June 15, 2006
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0606.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.
In this issue:
Last month, revelation of yet another NSA surveillance effort against the American people rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: "If you aren't doing anything wrong, what do you have to hide?"
Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
Two proverbs say it best: "Quis custodiet ipsos custodes?" ("Who watches the watchers?") and "Absolute power corrupts absolutely."
Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you'll find something to arrest -- or just blackmail -- him with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers, and to spy on political enemies -- whoever they happen to be at the time.
Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.
We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.
A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and their cause. Of course being watched in your own home was unreasonable. Watching at all was an act so unseemly as to be inconceivable among gentlemen in their day. You watched convicted criminals, not free citizens. You ruled your own home. It's intrinsic to the concept of liberty.
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.
How many of us have paused during conversations in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? Probably it was a phone conversation, although maybe it was an e-mail or instant message exchange or a conversation in a public place. Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, then we laugh at our paranoia and go on. But our demeanor has changed, and our words are subtly altered.
This is the loss of freedom we face when our privacy is taken from us. This was life in the former East Germany, or life in Saddam Hussein's Iraq. And it's our future as we allow an ever-intrusive eye into our personal, private lives.
Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.
A version of this essay originally appeared on Wired.com.
Daniel Solove comments:
I can tell you one thing, you guys are really imaginative. The response to my Movie-Plot Threat Contest was more than I could imagine: 892 comments. I printed them all out -- 195 pages, double sided -- and spiral bound them, so I could read them more easily. The cover read: "The Big Book of Terrorist Plots." I tried not to wave it around too much in airports.
I almost didn't want to pick a winner, because the real point is the enormous list of them all. And because it's hard to choose. But after careful deliberation, the winning entry is by Tom Grant. Although planes filled with explosives is already cliche, destroying the Grand Coulee Dam is inspired. Here it is:
"Mission: Terrorize Americans. Neutralize American economy, make America feel completely vulnerable, and all Americans unsafe.
"Scene 1: A rented van drives from Spokane, WA, to a remote setting in Idaho and loads up with shoulder-mounted rocket launchers and a couple of people dressed in fatigues.
"Scene 2: Terrorists dressed in 'delivery man' garb take over the UPS cargo depot at the Spokane, WA, airport. A van full of explosives is unloaded at the depot.
"Scene 3: Terrorists dressed in 'delivery man' garb take over the UPS cargo depot at the Kamloops, BC, airport. A van full of explosives is unloaded at the depot.
"Scene 4: A van with mercenaries drives through the Idaho forests en route to an unknown destination. Receives cell communiqu矴hat locations Alpha and Bravo are secured.
"Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by terrorists who overtake the plane and its crew. Explosives are loaded aboard the aircraft. The same scene plays out in Spokane moments later, and that plane is loaded with explosives. Two pilots board each of the cargo planes and ask for takeoff instructions as night falls across the West.
"Scene 6: Two cargo jets go airborne from two separate locations. A van with four terrorists arrives at its destination, parked on an overlook ridge just after nightfall. They use infrared glasses to scope the target. The camera pans down and away from the van, exposing the target. Grand Coulee Dam. The cell phone rings and notification comes to the leader that 'Nighthawks alpha and bravo have launched.'
"Scene 7: Two radar operators in separate locations note with alarm that UPS cargo jets they have been tracking have dropped off the radar and may have crashed. Aboard each craft the pilots have turned off navigational radios and are flying on 'manual' at low altitude. One heading South, one heading North.
"Scene 8: Planes are closing in on the 'target' and the rocket launcher crew goes to work. With precision they strike lookout and defense positions on the dam, then target the office structures below. As they finish, a cargo jet approaches from the North at high velocity, slamming into the back side of the dam just above the waterline and exploding, shuddering the earth. A large portion of the center-top of the dam is missing. Within seconds a cargo plane coming from the South slams into the front face of the dam, closer to the base, and explodes in a blinding flash, shuddering the earth. In moments, the dam begins to fail, and a final volley from four rocket launchers on the hill above helps break open the face of the dam. The 40-mile-long Lake Roosevelt begins to pour down the Columbia River Valley, uncontrolled. No warning is given to the dams downriver, other than the generation at G.C. is now offline.
"Scene 9: Through the night, the surging wall of water roars down the Columbia waterway, overtopping dam after dam and gaining momentum (and huge amounts of water) along the way. The cities of Wenatchee and Kennewick are inundated and largely swept away. A van of renegades retreats to Northern Idaho to hide.
"Scene 10: As day breaks in the West, there is no power from Seattle to Los Angeles. The Western power grid has failed. Commerce has ground to a halt west of the Rocky Mountains. Water is sweeping down the Columbia River gorge, threatening to overtop Bonneville dam and wipe out the large metro area of Portland, OR.
"Scene 11: Bin Laden releases a video on Al Jazeera that claims victory over the Americans.
