Crypto-Gram Newsletter

October 15, 2006

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0610.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.


In this issue:


Screening People with Clearances

Why should we waste time at airport security, screening people with U.S. government security clearances? This perfectly reasonable question was asked recently by Robert Poole, director of transportation studies at The Reason Foundation, as he and I were interviewed by WOSU Radio in Ohio.

Poole argued that people with government security clearances, people who are entrusted with U.S. national security secrets, are trusted enough to be allowed through airport security with only a cursory screening. They've already gone through background checks, he said, and it would be more efficient to concentrate screening resources on everyone else.

To someone not steeped in security, it makes perfect sense. But it's a terrible idea, and understanding why teaches us some important security lessons.

The first lesson is that security is a system. Identifying someone's security clearance is a complicated process. People with clearances don't have special ID cards, and they can't just walk into any secured facility. A clearance is held by a particular organization -- usually the organization the person works for -- and is transferred by a classified message to other organizations when that person travels on official business.

Airport security checkpoints are not set up to receive these clearance messages, so some other system would have to be developed.

Of course, it makes no sense for the cleared person to have his office send a message to every airport he's visiting, at the time of travel. Far easier is to have a centralized database of people who are cleared. But now you have to build this database. And secure it. And ensure that it's kept up to date.

Or maybe we can create a new type of ID card: one that identifies people with security clearances. But that also requires a backend database and a card that can't be forged. And clearances can be revoked at any time, so there needs to be some way of invalidating cards automatically and remotely.

Whatever you do, you need to implement a new set of security procedures at airport security checkpoints to deal with these people. The procedures need to be good enough that people can't spoof it. Screeners need to be trained. The system needs to be tested.

What starts out as a simple idea -- don't waste time searching people with government security clearances -- rapidly becomes a complicated security system with all sorts of new vulnerabilities.

The second lesson is that security is a trade-off. We don't have infinite dollars to spend on security. We need to choose where to spend our money, and we're best off if we spend it in ways that give us the most security for our dollar.

Given that very few Americans have security clearances, and that speeding them through security wouldn't make much of a difference to anyone else standing in line, wouldn't it be smarter to spend the money elsewhere? Even if you're just making trade-offs about airport security checkpoints, I would rather take the hundreds of millions of dollars this kind of system could cost and spend it on more security screeners and better training for existing security screeners. We could both speed up the lines and make them more effective.

The third lesson is that security decisions are often based on subjective agenda. My guess is that Poole has a security clearance -- he was a member of the Bush-Cheney transition team in 2000 -- and is annoyed that he is being subjected to the same screening procedures as the other (clearly less trusted) people he is forced to stand in line with. From his perspective, not screening people like him is obvious. But objectively it's not.

This issue is no different than searching airplane pilots, something that regularly elicits howls of laughter among amateur security watchers. What they don't realize is that the issue is not whether we should trust pilots, airplane maintenance technicians or people with clearances. The issue is whether we should trust people who are dressed as pilots, wear airplane-maintenance-tech IDs or claim to have clearances.

We have two choices: Either build an infrastructure to verify their claims, or assume that they're false. And with apologies to pilots, maintenance techs and people with clearances, it's cheaper, easier and more secure to search you all.

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/1,71906-0.html


Did Hezbollah Crack Israeli Secure Radio?

According to Newsday:

"Hezbollah guerrillas were able to hack into Israeli radio communications during last month's battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults, according to Hezbollah and Lebanese officials.

"Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials."

Read the article. Basically, the problem is operational error:

"With frequency-hopping and encryption, most radio communications become very difficult to hack. But troops in the battlefield sometimes make mistakes in following secure radio procedures and can give an enemy a way to break into the frequency-hopping patterns. That might have happened during some battles between Israel and Hezbollah, according to the Lebanese official. Hezbollah teams likely also had sophisticated reconnaissance devices that could intercept radio signals even while they were frequency-hopping."

I agree with The Register: "Claims that Hezbollah fighters were able to use this intelligence to get some intelligence on troop movement and supply routes are plausible, at least to the layman, but ought to be treated with an appropriate degree of caution as they are substantially corroborated by anonymous sources."

But I have even more skepticism. If indeed Hezbollah was able to do this, the last thing they want is for it to appear in the press. But if Hezbollah can't do this, then a few good disinformation stories are a good thing.

http://www.newsday.com/news/printedition/stories/...
http://www.theregister.co.uk/2006/09/20/...


Renew Your Passport Now!

