Crypto-Gram

September 15, 2005

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
<http://www.schneier.com>
<http://www.counterpane.com>

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0509.html>. These same essays appear in the “Schneier on Security” blog: <http://www.schneier.com/>. An RSS feed is available.



Movie-Plot Threats

Sometimes it seems like the people in charge of homeland security spend too much time watching action movies. They defend against specific movie plots instead of against the broad threats of terrorism.

We all do it. Our imaginations run wild with detailed and specific threats. We imagine anthrax spread from crop dusters. Or a contaminated milk supply. Or terrorist scuba divers armed with almanacs. Before long, we’re envisioning an entire movie plot, without Bruce Willis saving the day. And we’re scared.

Psychologically, this all makes sense. Humans have good imaginations. Box cutters and shoe bombs conjure vivid mental images. “We must protect the Super Bowl” packs more emotional punch than the vague “we should defend ourselves against terrorism.”

The 9/11 terrorists used small pointy things to take over airplanes, so we ban small pointy things from airplanes. Richard Reid tried to hide a bomb in his shoes, so now we all have to take off our shoes. Recently, the Department of Homeland Security said that it might relax airplane security rules. It’s not that there’s a lessened risk of shoes, or that small pointy things are suddenly less dangerous. It’s that those movie plots no longer capture the imagination like they did in the months after 9/11, and everyone is beginning to see how silly (or pointless) they always were.

Commuter terrorism is the new movie plot. The London bombers carried bombs into the subway, so now we search people entering the subways. They used cell phones, so we’re talking about ways to shut down the cell-phone network.

It’s too early to tell if hurricanes are the next movie-plot threat that captures the imagination.

The problem with movie plot security is that it only works if we guess right. If we spend billions defending our subways, and the terrorists bomb a bus, we’ve wasted our money. To be sure, defending the subways makes commuting safer. But focusing on subways also has the effect of shifting attacks toward less-defended targets, and the result is that we’re no safer overall.

Terrorists don’t care if they blow up subways, buses, stadiums, theaters, restaurants, nightclubs, schools, churches, crowded markets or busy intersections. Reasonable arguments can be made that some targets are more attractive than others: airplanes because a small bomb can result in the death of everyone aboard, monuments because of their national significance, national events because of television coverage, and transportation because most people commute daily. But the United States is a big country; we can’t defend everything.

One problem is that our nation’s leaders are giving us what we want. Party affiliation notwithstanding, appearing tough on terrorism is important. Voting for missile defense makes for better campaigning than increasing intelligence funding. Elected officials want to do something visible, even if it turns out to be ineffective.

The other problem is that many security decisions are made at too low a level. The decision to turn off cell phones in some tunnels was made by those in charge of the tunnels. Even if terrorists then bomb a different tunnel elsewhere in the country, those people did their job.

And anyone in charge of security knows that he’ll be judged in hindsight. If the next terrorist attack targets a chemical plant, we’ll demand to know why more wasn’t done to protect chemical plants. If it targets schoolchildren, we’ll demand to know why that threat was ignored. We won’t accept “we didn’t know the target” as an answer. Defending particular targets protects reputations and careers.

We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn’t make arbitrary assumptions about the next terrorist act. We need to spend more money on intelligence and investigation: identifying the terrorists themselves, cutting off their funding, and stopping them regardless of what their plans are. We need to spend more money on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy and how it helps or hinders terrorism.

These vague things are less visible, and don’t make for good political grandstanding. But they will make us safer. Throwing money at this year’s movie plot threat won’t.

This essay was originally published in Wired:
<http://www.wired.com/news/business/0,1367,68789,00.html>

I am now doing a biweekly column for them. You can read the essays at Wired.com, or you can wait until I reprint them in Crypto-Gram.


Katrina and Security

Leaving aside the political posturing and the finger-pointing, how did our nation mishandle Katrina so badly? After spending tens of billions of dollars on homeland security (hundreds of billions, if you include the war in Iraq) in the four years after 9/11, what did we do wrong? Why were there so many failures at the local, state and federal levels?

These are reasonable questions. Katrina was a natural disaster and not a terrorist attack, but that only matters before the event. Large-scale terrorist attacks and natural disasters differ in cause, but they’re very similar in aftermath. And one can easily imagine a Katrina-like aftermath to a terrorist attack, especially one involving nuclear, biological or chemical weapons.

Improving our disaster response was discussed in the months after 9/11. We were going to give money to local governments to fund first responders. We established the Department of Homeland Security to streamline the chains of command and facilitate efficient and effective response.

The problem is that we all got caught up in “movie-plot threats,” specific attack scenarios that capture the imagination and then the dollars. Whether it’s terrorists with box cutters or bombs in their shoes, we fear what we can imagine. We’re searching backpacks in the subways of New York, because this year’s movie plot is based on a terrorist bombing in the London subways.

Funding security based on movie plots looks good on television, and gets people reelected. But there are millions of possible scenarios, and we’re going to guess wrong. The billions spent defending airlines are wasted if the terrorists bomb crowded shopping malls instead.

Our nation needs to spend its homeland security dollars on two things: intelligence-gathering and emergency response. These two things will help us regardless of what the terrorists are plotting, and the second helps against both terrorist attacks and natural disasters.

Katrina demonstrated that we haven’t invested enough in emergency response. New Orleans police officers couldn’t talk with each other after power outages shut down their primary communications system—and there was no backup. The Department of Homeland Security, which was established in order to centralize federal response in a situation like this, couldn’t figure out who was in charge or what to do, and actively obstructed aid by others. FEMA did no better, and thousands died while turf battles were being fought.

Our government’s ineptitude in the aftermath of Katrina demonstrates how little we’re getting for all our security spending. It’s unconscionable that we’re wasting our money fingerprinting foreigners, profiling airline passengers, and invading foreign countries while emergency response at home goes underfunded.

Money spent on emergency response makes us safer, regardless of what the next disaster is, whether terrorist-made or natural.

This includes good communications on the ground, good coordination up the command chain, and resources—people and supplies—that can be quickly deployed wherever they’re needed.

Similarly, money spent on intelligence-gathering makes us safer, regardless of what the next disaster is. Against terrorism, that includes the NSA and the CIA. Against natural disasters, that includes the National Weather Service and the National Earthquake Information Center.

Katrina deftly illustrated homeland security’s biggest challenge: guessing correctly. The solution is to fund security that doesn’t rely on guessing. Defending against movie plots doesn’t make us appreciably safer. Emergency response does. It lessens the damage and suffering caused by disasters, whether man-made, like 9/11, or nature-made, like Katrina.

This essay was originally published in the Minneapolis Star Tribune:
<http://www.startribune.com/stories/562/5606306.html>

My preliminary thoughts are here:
<https://www.schneier.com/blog/archives/2005/09/…>


The Keys to the Sydney Subway

Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.

This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them.

Unfortunately, this isn’t a thief who got lucky. It happened twice in Sydney, and it’s possible that the keys were the target.

So, what can someone do with the master key to the Sydney subway? It’s more likely a criminal than a terrorist, but even so it’s definitely a serious issue.

I don’t know if RailCorp should change the locks. I don’t know the risk: whether that “range of security measures” only protects against train theft—an unlikely scenario, if you ask me—or other potential scenarios as well. And I don’t know how expensive it would be to change the locks.

Another problem with global secrets is that it’s expensive to recover from a security failure.

And this certainly isn’t the first time a master key fell into the wrong hands: “[RailCorp chief executive Vince] Graham said there was no point changing any of the metropolitan railway key locks.

“‘We could change locks once a week but I don’t think it reduces in any way the security threat as such because there are 2000 of these particular keys on issue to operational staff across the network and that is always going to be, I think, an issue.’”

A final problem with global secrets is that it’s simply too easy to lose control of them.

Moral: Don’t rely on global secrets.

<https://www.schneier.com/blog/archives/2005/09/…>
<http://smh.com.au/news/national/…>
<http://news.ninemsn.com.au/article.aspx?id=15096>
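
The granularity and recovery-cost arguments above carry over directly to digital credentials. The following Python sketch is an added illustration, not part of the original newsletter: it contrasts one secret shared by 2000 holders with per-holder keys derived from a root that never leaves the lock. The class names, the staff identifiers and the HMAC-based derivation are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class GlobalSecretLock:
    """One secret shared by every holder: the master-key model."""

    def __init__(self, holders):
        self.holders = list(holders)
        self._secret = secrets.token_bytes(32)

    def issue(self, holder):
        # Every holder receives a copy of the same secret.
        return self._secret

    def opens(self, credential):
        return hmac.compare_digest(credential, self._secret)

    def revoke(self, holder):
        # No granularity: shutting out one copy means changing the lock,
        # which invalidates every copy. Returns how many must be reissued.
        self._secret = secrets.token_bytes(32)
        return len(self.holders)


class PerHolderLock:
    """Each holder gets a distinct key derived from a root kept in the lock."""

    def __init__(self, holders):
        self._root = secrets.token_bytes(32)
        self._epoch = {h: 0 for h in holders}  # bumped on revocation

    def _derive(self, holder):
        msg = holder.encode() + b"\x00" + self._epoch[holder].to_bytes(4, "big")
        return hmac.new(self._root, msg, hashlib.sha256).digest()

    def issue(self, holder):
        return self._derive(holder)

    def opens(self, holder, credential):
        if holder not in self._epoch:
            return False
        return hmac.compare_digest(credential, self._derive(holder))

    def revoke(self, holder):
        # Only the lost key changes; everyone else keeps working.
        self._epoch[holder] += 1
        return 1


def compare(n_holders=2000):
    """Lose one credential under each model and report what recovery costs."""
    holders = [f"staff-{i:04d}" for i in range(n_holders)]  # constructed names
    thief, bystander = holders[7], holders[8]

    shared = GlobalSecretLock(holders)
    stolen = shared.issue(thief)
    bystander_copy = shared.issue(bystander)
    result = {"global_stolen_opens_before": shared.opens(stolen)}
    result["global_reissue_cost"] = shared.revoke(thief)
    result["global_stolen_opens_after"] = shared.opens(stolen)
    result["global_bystander_still_works"] = shared.opens(bystander_copy)

    scoped = PerHolderLock(holders)
    stolen = scoped.issue(thief)
    bystander_key = scoped.issue(bystander)
    result["scoped_stolen_opens_before"] = scoped.opens(thief, stolen)
    result["scoped_stolen_works_as_other"] = scoped.opens(bystander, stolen)
    result["scoped_reissue_cost"] = scoped.revoke(thief)
    result["scoped_stolen_opens_after"] = scoped.opens(thief, stolen)
    result["scoped_bystander_still_works"] = scoped.opens(bystander, bystander_key)
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:32} {value}")
```

With the shared secret, recovery means reissuing all 2000 credentials or accepting that the stolen one keeps working; with per-holder keys it means reissuing one.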


Crypto-Gram Reprints

Crypto-Gram is currently in its seventh year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram.html>. These are a selection of articles that appeared in this calendar month in other years.

Security at the Olympics:
<http://www.schneier.com/crypto-gram-0409.html#2>

Trusted Traveler program:
<http://www.schneier.com/crypto-gram-0409.html#5>

No-fly list:
<http://www.schneier.com/crypto-gram-0409.html#10>

Accidents and security incidents:
<http://www.schneier.com/crypto-gram-0309.html#1>

Benevolent worms:
<http://www.schneier.com/crypto-gram-0309.html#8>

Special issue on 9/11, including articles on airport security, biometrics, cryptography, steganography, intelligence failures, and protecting liberty:
<http://www.schneier.com/crypto-gram-0109a.html>

Full Disclosure and the Window of Exposure:
<http://www.schneier.com/crypto-gram-0009.html#1>

Open Source and Security:
<http://www.schneier.com/…>

Factoring a 512-bit Number:
<http://www.schneier.com/…>


New Cryptanalytic Results Against SHA-1

Xiaoyun Wang, one of the team of Chinese cryptographers that successfully broke SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, announced new results against SHA-1 at Crypto’s rump session. (Actually, Adi Shamir announced the results in their name, since she and her student did not receive U.S. visas in time to attend the conference.)

Shamir presented few details—and there’s no paper—but the time complexity of the new attack is 2^63. (Their previous result was 2^69; brute force is 2^80.) He did say that he expected Wang and her students to improve this result over the next few months. The modifications to their published attack are still new, and more improvements are likely over the next several months. There is no reason to believe that 2^63 is anything like a lower limit.

But an attack that’s faster than 2^64 is a significant milestone. We’ve already done massive computations with complexity 2^64. Now that the SHA-1 collision search is squarely in the realm of feasibility, some research group will try to implement it. Writing working software will both uncover hidden problems with the attack, and illuminate hidden improvements. And while a paper describing an attack against SHA-1 is damaging, software that produces actual collisions is even more so.

The story of SHA-1 is not over. Again, I repeat the saying I’ve heard comes from inside the NSA: “Attacks always get better; they never get worse.”

Details of the SHA break:
<https://www.schneier.com/blog/archives/2005/02/…>

NIST’s Hash Function Workshop, to be held in late October:
<http://www.csrc.nist.gov/pki/HashWorkshop/index.html>

Effects of the attack on S/MIME, TLS, and IPsec:
<http://www.educatedguesswork.org/movabletype/…>

Xiaoyun Wang’s two papers from Crypto:
Efficient Collision Search Attacks on SHA-0
<http://202.194.5.130/admin/infosec/download.php?id=1>
Finding Collisions in the Full SHA-1
<http://202.194.5.130/admin/infosec/download.php?id=2>
The rest of her papers:
<http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm>

Story of them being denied visas to attend the conference:
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.navyseals.com/community/articles/…>
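
The 2^80 brute-force figure above is the generic birthday bound: finding a collision in an n-bit hash takes about 2^(n/2) evaluations, and SHA-1 has a 160-bit output. The following Python sketch is an added illustration, not part of the original newsletter and not Wang's attack: it runs the generic birthday search on SHA-1 truncated to a few bits and expresses the announced 2^63 and 2^69 against that baseline. The truncation widths, function names and trial counts are assumptions made for the example.

```python
import hashlib

SHA1_BITS = 160

# Work factors quoted in the essay, as log2 of the number of hash operations.
PAGE_FIGURES = {"brute force": 80, "previous result": 69, "new result": 63}


def truncated_sha1(data, bits):
    """Top `bits` bits of SHA-1(data), as an integer."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (SHA1_BITS - bits)


def birthday_collision(bits, prefix):
    """Generic collision search: hash distinct messages until two tags match.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}
    attempts = 0
    while True:
        msg = prefix + b"-" + str(attempts).encode()
        attempts += 1
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg


def mean_cost_ratio(bits, trials=64):
    """Average search cost divided by 2^(bits/2).

    Theory predicts sqrt(pi/2), about 1.25, independent of `bits`.
    """
    total = 0
    for t in range(trials):
        _, _, attempts = birthday_collision(bits, b"trial-%d" % t)
        total += attempts
    return (total / trials) / 2 ** (bits / 2)


def log2_speedup(baseline_log2, attack_log2):
    """How many bits of work an attack saves over a baseline."""
    return baseline_log2 - attack_log2


if __name__ == "__main__":
    for bits in (16, 20, 24):
        ratio = mean_cost_ratio(bits, trials=16)
        print(f"{bits}-bit truncation: mean cost = {ratio:.2f} x 2^{bits // 2}")

    generic = SHA1_BITS // 2
    print(f"full SHA-1 generic bound: 2^{generic}")
    for name, log2_cost in PAGE_FIGURES.items():
        saved = log2_speedup(generic, log2_cost)
        print(f"{name:16} 2^{log2_cost}  ({2 ** saved:,}x cheaper than generic)")
```

The measured cost tracks 2^(n/2) at every width tried, which is why any result below 2^80 counts as a break of SHA-1's collision resistance.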


Zotob

I’ve been reading the massive press coverage about Zotob, and can’t figure out what the big deal is about. Yes, it propagates in Windows 2000 without user intervention, which is always nastier. It uses a Microsoft plug-and-play vulnerability, which is somewhat interesting. But the only reason I can think of that CNN did rolling coverage on it is that CNN was hit by it.

<http://www.theregister.co.uk/2005/08/15/zytob_worm/…>
<http://www.securityfocus.com/news/11281>
<http://news.ft.com/cms/s/…>
<http://www.theregister.co.uk/2005/08/16/irc_bot/>
<http://it.slashdot.org/it/05/08/16/2247228.shtml?…>
<http://www.computerworld.com/printthis/2005/…>
<http://www.newsfactor.com/story.xhtml?story_id=37727>
<http://www.pcworld.idg.com.au/index.php/…>
<http://www.securityfocus.com/news/11285>

Technical details:
<http://www.sophos.com/virusinfo/analyses/w32zotoba.html>
<http://www.f-secure.com/v-descs/zotob_a.shtml>
<http://securityresponse.symantec.com/avcenter/venc/…>

Vulnerability:
<http://www.microsoft.com/technet/security/Bulletin/…>


News

SANS NewsBites is a weekly email digest of the computer-security news stories out there. There is some commentary, but it’s kept to an absolute minimum. It’s primarily short descriptions and links to news articles. There are a lot of email newsletters, but this is one that I read every time. Subscribing is free, which is a great deal for one of the most useful computer-security news sources on the Internet. And, as an aside, I’m on the editorial board. Past issues and sign up:
<http://www.sans.org/newsletters>

Research in behavioral risk analysis:
<https://www.fastlane.nsf.gov/servlet/showaward?…>

Interesting law-review article on crime-facilitating speech:
<http://www.law.ucla.edu/volokh/facilitating.pdf>

Privacy-enhanced computer display:
<http://www.merl.com/projects/privatedisplay/>

If you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything he typed.
<http://www.freedom-to-tinker.com/?p=893>
<http://www.cs.berkeley.edu/~tygar/papers/…>

Putting aside geopolitics for a minute, it’s interesting to read the technical security details about the barrier the Israelis built around Gaza:
<http://www.jpost.com/servlet/Satellite?…>
In Beyond Fear, pages 207-8, I wrote about the technical details of the Berlin Wall. This is far more sophisticated.

Marcus Ranum’s “The Six Dumbest Ideas in Computer Security”:
<http://www.ranum.com/security/computer_security/…>

Criminals are learning forensic science, and juries are getting unrealistic expectations of forensic science, both from television shows like CSI.
<http://www.newscientist.com/channel/opinion/…>

Fascinating article on A.G. Tolkachev, a Russian who spied for the CIA for almost ten years. I was particularly interested in reading the tradecraft descriptions.
<http://www.cia.gov/csi/studies/vol47no3/article02.html>

An awful essay suggesting a U.S. national firewall:
<http://www.pcmag.com/article2/0,1895,1831969,00.asp>

Here’s a criminal who videotaped keys as they were being used and then duplicated them:
<http://www.philly.com/mld/philly/news/local/…>

A researcher writes about how criminals adapt to security features of identity cards, like chip and pin:
<https://www.schneier.com/blog/archives/2005/09/…>
<http://www.guardian.co.uk/crime/article/…>
<http://smh.com.au/news/World/…>
<http://news.bbc.co.uk/1/hi/sci/tech/4213848.stm>
<http://software.silicon.com/security/…>

The Digital-ER mailing list is dedicated to discussing technical solutions to emergency and crisis management.
<http://lists.networkcommand.com/mailman/listinfo/…>

A fun, and ultimately tragic, story about a bad game-show random-number generator.
<http://www.rotten.com/library/conspiracy/…>

Security at Hogwarts
<https://www.schneier.com/blog/archives/2005/09/…>
<http://ritestuff.blogspot.com/2005/08/…>
<http://www.veryard.com/trust/potter.htm>

There’s a discussion on Slashdot about the security of code signing, and particularly my comments on the topic in the book Secrets and Lies.
<http://ask.slashdot.org/askslashdot/05/08/31/…>

Cryptome has a list of 276 MI6 agents:
<http://cryptome.org/mi6-list-276.htm>
Debate the security, legality, ethics, and wisdom of this here:
<https://www.schneier.com/blog/archives/2005/08/…>

Here’s a new Internet data-mining research program with a cool name: Unintended Information Revelation
<http://www.contractoruk.com/news/002194.html>

The security of tamper-evident paper mailings, the kind used by banks and credit-card companies to send PIN numbers and passwords:
<https://www.schneier.com/blog/archives/2005/08/…>
<http://news.bbc.co.uk/1/hi/technology/4183330.stm>
<http://www.cl.cam.ac.uk/~mkb23/research/PIN-Mailer.pdf>

Good article on security at Visa in light of the CardSystems incident.
<http://www.nytimes.com/2005/08/25/business/25visa.html>
The article echoes some of the security arguments I made here:
<https://www.schneier.com/blog/archives/2005/07/…>

Identity thief steals house:
<http://www.plastic.com/article.html;sid=05/08/23/…>

Cingular employee sells used cell phones with personal information still on them:
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.wfmynews2.com/watercooler/…>
Risks of losing small portable devices:
<https://www.schneier.com/blog/archives/2005/07/…>

U.S. government computers attacked from China:
<http://www.washingtonpost.com/wp-dyn/content/…>

Did you know you could be arrested for carrying a police uniform in New York City? Even if you’re an actor playing the part of a policeman in a play?
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.usatoday.com/life/television/news/…>

Interesting research grant from the NSF: A Socio-Technical Approach to Internet Security.
<https://www.fastlane.nsf.gov/servlet/showaward?…>

Here’s a piece of interesting research out of Ohio State: it’s a passive sensor that could be cheaper, better, and less intrusive than technologies like backscatter x-rays.
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.sciencedaily.com/releases/2005/08/…>

Advertisers are beaming unwanted content to Bluetooth phones at a distance of 100 meters.
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.newscientist.com/article.ns?id=dn7883>

RFID in British license plates:
<http://www.wired.com/news/privacy/0,1848,68429,00.html>

Thieves are using Bluetooth phones to find Bluetooth-enabled laptops in parked cars, which they then steal.
<http://www.cambridge-news.co.uk/news/region_wide/…>
Nice example of unintended security consequences of a new technology. And more evidence that new features need to be turned off by default.

Infants on the terrorist watch list:
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.cnn.com/2005/TRAVEL/08/15/…>

The Kutztown 13: Thirteen high-school kids were charged with felonies for bypassing the security of their school-issued laptops.
<https://www.schneier.com/blog/archives/2005/08/…>
<http://www.theregister.co.uk/2005/08/10/kutztown_13/>
<http://www.wired.com/news/technology/…>
<http://www.usatoday.com/tech/columnist/andrewkantor/…>
Charges were eventually dropped:
<http://it.slashdot.org/article.pl?sid=05/09/02/0712237>

Looks like the DHS and TSA are finally beginning to realize that small pointy things are not a terrorist threat to aviation.
<http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/…>

Privacy implications of unmanned planes patrolling borders:
<http://www.epic.org/privacy/surveillance/spotlight/…>


Airline Security, Trade-offs, and Agenda

All security decisions are trade-offs, and smart security trade-offs are ones where the security you get is worth what you have to give up. This sounds simple, but it isn’t. There are differences between perceived risk and actual risk, differences between perceived security and actual security, and differences between perceived cost and actual cost. And beyond that, there are legitimate differences in trade-off analysis. Any complicated security decision affects multiple players, and each player evaluates the trade-off from his or her own perspective.

I call this “agenda,” and it is one of the central themes of Beyond Fear. It is clearly illustrated in the current debate about rescinding the prohibition against small pointy things on airplanes. The flight attendants are against the change. Reading their comments, you can clearly see their subjective agenda:

“‘As the front-line personnel with little or no effective security training or means of self defense, such weapons could prove fatal to our members,’ Patricia A. Friend, international president of the Association of Flight Attendants, said in a letter to Edmund S. ‘Kip’ Hawley, the new leader of the Transportation Security Administration. ‘They may not assist in breaking through a flightdeck door, but they could definitely lead to the deaths of flight attendants and passengers’….

“The flight attendants, whose union represents 46,000 members, said that easing the ban on some prohibited items could pose a safety risk on board the aircraft and lead to incidents that terrorize passengers even if they do not involve a hijacking.

“‘Even a plane that is attacked and results in only a few deaths would seriously jeopardize the progress we have all made in restoring confidence of the flying public,’ Friend said in her letter. ‘We urge you to reconsider allowing such dangerous items—which have no place in the cabin of an aircraft in the first place—to be introduced into our workplace.’”

The flight attendants are not evaluating the security countermeasure from a global perspective. They’re not trying to figure out what the optimal level of risk is, what sort of trade-offs are acceptable, and what security countermeasures most efficiently achieve that trade-off. They’re looking at the trade-off from their perspective: they get more benefit from the countermeasure than the average flier because it’s their workplace, and the cost of the countermeasure is borne largely by the passengers.

There is nothing wrong with flight attendants evaluating airline security from their own agenda. I’d be surprised if they didn’t. But understanding agenda is essential to understanding how security decisions are made.

<http://www.washingtonpost.com/wp-dyn/content/…>


Cameras in the New York City Subways

New York City is spending $212 million on surveillance technology: 1,000 video cameras and 3,000 motion sensors for the city’s subways, bridges, and tunnels.

Why? Why, given that cameras didn’t stop the London train bombings? Why, when there is no evidence that cameras are effective at reducing either terrorism or crime, and every reason to believe that they are ineffective?

One reason is that it’s the “movie plot threat” of the moment. (You can hear the echoes of the movie plots when you read the various quotes in the news stories.) The terrorists bombed a subway in London, so we need to defend our subways. The other reason is that New York City officials are erring on the side of caution. If nothing happens, then it was only money. But if something does happen, they won’t keep their jobs unless they can show they did everything possible. And technological solutions just make everyone feel better.

If I had $212 million to spend to defend against terrorism in the U.S., I would not spend it on cameras in the New York City subways. If I had $212 million to defend New York City against terrorism, I would not spend it on cameras in the subways. This is nothing more than security theater against a movie plot threat.

On the plus side, the money will also go for a new radio communications system for subway police, and will enable cell phone service in underground stations, but not tunnels.

<http://www.nytimes.com/2005/08/23/nyregion/…>
<http://www.washingtonpost.com/wp-dyn/content/…>
<http://news.yahoo.com/s/nm/20050823/us_nm/…>
<http://it.slashdot.org/it/05/08/23/2237220.shtml?…>

Effectiveness of cameras:
<https://www.schneier.com/blog/archives/2005/07/…>
<https://www.schneier.com/blog/archives/2005/05/…>


Counterpane News

Counterpane Joins Sourcefire Certified Snort Integrator Program
<http://www.counterpane.com/pr-20050824.html>

Teleware is Counterpane’s new partner and reseller in Scandinavia and the Baltic.
<http://www.counterpane.com/pr-20050822.html>

WilTel Communications announces an alliance with Counterpane.
<http://www.counterpane.com/pr-20050912.html>

Countermeasures is a quarterly newsletter covering techniques to combat threats and protect the integrity of networked systems. The first issue will go out on the 19th, but you can view a partial preview here:
<http://www.counterpane.com/countermeasures.html>

Schneier is speaking at the Texas Regional Infrastructure Security Conference in Austin, TX on September 19th.
<http://www.trisc.org/>

Schneier is speaking at ACLU events in Columbus and Dayton on September 20-21.
<http://www.acluohio.org/schneier.htm>

Schneier is speaking at the ACLU Hawaii Awards Dinner on September 25th.
<http://www.acluhawaii.org/>

Schneier is speaking at the Information Security Forum in Munich on October 10th.
<http://www.securityforum.org/html/frameset.htm>


Lance Armstrong Accused of Doping

Lance Armstrong has been accused of using a banned substance while racing the Tour de France. From a security perspective, this isn’t very interesting. Blood and urine tests are used to detect banned substances all the time. But what is interesting is that the urine sample was from 1999, and the test was done in 2005.

Back in 1999, there was no test for the drug EPO. Now there is. Someone took an old urine sample—who knew that they stored old urine samples?—and ran the new test.

This ability of a security mechanism to go back in time is interesting, and similar to police exhuming dead bodies for new forensic analysis, or a new cryptographic technique permitting decades-old encrypted messages to be read.

It also has some serious ramifications for athletes considering using banned substances. Not only do they have to evade any tests that exist today, but they have to at least think about how they could evade any tests that might be invented in the future. You could easily imagine athletes being stripped of their records, medals, and titles decades in the future after past transgressions are discovered.

On the other hand, athletes accused of using banned substances in the past have limited means by which to defend themselves. Perhaps they will start storing samples of their own blood and urine in escrow, year after year, so they’d have well-stored and untainted bodily fluids with which to refute charges of past transgressions.

<http://www.timesonline.co.uk/article/…>


Peggy Noonan and Movie-Plot Terrorist Threats

Peggy Noonan is opposed to the current round of U.S. base closings because, well, basically because she thinks they’ll be useful if the government ever has to declare martial law.

I don’t know anything about military bases, and what should be closed or remain open. What’s interesting to me is that her essay is a perfect example of thinking based on movie-plot threats:

“Among the things we may face over the next decade, as we all know, is another terrorist attack on American soil. But let’s imagine the next one has many targets, is brilliantly planned and coordinated. Imagine that there are already 100 serious terror cells in the U.S., two per state. The members of each cell have been coming over, many but not all crossing our borders, for five years. They’re working jobs, living lives, quietly planning.

“Imagine they’re planning that on the same day in the not-so-distant future, they will set off nuclear suitcase bombs in six American cities, including Washington, which will take the heaviest hit. Hundreds of thousands may die; millions will be endangered. Lines will go down, and to make it worse the terrorists will at the same time execute the cyberattack of all cyberattacks, causing massive communications failure and confusion. There will be no electricity; switching and generating stations will also have been targeted. There will be no word from Washington; the extent of the national damage will be as unknown as the extent of local damage is clear. Daily living will become very difficult, and for months—food shortages, fuel shortages.

“Let’s make it worse. On top of all that, on the day of the suitcase nukings, a half dozen designated cells will rise up and assassinate national, state and local leaders. There will be chaos, disorder, widespread want; law-enforcement personnel, or what remains of them, will be overwhelmed and outmatched.

“Impossibly grim? No, just grim. Novelistic? Sure. But if you’d been a novelist on Sept. 10, 2001, and dreamed up a plot in which two huge skyscrapers were leveled, the Pentagon was hit, and the wife of the solicitor general of the United States was desperately phoning him from a commercial jet that had been turned into a missile, you would have been writing something wild and improbable that nonetheless happened a day later.

“And all this of course is just one scenario. The madman who runs North Korea could launch a missile attack on the United States tomorrow, etc. There are limitless possibilities for terrible trouble.”

This game of “let’s imagine” really does stir up emotions, but it’s not the way to plan national security policy. There’s a movie plot to justify any possible national policy, and another to render that same policy ineffectual.

Noonan writes: “This of course is pure guessing on my part. I can’t prove it with data.”

That’s precisely the problem.

<http://www.opinionjournal.com/columnists/pnoonan/?…>


Trusted Computing Best Practices

The Trusted Computing Group (TCG) is an industry consortium that is trying to build more secure computers. They have a lot of members, although the board of directors consists of Microsoft, Sony, AMD, Intel, IBM, SUN, HP, and two smaller companies who are voted in on a rotating basis.

The basic idea is that you build a computer from the ground up securely, with a core hardware “root of trust” called a Trusted Platform Module (TPM). Applications can run securely on the computer, can communicate with other applications and their owners securely, and can be sure that no untrusted applications have access to their data or code.

This sounds great, but it’s a double-edged sword. The same system that prevents worms and viruses from running on your computer might also stop you from using any legitimate software that your hardware or operating system vendor simply doesn’t like. The same system that prevents spyware from accessing your data files might also stop you from copying audio and video files. The same system that ensures that all the patches you download are legitimate might also prevent you from, well, doing pretty much anything.

In May, the Trusted Computing Group published a best practices document: “Design, Implementation, and Usage Principles for TPM-Based Platforms.” Written for users and implementers of TCG technology, the document tries to draw a line between good uses and bad uses of this technology.

“The principles that TCG believes underlie the effective, useful, and acceptable design, implementation, and use of TCG technologies are the following:

“Security: TCG-enabled components should achieve controlled access to designated critical secured data and should reliably measure and report the system’s security properties. The reporting mechanism should be fully under the owner’s control.

“Privacy: TCG-enabled components should be designed and implemented with privacy in mind and adhere to the letter and spirit of all relevant guidelines, laws, and regulations. This includes, but is not limited to, the OECD Guidelines, the Fair Information Practices, and the European Union Data Protection Directive (95/46/EC).

“Interoperability: Implementations and deployments of TCG specifications should facilitate interoperability. Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.

“Portability of data: Deployment should support established principles and practices of data ownership.

“Controllability: Each owner should have effective choice and control over the use and operation of the TCG-enabled capabilities that belong to them; their participation must be opt-in. Subsequently, any user should be able to reliably disable the TCG functionality in a way that does not violate the owner’s policy.

“Ease-of-use: The nontechnical user should find the TCG-enabled capabilities comprehensible and usable.”

It’s basically a good document, although there are some valid criticisms. I like that the document clearly states that coercive use of the technology (forcing people to use digital rights management systems, for example) is inappropriate: “The use of coercion to effectively force the use of the TPM capabilities is not an appropriate use of the TCG technology.”

I like that the document tries to protect user privacy: “All implementations of TCG-enabled components should ensure that the TCG technology is not inappropriately used for data aggregation of personal information.”

I wish that interoperability were more strongly enforced. The language has too much wiggle room for companies to break interoperability under the guise of security: “Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.”

That sounds good, but what does “security” mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG technology is that it can be used to further all three of these “security” goals, and this document is where “security” should be better defined.

Complaints aside, it’s a good document and we should all hope that companies follow it. Compliance is totally voluntary, but it’s the kind of document that governments and large corporations can point to and demand that vendors follow.

But there’s something fishy going on. Microsoft is doing its best to stall the document, and to ensure that it doesn’t apply to Vista (formerly known as Longhorn), Microsoft’s next-generation operating system.

The document was first written in the fall of 2003, and went through the standard review process in early 2004. Microsoft delayed the adoption and publication of the document, demanding more review. Eventually the document was published in June of this year (with a May date on the cover).

Meanwhile, the TCG built a purely software version of the specification: Trusted Network Connect (TNC). Basically, it’s a TCG system without a TPM.

The best practices document doesn’t apply to TNC, because Microsoft (as a member of the TCG board of directors) blocked it. The excuse is that the document hadn’t been written with software-only applications in mind, so it shouldn’t apply to software-only TCG systems.

This is absurd. The document outlines best practices for how the system is used. There’s nothing in it about how the system works internally. There’s nothing unique to hardware-based systems, nothing that would be different for software-only systems. You can go through the document yourself and replace all references to “TPM” or “hardware” with “software” (or, better yet, “hardware or software”) in five minutes. There are about a dozen changes, and none of them make any meaningful difference.

The only reason I can think of for all this Machiavellian maneuvering is that the TCG board of directors is making sure that the document doesn’t apply to Vista. If the document isn’t published until after Vista is released, then obviously it doesn’t apply.

Near as I can tell, no one is following this story. No one is asking why TCG best practices apply to hardware-based systems if they’re writing software-only specifications. No one is asking why the document doesn’t apply to all TCG systems, since it’s obviously written without any particular technology in mind. And no one is asking why the TCG is delaying the adoption of any software best practices.

I believe the reason is Microsoft and Vista, but clearly there’s some investigative reporting to be done.

<http://www.trustedcomputinggroup.org>

The document:
<https://www.trustedcomputinggroup.org/downloads/…>

Commentary on the document:
<http://cyberlaw.stanford.edu/s/bechtold/…>

Trusted Network Connect:
<https://www.trustedcomputinggroup.org/downloads/TNC/>

Commentary and rebuttals of my essay:
<http://s.zdnet.com/Ou/?p=96>
<http://it.slashdot.org/it/05/09/01/1419222.shtml?…>
<http://cyberlaw.stanford.edu/s/bechtold/…>

Ross Anderson on Trusted Computing:
<http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html>

Me on Trusted Computing, back when Microsoft called it Palladium:
<http://www.schneier.com/crypto-gram-0208.html#1>

A version of this essay previously appeared in several places:
<http://news.com.com/Something+fishys+going+on/…>
<http://news.zdnet.com/2100-1009_22-5844520.html>
<http://www.smh.com.au/articles/2005/09/02/…>
<http://www.theage.com.au/articles/2005/09/02/…>


Comments from Readers

From: Stephen Wilson <swilson lockstep.com.au>
Subject: Comment on MD5 legal case in Australia

The court case—perhaps unfortunately—was not as technical as you imply in the last Crypto-Gram. There is nothing in the newspaper articles you quote nor in the public domain that refers to MD5 being broken. Rather, the case has been dismissed because the government lawyers simply could not find an expert witness in the time allotted who could talk sensibly about the technology. So it’s a legal technicality, not a crypto technicality, at work here!

Interestingly, this speed camera hash issue has some more history. A year ago, another Sydney motorist succeeded in having a different matter thrown out of court on a really extreme technicality. The relevant legislation here said at the time that the digest code generated by the speed cameras consisted of “letters, numerals and symbols” but because an MD5 hash only has letters and numerals—and nothing else like &%^ #(!—the motorist argued that the law was flawed and therefore the devices could not be relied upon. The law was fixed almost overnight to drop vague references to “symbols”.

So you see, there is a sport amongst lawyers here to tackle speed camera technology on a range of technicalities. Just wait till they find out about the “real” problems with MD5!

From: Shachar Shemesh <shachar lingnu.com>
Subject: Re: Profiling and El Al

I think your characterization of what El Al are doing as “profiling” is a bit off. It’s not that they do not profile (as well as all the rest of the Israeli defense system), it’s just that they only profile those who deserve less attention.

In general, the El Al screening process questions EVERYONE, and to an amount of detail that is, quite frankly, embarrassing. However, the El Al screening process made a few decisions for the sake of security. 90% of the people flying El Al are Jewish Israeli citizens. In the history of aviation, this population has been responsible for zero terrorist attacks. An Israeli-born Jewish selector (as almost all El Al’s security selectors are) can easily tell, without looking at a passport, whether someone does or does not belong to said group. Being as that is the case, this specific group gets a special treatment in the form of reduced severity questioning.

The thing to understand is that in order to bypass this profiling, one cannot simply pretend to be out of his/her group. If an Israeli Arab pretends to be an African businessman, he will likely be questioned more, not less, due to stepping outside of his profile. He is even going to be questioned, in detail, if he manages to pose as a Christian American-born businessman. On the other hand, trying to pose as a Jewish Israeli is very highly likely to get noticed, due to the fact that the security screener knows how a Jewish Israeli looks, what his accent is like, etc. To understand just how much this is the case, I will note that I’m routinely approached, in Hebrew, whenever I step near an El Al counter anywhere in the world. This takes place before I take my passport or flying tickets out of my bag.

This same policy is employed in many other areas. When hot alerts for a terrorist attack that is supposed to come out of, say, Gaza are known, it is not uncommon to close down the passages between Gaza and Israel. Due to the huge economic pressure that such closure puts on the Palestinian population (most of whom make their living inside Israel), profile-based permissions are granted. At first these were fairly wide. Married people over 30 who have kids, women, etc. As the terrorists consistently found people inside the profiled whitelists, these were consistently narrowed. The thing is that allowing married people through was not done because the Israeli security thought that it’s impossible that someone from that group could be a terrorist, but because between the option of closing the passages down for EVERYONE, and closing them down to most, they preferred to let some through.

Don’t get me wrong. I agree with you completely that profiling in the USA is a bad idea, when done like that. I just think that it’s a bad idea because circumstances within America are very different, and that makes profiling statistically ineffective, making the democratic related costs far exceed the benefit. If, however, El Al were to start questioning EVERYONE (i.e.—no white profiling), the prices in terms of time before flight and cost of ticket would mean they would have to provide a security level which is considerably less high.


CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Comments on CRYPTO-GRAM should be sent to schneier@schneier.com. Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.

Counterpane is the world’s leading protector of networked information – the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2005 by Bruce Schneier.