"Scene 12: Pandemonium, as water sweeps into a panicked Portland, Oregon, washing all away in its path, and surging water well up the Willamette valley.
"Scene 13: Washington situation room...little input is coming in from the West. Some military bases have emergency power and sat phones, and are reporting that the devastation of the dam infrastructure is complete. Seven major and five minor dams have been destroyed. Re-powering the West coast will take months, as connections from the Eastern grid will have to be made through the New Mexico Mountains.
"Scene 14: Worst U.S. market crash in history. America's GNP drops from the top of the charts to 20th worldwide. Exports and imports cease on the West coast. Martial law fails to control mass exodus from Seattle, San Francisco, and L.A. as millions flee to the east. Gas shortages and vigilante mentality take their toll on the panicked populace. The West is 'wild' once more. The East is overrun with millions seeking homes and employment."
Congratulations, Tom. I'm still trying to figure out what you win.
Contest rules and all entries:
Update, including selection criteria:
Crypto-Gram is currently in its ninth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram-back.html>. These are a selection of articles that appeared in this calendar month in other years.
Internet Attack Trends:
U.S. Medical Privacy Law Gutted:
Breaking Iranian Codes:
The Witty Worm:
The Risks Of Cyberterrorism:
Fixing Intelligence Failures:
Honeypots and the Honeynet Project
The Data Encryption Standard (DES):
The internationalization of cryptography policy:
The new breeds of viruses, worms, and other malware:
Timing attacks, power analysis, and other "side-channel" attacks against cryptosystems:
This quote sums up nicely why Diebold should not be trusted to secure election machines:
"David Bear, a spokesman for Diebold Election Systems, said the potential risk existed because the company's technicians had intentionally built the machines in such a way that election officials would be able to update their systems in years ahead.
"'For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software,' he said. 'I don't believe these evil elections people exist.'"
If you can't get the threat model right, you can't hope to secure the system.
Consumers are willing to trade privacy for convenience:
Online student exams. I'm sure this is a good idea, but I wonder when the first case of cheating-by-rootkit will occur.
Bundesamt fur Sicherheit in der Informationstechnik, or Federal Office for Information Security, or BSI, is Germany's equivalent of the NSA. They have an English-language website that has a number of English-language security publications.
The National Institute of Standards and Technology has released a document detailing how federal agencies should manage security logs: NIST Special Publication 800-92: Guide to Computer Security Log Management.
Really good advice, step by step, on how to survive identity theft:
The U.S. Coast Guard solicits Hollywood screenwriters to help them with movie-plot threats. No, really.
Smart profiling from the DHS and the TSA: "Select TSA employees will be trained to identify suspicious individuals who raise red flags by exhibiting unusual or anxious behavior, which can be as simple as changes in mannerisms, excessive sweating on a cool day, or changes in the pitch of a person's voice." About time.
Russian spammers have been attacking the company Blue Security, and Blue Security has given up.
Winning my award for dumb movie-plot threat of the month, here's someone who thinks that counterfeit electronics are a terrorist tool.
First runner up for dumb movie-plot threat of the month, here's someone who thinks that a public aviation tracking system is a "terrorist's dream."
A clip from the movie "Team America: World Police," was mistaken for an al Qaeda video at a Congressional committee. Oops.
Ira Winkler on why NSA spying hurts security:
You too can spy on the Internet, just like the NSA.
This essay makes the case that there is no way to safely report a computer vulnerability. Whatever you do opens you up to prosecution.
TrueCrypt: On-the-fly encryption with plausible deniability:
From Charlie Stross: "A report on the state of the National Identity Register, May 2016." Note the date; it's fiction.
Great quote by Alexander Solzhenitsyn (1968) on data and privacy: "As every man goes through life he fills in a number of forms for the record, each containing a number of questions... There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider's web, and if they materialized as rubber bands, buses; trams and even people would all lose the ability to move, and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city. They are not visible, they are not material, but every man is constantly aware of their existence.... Each man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads."
In the long term, corporate data mining efforts are more of a privacy risk than government data mining efforts. And here's an off-the-shelf product from IBM:
From a list of 100,000 passwords for a German dating site, we learn that "123456" works 1.4% of the time and that 2.5% of all passwords begin with "1234." Interesting.
Bank defends its bad security by saying that everyone else does it, too.
Interesting essay about how EU law would treat the NSA's collection of everyone's phone records.
Fascinating interview with a debit card scammer. Moral: securing this system isn't going to be easy.
And some comments from a fake ID salesman, in case you thought hard-to-forge national ID cards would solve the problem:
Nice article discussing the hype, and reality, over the threat of homebrew chemical weapons.
Just hide this gadget in someone's car or briefcase -- or maybe sew it into his coat -- and then track his every move using GPS. You have to recover the device to play it back, but presumably the next generation will be queryable remotely.
The U.S. government is asking ISPs to save personal data about you, in case they need access to it.