If you have a passport, now is the time to renew it -- even if it's not set to expire anytime soon. If you don't have a passport and think you might need one, now is the time to get it. In many countries, including the United States, passports will soon be equipped with RFID chips. And you don't want one of these chips in your passport.

RFID stands for "radio-frequency identification." Passports with RFID chips store an electronic copy of the passport information: your name, a digitized picture, etc. And in the future, the chip might store fingerprints or digital visas from various countries.

By itself, this is no problem. But RFID chips don't have to be plugged in to a reader to operate. Like the chips used for automatic toll collection on roads or automatic fare collection on subways, these chips operate via proximity. The risk to you is the possibility of surreptitious access: Your passport information might be read without your knowledge or consent by a government trying to track your movements, a criminal trying to steal your identity or someone just curious about your citizenship.

At first the State Department belittled those risks, but in response to criticism from experts it has implemented some security features. Passports will come with a shielded cover, making it much harder to read the chip when the passport is closed. And there are now access-control and encryption mechanisms, making it much harder for an unauthorized reader to collect, understand and alter the data.

Although those measures help, they don't go far enough. The shielding does no good when the passport is open. Travel abroad and you'll notice how often you have to show your passport: at hotels, banks, Internet cafes. Anyone intent on harvesting passport data could set up a reader at one of those places. And although the State Department insists that the chip can be read only by a reader that is inches away, the chips have been read from many feet away.

The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a "meaningless stunt," pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.

This is perhaps the greatest risk. The security mechanisms on your passport chip have to last the lifetime of your passport. It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time. Improvements in antenna technology will certainly increase the distance at which they can be read and might even allow unauthorized readers to penetrate the shielding.

Whatever happens, if you have a passport with an RFID chip, you're stuck. Although popping your passport in the microwave will disable the chip, the shielding will cause all kinds of sparking. And although the United States has said that a nonworking chip will not invalidate a passport, it is unclear if one with a deliberately damaged chip will be honored.

The Colorado passport office is already issuing RFID passports, and the State Department expects all U.S. passport offices to be doing so by the end of the year. Many other countries are in the process of changing over. So get a passport before it's too late. With your new passport you can wait another 10 years for an RFID passport, when the technology will be more mature, when we will have a better understanding of the security risks and when there will be other technologies we can use to cut the risks. You don't want to be a guinea pig on this one.

This op-ed originally appeared in the Washington Post.
http://www.washingtonpost.com/wp-dyn/content/...

Rebuttal:
http://www.mercurynews.com/mld/mercurynews/news/...

My previous writings on RFID passports:
http://www.schneier.com/blog/archives/2006/08/...
http://www.schneier.com/blog/archives/2004/10/...
http://www.schneier.com/blog/archives/2005/04/...
http://www.schneier.com/essay-060.html http://www.schneier.com/blog/archives/2005/08/...


Faulty Data and the Arar Case

Maher Arar is a Syrian-born Canadian citizen. On September 26, 2002, he tried to fly from Switzerland to Toronto. Changing planes in New York, he was detained by the U.S. authorities, and eventually shipped to Syria where he was tortured. He's 100% innocent.

The Canadian government has completed its "Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar," the results of which are public. From their press release: "On Maher Arar, the Commissioner comes to one important conclusion: 'I am able to say categorically that there is no evidence to indicate that Mr. Arar has committed any offence or that his activities constitute a threat to the security of Canada.'"

Certainly something that everyone who supports the U.S.'s right to detain and torture people without having to demonstrate their guilt should think about. But what's more interesting to readers of this blog is the role that inaccurate data played in the deportation and ultimately torture of an innocent man.

Privacy International summarizes the report. These are among their bullet points:

"The RCMP provided the U.S. with an entire database of information relating to a terrorism investigation (three CDs of information), in a way that did not comply with RCMP policies that require screening for relevance, reliability, and personal information. In fact, this action was without precedent.

"The RCMP provided the U.S. with inaccurate information about Arar that portrayed him in an infairly negative fashion and overstated his importance to a RCMP investigation. They included some 'erroneous notes.'

"While he was detained in the U.S., the RCMP provided information regarding him to the U.S. Federal Bureau of Investigation (FBI), 'some of which portrayed him in an inaccurate and unfair way.' The RCMP provided inaccurate information to the U.S. authorities that tended to link Arar to other terrorist suspects; and told the U.S. authorities that Arar had previously refused to be interviewed, which was also incorrect; and the RCMP also said that soon after refusing the interview he suddenly left Canada for Tunisia. 'The statement about the refusal to be interviewed had the potential to arouse suspicion, especially among law enforcement officers, that Mr. Arar had something to hide.' The RCMP's information to the U.S. authorities also placed Arar in the vicinity of Washington DC on September 11, 2001 when he was instead in California."

