only the bank account number, and this makes it much easier to transfer money to someone electronically. This is a large part of the reason why no one uses checks anymore in Europe -- it's faster and easier to transfer the money electronically.
On the other hand, trying to set up electronic payment to U.S. accounts is a pain-in-the-ass. I've tried to do it through my bank. If they already have a record of the organization in question, it may only take two or three months to set up electronic billing and payment. It's not nearly so painful to do that in Europe.
Many European banks will create their own customized software to do all electronic banking, and this software will not only run on Windows but also on Macintosh and Linux. Just about everything you can do by going to an ATM or visiting a branch in person can be done with this software, either in offline mode or in the online module.
There's another side-effect -- European banks and money lending institutions don't validate credit cards online. They have to go through a manual process which takes hours to days to process, frequently involving manual intervention and the use of fax machines. This makes it very painful to do online shopping when the merchant requires online validation. This makes it impossible to use any online storefront where online validation is the only choice available.
Even though they're Visa cards, and they have the Visa logo and hologram on them, they're not recognized as Visa cards because the first few digits of the card indicate that they are not issued to a U.S. banking institution. If you rent cars from Avis, just tell them that the renter's address is overseas, and you can rent a vehicle on a check card, which is something that they don't normally allow.

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Comments on CRYPTO-GRAM should be sent to schneier@schneier.com. Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.

Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2005 by Bruce Schneier.

later issue
earlier issue
back to Crypto-Gram index

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..