From "Assassination in the United States: An Operational Study of Recent Assassins, Attackers, and Near-Lethal Approachers," (a 1999 article published in the "Journal of Forensic Sciences"): "Few attackers or near-lethal approachers possessed the cunning or the bravado of assassins in popular movies or novels. The reality of American assassination is much more mundane, more banal than assassinations depicted on the screen. Neither monsters nor martyrs, recent American assassins, attackers, and near-lethal approachers engaged in pre-incident patterns of thinking and behaviour." The quote is from the last page. The whole thing is interesting reading.
Interesting law review article by Helen Nissenbaum: "Privacy as Contextual Integrity."
New directions in chemical warfare: chemicals that make enemy soldiers sexually irresistible to each other, attract swarms of enraged wasps, or cause "severe and lasting halitosis":
NSA surveillance cartoon:
Interesting paper on the security of contactless smartcards:
Wireless surveillance camera detector:
Great article comparing the barrier Israel is erecting to protect itself from the West Bank with the hypothetical barrier the U.S. would build to protect itself from Mexico: "No wonder the [Israeli] fence is considered a good deal by those living on its western side. But applying this model to the U.S.-Mexico border will not be easy. U.S. citizens will find it hard to justify such tough measures when their only goal is to stop people coming in for work -- rather than preventing them from trying to commit murder. And the cost will be more important. It's much easier to open your wallet when someone is threatening to blow up your local cafe."
$1M VoIP scam:
NIST has just published "Recommendation for Random Number Generation Using Deterministic Random Bit Generators."
The NSA is combing through MySpace:
I've previously written about the risks of small portable computing devices; how more and more data can be stored on them, and then lost or stolen. But there's another risk: if an attacker can convince you to plug his USB device into your computer, he can take it over. From CSO Magazine:
"Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB's internal storage, and hide them as "deleted" files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that's likely to be with us for many years to come."
The article has the details, but basically you can configure a file on your USB device to automatically run when it's plugged into a computer. That file can, of course, do anything you want it to.
Recently I've been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called "iPod Sneakiness" (unfortunately, not online). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up -- and then steal his passwords and critical files.
And about someone used this trick in a penetration test:
"We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.
"The next hurdle we had was getting the USB drives in the hands of the credit union's internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
"Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
"I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software."
There is a partial defense. From the first article:
"AutoRun is just a bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what's on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the "Shift" key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for 'disable autorun') or you can download and use Microsoft's TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in the Windows explorer, choosing the AutoPlay tab, and then selecting 'Take no action' for each kind of disk that's listed. Unfortunately, disabling AutoPlay for CDs won't always disable AutoPlay for USB devices, so the registry hack is the safest course of action."
In the 1990s, the Macintosh operating system had this feature, which was removed after a virus made use of it in 1998. Microsoft needs to remove this feature as well.
But it's only a partial defense. In the penetration test, they didn't use AutoRun. They just created a sufficiently enticing file, and the people who found the USB drives manually invoked the executable.
My previous essay:
The website is hysterical:
"Proof of the Krypto security !
Machine translated (on the website; not by me) from German into English. My head hurts just trying to read that.
Schneier is speaking at the FIRST Conference in Baltimore on June 30:
Interview with Bruce Schneier:
Counterpane announced two pretty cool service agreements:
Network World wrote about Counterpane at the Gartner Security Conference:
Have you ever been to a retail store and seen this sign on the register: "Your purchase free if you don't get a receipt"? You almost certainly didn't see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant, or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.
If you're a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner -- who was presumably elsewhere in the store -- that an employee was handling money.
The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it's impossible to insert or delete transactions. It's an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with the register tape. Any discrepancies can be docked from the employee's paycheck.
If you're a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that's how employees steal cash in retail stores.
What can the store owner do? He can stand there and watch the employee, of course. But that's not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn't care one way or another about a receipt.
So here's what the employer does: he hires the customer. By putting up a sign saying "Your purchase free if you don't get a receipt," the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.
There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.
In Beyond Fear, I wrote about ATM fraud; you can see the same mechanism at work:
"When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault -- while in the UK, the banks did nothing."
The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved.
Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.
One last story. In Italy, tax fraud used to be a national hobby. (It may still be; I don't know.) The government was tired of retail stores not reporting sales and paying taxes, so they passed a law regulating the customers. Any customer having just purchased an item and stopped within a certain distance of a retail store, had to produce a receipt or they would be fined. Just as in the "Your purchase free if you don't get a receipt" story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.
This was a great idea, but it didn't work very well. Customers, especially tourists, didn't like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn't guard merchants wasn't as effective an enticement as offering people a reward if they didn't get a receipt.
Interest must be aligned with capability, but you need to be careful how you generate interest.
This essay originally appeared on Wired.com.
There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Comments on CRYPTO-GRAM should be sent to firstname.lastname@example.org. Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2006 by Bruce Schneier.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.