Judicial oversight is a security mechanism. It prevents the police from incarcerating the wrong person. The point of habeas corpus is that the police need to present their evidence in front of a neutral third party, and not indefinitely detain or torture people just because they believe they're guilty. We are all less secure if we water down these security measures.

Background:
http://www.privacyinternational.org/article.shtml?...
Government report:
http://www.ararcommission.ca/eng/index.htm
http://www.ararcommission.ca/eng/...

Privacy International:
http://www.privacyinternational.org/article.shtml?...
Judicial oversight:
http://www.schneier.com/essay-045.html


Crypto-Gram Reprints

Crypto-Gram is currently in its ninth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram-back.html>. These are a selection of articles that appeared in this calendar month in other years.

Phishing:
http://www.schneier.com/crypto-gram-0510.html#1

Secure Flight Working Group Report:
http://www.schneier.com/crypto-gram-0510.html#10

Judge Roberts, Privacy, and the Future:
http://www.schneier.com/crypto-gram-0510.html#16

Keeping Network Outages Secret:
http://www.schneier.com/crypto-gram-0410.html#2

RFID Passports:
http://www.schneier.com/crypto-gram-0410.html#3

The Legacy of DES:
http://www.schneier.com/crypto-gram-0410.html#8

Wholesale Surveillance:
http://www.schneier.com/crypto-gram-0410.html#10
http://www.schneier.com/crypto-gram-0410.html#11

Academic Freedom and Security:
http://www.schneier.com/crypto-gram-0410.html#13

The Future of Surveillance:
http://www.schneier.com/crypto-gram-0310.html#1

National Strategy to Secure Cyberspace:
http://www.schneier.com/crypto-gram-0210.html#1

Cyberterrorism:
http://www.schneier.com/crypto-gram-0110.html#1

Dangers of Port 80
http://www.schneier.com/crypto-gram-0110.html#9

Semantic Attacks:
http://www.schneier.com/crypto-gram-0010.html#1

NSA on Security:
http://www.schneier.com/crypto-gram-0010.html#7

So, You Want to be a Cryptographer:
http://www.schneier.com/...
Key Length and Security:
http://www.schneier.com/...

Steganography: Truths and Fictions:
http://www.schneier.com/...

Memo to the Amateur Cipher Designer:
http://www.schneier.com/...


Expensive Cameras in Checked Luggage

This is a blog post about the problems of being forced to check expensive camera equipment on airplanes:

"Well, having lived in Kashmir for 12+ years I am well accustomed to this type of security. We haven't been able to have hand carries since 1990. We also cannot have batteries in any of our equipment checked or otherwise. At least we have been able to carry our laptops on and recently been able to actually use them (with the batteries). But, if things keep moving in this direction, and I'm sure it will, we need to start thinking now about checking our cameras and computers and how to do it safely. This is a very unpleasant idea. Two years ago I ordered a Canon 20D and had it "hand carried" over to meet me in England by a friend. My friend put it in their checked bag. The bag never showed up. She did not have insurance and all I got $100 from British Airways for the camera and $500 from American Express (buyers protection) that was it. So now it looks as if we are going to have to check our cameras and our computers involuntarily. OK here are a few thoughts."

Pretty basic stuff, and we all know about the risks of putting expensive stuff in your checked luggage.

The interesting part is one of the blog comments, about halfway down. Another photographer wonders if the TSA rules for firearms could be extended to camera equipment:

"Why not just have the TSA adopt the same check in rules for photographic and video equipment as they do for firearms?

"All firearms must be in checked baggage, no carry on.

"All firearms must be transported in a locked, hard sided case using a non-TSA approved lock. This is to prevent anyone from opening the case after its been screened.

"After bringing the equipment to the airline counter and declaring and showing the contents to the airline representative, you take it over to the TSA screening area where it is checked by a screener, relocked in front of you, your key or keys returned to you (if it's not a combination lock) and put directly on the conveyor belt for loading onto the plane.

"No markings, stickers or labels identifying what's inside are put on the outside of the case or, if packed inside something else, the bag.

"Might this solve the problem? I've never lost a firearm when flying."

Then someone has the brilliant suggestion of putting a firearm in your camera-equipment case:

"A 'weapons' is defined as a rifle, shotgun, pistol, airgun, and STARTER PISTOL. Yes, starter pistols -- those little guns that fire blanks at track and swim meets -- are considered weapons...and do NOT have to be registered in any state in the United States.

"I have a starter pistol for all my cases. All I have to do upon check-in is tell the airline ticket agent that I have a weapon to declare...I'm given a little card to sign, the card is put in the case, the case is given to a TSA official who takes my key and locks the case, and gives my key back to me.

"That's the procedure. The case is extra-tracked...TSA does not want to lose a weapons case. This reduces the chance of the case being lost to virtually zero.

"It's a great way to travel with camera gear...I've been doing this since Dec 2001 and have had no problems whatsoever."

I have to admit that I am impressed with this solution.

http://blogs.lexar.com/mattbrandon/2006/08/...


Facebook and Data Control

Earlier this month, the popular social networking site Facebook learned a hard lesson in privacy. It introduced a new feature called "News Feeds" that shows an aggregation of everything members do on the site: added and deleted friends, a change in relationship status, a new favorite song, a new interest, etc. Instead of a member's friends having to go to his page to view any changes, these changes are all presented to them automatically.

The outrage was enormous. One group, Students Against Facebook News Feeds, amassed over 700,000 members. Members planned to protest at the company's headquarters. Facebook's founder was completely stunned, and the company scrambled to add some privacy options.

Welcome to the complicated and confusing world of privacy in the information age. Facebook didn't think there would be any problem; all it did was take available data and aggregate it in a novel way for what it perceived was its customers' benefit. Facebook members instinctively understood that making this information easier to display was an enormous difference, and that privacy is more about control than about secrecy.

But on the other hand, Facebook members are just fooling themselves if they think they can control information they give to third parties.

Privacy used to be about secrecy. Someone defending himself in court against the charge of revealing someone else's personal information could use as a defense the fact that it was not secret. But clearly, privacy is more complicated than that. Just because you tell your insurance company something doesn't mean you don't feel violated when that information is sold to a data broker. Just because you tell your friend a secret doesn't mean you're happy when he tells others. Same with your employer, your bank, or any company you do business with.

But as the Facebook example illustrates, privacy is much more complex. It's about who you choose to disclose information to, how, and for what purpose. And the key word there is "choose." People are willing to share all sorts of information, as long as they are in control.

When Facebook unilaterally changed the rules about how personal information was revealed, it reminded people that they weren't in control. Its eight million members put their personal information on the site based on a set of rules about how that information would be used. It's no wonder those members -- high school and college kids who traditionally don't care much about their own privacy -- felt violated when Facebook changed the rules.

Unfortunately, Facebook can change the rules whenever it wants. Its Privacy Policy is 2,800 words long, and ends with a notice that it can change at any time. How many members ever read that policy, let alone read it regularly and check for changes? Not that a Privacy Policy is the same as a contract. Legally, Facebook owns all data members upload to the site. It can sell the data to advertisers, marketers, and data brokers. (Note: there is no evidence that Facebook does any of this.) It can allow the police to search its databases upon request. It can add new features that change who can access what personal data, and how.

But public perception is important. The lesson here for Facebook and other companies -- for Google and MySpace and AOL and everyone else who hosts our e-mails and webpages and chat sessions -- is that people believe they own their data. Even though the user agreement might technically give companies the right to sell the data, change the access rules to that data, or otherwise own that data, we -- the users -- believe otherwise. And when we who are affected by those actions start expressing our views -- watch out.

What Facebook should have done was add the feature as an option, and allow members to opt in if they wanted to. Then, members who wanted to share their information via News Feeds could do so, and everyone else wouldn't have felt that they had no say in the matter. This is definitely a gray area, and it's hard to know beforehand which changes need to be implemented slowly and which won't matter. Facebook, and others, need to talk to its members openly about new features. Remember: members want control.

The lesson for Facebook members might be even more jarring: if they think they have control over their data, they're only deluding themselves. They can rebel against Facebook for changing the rules, but the rules have changed, regardless of what the company does.

Whenever you put data on a computer, you lose some control over it. And when you put it on the internet, you lose a lot of control over it. News Feeds brought Facebook members face to face with the full implications of putting their personal information on Facebook. It had just been an accident of the user interface that it was difficult to aggregate the data from multiple friends into a single place. And even if Facebook eliminates News Feeds entirely, a third party could easily write a program that does the same thing. Facebook could try to block the program, but would lose that technical battle in the end.

We're all still wrestling with the privacy implications of the Internet, but the balance has tipped in favor of more openness. Digital data is just too easy to move, copy, aggregate, and display. Companies like Facebook need to respect the social rules of their sites, to think carefully about their default settings -- they have an enormous impact on the privacy mores of the online world -- and to give users as much control over their personal information as they can.

But we all need to remember that much of that control is illusory.

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,71815-0.html

http://www.danah.org/papers/FacebookAndPrivacy.html
http://www.motherjones.com/interview/2006/09/...
http://www.nytimes.com/2006/09/10/fashion/...
http://berkeley.facebook.com/group.php?gid=2208288769
http://blog.facebook.com/blog.php?post=2208197130
http://blog.facebook.com/blog.php?post=2208562130
http://mashable.com/2006/08/25/facebook-profile

Facebook privacy policy:
http://www.facebook.com/policy.php


Indexes to NSA Publications Declassified and Online

In May 2003, Michael Ravnitzky submitted a Freedom of Information Act (FOIA) request to the National Security Agency for a copy of the index to their historical reports at the Center for Cryptologic History and the index to certain journals: the NSA Technical Journal and the Cryptographic Quarterly. These journals had been mentioned in the literature but are not available to the public. Because he thought NSA might be reluctant to release the bibliographic indexes, he also asked for the table of contents to each issue.

The request took more than three years for them to process and declassify -- sadly, not atypical -- and during the process they asked if he would accept the indexes in lieu of the tables of contents pages: specifically, the cumulative indices that included all the previous material in the earlier indices. He agreed, and got them last month. The results are online.

This is just a sampling of some of the article titles from the NSA Technical Journal: "The Arithmetic of a Generation Principle for an Electronic Key Generator" - "CATNIP: Computer Analysis - Target Networks Intercept Probability" - "Chatter Patterns: A Last Resort" - "COMINT Satellites - A Space Problem" - "Computers and Advanced Weapons Systems" - "Coupon Collecting and Cryptology" - "Cranks, Nuts, and Screwballs" - "A Cryptologic Fairy Tale" - "Don't Be Too Smart" - "Earliest Applications of the Computer at NSA" - "Emergency Destruction of Documents" - "Extraterrestrial Intelligence" - "The Fallacy of the One-Time-Pad Excuse" - "GEE WHIZZER" - "The Gweeks Had a Gwoup for It" - "How to Visualize a Matrix" - "Key to the Extraterrestrial Messages" - "A Mechanical Treatment of Fibonacci Sequences" - "Q.E.D.- 2 Hours, 41 Minutes" - "SlGINT Implications of Military Oceanography" - "Some Problems and Techniques in Bookbreaking" - "Upgrading Selected US Codes and Ciphers with a Cover and Deception Capability" - "Weather: Its Role in Communications Intelligence" - "Worldwide Language Problems at NSA"

In the materials the NSA provided, they also included indices to two other publications: Cryptologic Spectrum and Cryptologic Almanac.

The indices to Cryptologic Quarterly and NSA Technical Journal have indices by title, author, and keyword. The index to Cryptologic Spectrum has indices by author, title, and issue.

Consider these bibliographic tools as stepping stones. If you want an article, send a FOIA request for it. Send a FOIA request for a dozen. There's a lot of stuff here that would help elucidate the early history of the agency and some interesting cryptographic topics.

Thanks, Mike, for doing this work.

http://www.thememoryhole.org/nsa/bibs.htm


News

More on the HP spying scandal:
http://www.schneier.com/blog/archives/2006/09/...

Cybercrime is moving up in the criminal food chain: more organized crime syndicates are getting involved:
http://www.wired.com/news/wireservice/0,71793-0.html
I've been saying this sort of thing for years, and have long complained that cyberterrorism gets all the press, while cybercrime is the real threat. I don't think this article is fear and hype; it's a real problem.

You can program an ATM to believe that $20 bills are $5 bills, and then withdraw four times the money you're entitled to. It's surprisingly easy, actually.
http://www.schneier.com/blog/archives/2006/09/...

People applying for a U.S. visa have to answer this question: "Have you ever been arrested of convicted for any offense or crime, even through subject of a pardon, amnesty or other similar legal action? Have you ever unlawfully distributed or sold a controlled substance (drug), or been a prostitute or procurer for prostitutes?"
And this question: "Did you seek to enter the United States to engage in export control violations, subversive or terrorist activities, or any other unlawful purpose? Are you a member or representative of a terrorist organization as currently designated by the U.S. Secretary of State? Have you ever participated in persecutions directed by the Nazi government or Germany; or have you ever participated in genocide?"
http://www.schneier.com/blog/archives/2006/09/...

Germans are spying on British trash. You just can't make this stuff up:
http://www.thisislondon.co.uk/news/...
An anonymous note in the Harvard Law Review argues that there is a significant benefit from Internet attacks:
http://www.harvardlawreview.org/issues/119/june06/...
You can open a car door in only 3,129 button presses. On the average, it should take half that. (Article is from 2004.)
http://everything2.com/index.pl?node_id=1520430

Torpark is a free anonymous web browser. It's based on a portable version of Firefox, runs on a USB drive so it leaves no traces on the PC, and uses the TOR network for anonymous web browsing.
http://www.darkreading.com/document.asp?doc_id=104381
http://www.torrify.com/
http://www.boingboing.net/2006/09/19/...

Funny future history: "19 Year Old Diebold Technician Wins U.S. Presidency."
http://www.avantnews.com/modules/news/article.php?...

Steganographic squid can hide messages in their skin:
http://www.sciencedaily.com/releases/2006/09/...

The Onion on TSA's liquid ban:
http://www.theonion.com/content/node/53536?...

Clever new voting protocol from Ron Rivest:
http://theory.csail.mit.edu/~rivest/...
Interesting story on the risks of dying without telling anyone your computer passwords.
http://news.com.com/Taking+passwords+to+the+grave/...
Scary airplane security false alarm. This is what vigilantism looks like:
http://www.schneier.com/blog/archives/2006/10/...

Hoax flaw in Firefox JavaScript:
http://www.schneier.com/blog/archives/2006/10/...

This is a really interesting post about someone finding SQL injection vulnerabilities with Google. His result is that 11.3% of websites are vulnerable to this attack.
http://portal.spidynamics.com/blogs/msutton/archive/...
"PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge."
http://www.phishtank.com

60 Minutes got a copy of the TSA no-fly list. The errors and problems are enormous.
http://rawstory.com/showoutarticle.php?...
The DHS is funding the development of software that monitors opinions in newspapers world-wide. One can easily imagine the chilling effect this would have on worldwide freedom of the press.
http://www.schneier.com/blog/archives/2006/10/...

You can use Google's new code search feature to find usernames and passwords, confidential code, buffer overflows, and all sorts of other things.
http://www.kottke.org/06/10/google-code-search
http://www.computerworld.com/action/article.do?...
http://monkey.org/~jose/blog/viewpage.php?...

Airport security confiscated a rock.
http://www.courant.com/news/opinion/op_ed/...
They already take away scissors. Can paper be far behind?

Continued terrorist paranoia causes yet another ridiculous story, as a HAZMAT team is called in to deal with Jell-O by the side of the road.
http://news.bbc.co.uk/1/hi/world/europe/6035821.stm

In an effort to deal with the problem of imposters in fake uniforms, Iraqi policemen now have a new, harder-to-counterfeit uniform. I'm sure it will help, but I don't see what kind of difference it will make to a normal citizen faced with someone in a police uniform breaking down his door at night. Or when gunmen dressed in police uniforms execute the brother of Iraqi Vice President Tariq al-Hashimi.
http://english.aljazeera.net/NR/exeres/...
http://www.swissinfo.org/eng/international/ticker/...
Fukuyama on secrecy:
http://www.nytimes.com/2006/10/08/books/review/...
Nice essay on the idiocy of the "ticking time bomb" theory of torture:
http://balkin.blogspot.com/2006/10/...
See also:
http://fafblog.blogspot.com/2005/03/...
How's this for a dumb idea? Tagging all passengers at airports.
http://news.bbc.co.uk/1/hi/technology/6044310.stm
http://www.theregister.co.uk/2006/10/12/airport_rfid/

The Rand Corporation published A Million Random Digits with 100,000 Normal Deviates back in 1955, when generating random numbers was hard. I have a copy of the original book; it's one of my library's prize possessions. I had no idea that the book was reprinted in 2002; it's available on Amazon. But even if you don't buy it, go to the Amazon page and read the user reviews. They're hysterical.
http://www.amazon.com/...
http://www.schneier.com/blog/archives/2006/10/...


Pupillometer

Does this EyeCheck device sound like anything other than snake oil: "The device looks like binoculars, and in seconds it scans an individuals pupils to detect a problem.

"'They'll be able to tell if they're on drugs, and what kind, whether marijuana, cocaine, or alcohol. Or even in the case of a tractor trailer driver, is he too tired to drive his rig?' said Ohio County Sheriff Tom Burgoyne.

"The device can also detect abnormalities from chemical and biological effects, as well as natural disasters."

The device is called a pupillometer, and -- according to the company website -- "uses patented technologies to deliver reliable pupil measurements in less than five minutes for the detection of drugs and fatigue." And despite what the article implied, the device doesn't do this at a distance.

I'm not impressed with the research, but this is not my area of expertise.

http://www.officer.com/article/article.jsp?...
http://www.mcjeyecheck.com/index.htm
http://www.mcjeyecheck.com/research.htm


On-Card Displays

This is impressive: a display that works on a flexible credit card.

One of the major security problems with smart cards is that they don't have their own I/O. That is, you have to trust whatever card reader/writer you stick the card in to faithfully send what you type into the card, and display whatever the card spits back out. Way back in 1999, Adam Shostack and I wrote a paper about this general class of security problem.

Think WYSIWTCS: What You See Is What The Card Says. That's what an on-card display does.

No, it doesn't protect against tampering with the card. That's part of a completely different set of threats.

http://www.cr80news.com/library/2006/09/16/...
http://www.schneier.com/paper-smart-card-threats.html


Screaming Cell Phones

Wired has the story:

"Does it pay to scream if your cell phone is stolen? Synchronica, a mobile device management company, thinks so. If you use the company's Mobile Manager service and your handset is stolen, the company, once contacted, will remotely lockdown your phone, erase all its data and trigger it to emit a blood-curdling scream to scare the bejesus out of the thief."

The general category of this sort of security countermeasure is "benefit denial." It's like those dye tags on expensive clothing; if you shoplift the clothing and try to remove the tag, dye spills all over the clothes and makes them unwearable. The effectiveness of this kind of thing relies on the thief knowing that the security measure is there, or is reasonably likely to be there. It's an effective shoplifting deterrent; my guess is that it will be less effective against cell phone thieves.

Remotely erasing data on stolen cell phones is a good idea regardless, though. And since cell phones are far more often lost than stolen, how about the phone calmly announcing that it is lost and it would like to be returned to its owner?

http://blog.wired.com/gadgets/index.blog?...


Counterpane News

The Associated Press ran a profile about me.
http://apnews.excite.com/article/20060925/...

Last month I gave a lecture on "The Future of Privacy" at the University of Southern California. The audio is online.
http://uscpublicdiplomacy.org/index.php/events/...

Schneier is speaking at the InfoSecurity Conference in Chicago on October 20:
http://infosecurityconference.techtarget.com/

Schneier is speaking at RSA Europe in Nice, France on October 24:
http://2006.rsaconference.com/europe/

Schneier is speaking at Rendez-vous de la Securite de l'Information in Montreal on October 30:
http://rsec-info.com/

Schneier is speaking at the ACLU Delaware Membership Conference in Wilmington on November 10:
http://www.aclu-de.org/...

Schneier is speaking at the ACLU Rhode Island in Providence on November 16:
http://www.riaclu.org/events.html

Counterpane announced new data security solutions supporting IBM, SAP, Oracle and MSSQL platforms to help customers defend against unauthorized activity and improve compliance:
http://www.counterpane.com/pr-20061009.html
http://www.counterpane.com/pr-20061002.html
http://www.counterpane.com/pr-20060918.html

Current Counterpane job openings:
http://www.counterpane.com/jobs.html


FairUse4WM News

A couple of weeks I ago I wrote about the battle between Microsoft's DRM system and FairUse4WM, which breaks it. The new news is that Microsoft has patched its security against FairUseWM 1.2 and filed a lawsuit against the program's anonymous authors, and those same anonymous authors have released FairUse4WM 1.3, which breaks the latest Microsoft patch.

From Engaget: "We asked Viodentia about Redmond's accusation that he and/or his associates broke into its systems in order to obtain the IP necessary to crack PlaysForSure; Vio replied that he's 'utterly shocked' by the charge. 'I didn't use any Microsoft source code. However, I believe that this lawsuit is a fishing expedition to get identity information, which can then be used to either bring more targeted lawsuits, or to cause other trouble.' We're sure Microsoft would like its partners and the public to think that its DRM is generally infallible and could only be cracked by stealing its IP, so Viodentia's conclusion about its legal tactics seems pretty fair, obvious, and logical to us."

What's interesting about this continuing saga is how different it is from the normal find-vulnerability-then-patch sequence. The authors of FairUse4WM aren't finding bugs and figuring out how to exploit them, forcing Microsoft to patch them. This is a sequence of crack, fix, re-crack, re-fix, etc.

The reason we're seeing this -- and this is going to be the norm for DRM systems -- is that DRM is fundamentally an impossible problem. Making it work at all involves tricks, and breaking DRM is akin to "fixing" the software so the tricks don't work. Anyone looking for a demonstration that technical DRM is doomed should watch this story unfold. (If Microsoft has any chance of winning at all, it's via the legal route.)

http://www.schneier.com/blog/archives/2006/09/...
http://www.engadget.com/2006/09/25/...
http://arstechnica.com/news.ars/post/20060927-7849.html
http://www.engadget.com/2006/09/27/...


Voting Software and Secrecy

Here's a quote from an elections official in Los Angeles: "The software developed for InkaVote is proprietary software. All the software developed by vendors is proprietary. I think it's odd that some people don't want it to be proprietary. If you give people the open source code, they would have the directions on how to hack into it. We think the proprietary nature of the software is good for security."

It's funny, really. What she meant, and should be saying, is something like: "I think it's odd that everyone who has any expertise in computer security doesn't want the software to be proprietary. Speaking as someone who knows nothing about computer security, I think that secrecy is an asset." That's a more realistic quote.

As I've said many times, secrecy is not the same as security. And in many cases, secrecy hurts security.

http://www.dailynews.com/news/ci_4407865?source=email

Secrecy and security:
http://www.schneier.com/crypto-gram-0205.html#1


Torture Bill as C Code

Kevin Poulsen boils down the new terrorist (and others) arrest/detainment/torture bill into a small piece of C code:

if (person = terrorist) {
punish_severely();
} else {
exit(-1);
}

There's one obvious error, but there are other problems with the code. Anyone care to comment?

http://blog.wired.com/27bstroke6/2006/09/bad_code.html
http://www.boingboing.net/2006/10/02/...
http://www.schneier.com/blog/archives/2006/10/...

U.S. bill:
http://thomas.loc.gov/cgi-bin/query/z?c109:S.3930.ES:


The Doghouse: SecureRF

SecureRF: "Claims to offer the first feasible security for RFIDs. Conventional public key cryptography (such as RSA) is far too computationally intensive for an RFID. SecureRF provides a similar technology at far lower footprint by harnessing a relatively obscure area of mathematics: infinite group theory, which comes (of all places) from knot theory, a branch of topology."

Their website claims to have "white papers" on the theory, but you have to give them your personal information to get it. Of course, they reference no actual published cryptography papers. "New mathematics" is my Snake-Oil Warning Sign #2 -- and I strongly suspect their documentation displays several other of the warning signs, too. I'd stay away from this one.

http://www.oreillynet.com/etel/blog/2006/09/...
http://www.securerf.com/

Snake-oil warning signs:
http://www.schneier.com/crypto-gram-9902.html#snakeoil


Bureau of Industry and Security Hacked

The BIS is the part of the U.S. Department of Commerce responsible for export control. If you have a dual-use technology that you need special approval in order to export outside the U.S., or to export it to specific countries, BIS is what you submit the paperwork to.

It's been hacked by "hackers working through Chinese servers," and has been shut down. This may very well have been a targeted attack.

Manufacturers of hardware crypto devices -- mass-market software is exempted -- must submit detailed design information to BIS in order to get an export license. There's a lot of detailed information on crypto products in the BIS computers.

Of course, I have no way of knowing if this information was breached or if that's what the hackers were after, but it is interesting. On the other hand, any crypto product that relied on this information being secret doesn't deserve to be on the market anyway.

http://www.techweb.com/...


University Networks and Data Security

In general, the problems of securing a university network are no different than those of securing any other large corporate network. But when it comes to data security, universities have their own unique problems. It's easy to point fingers at students -- a large number of potentially adversarial transient insiders. Yet that's really no different from a corporation dealing with an assortment of employees and contractors -- the difference is the culture.

Universities are edge-focused; central policies tend to be weak, by design, with maximum autonomy for the edges. This means they have natural tendencies against centralization of services. Departments and individual professors are used to being semiautonomous. Because these institutions were established long before the advent of computers, when networking did begin to infuse universities, it developed within existing administrative divisions. Some universities have academic departments with separate IT departments, budgets, and staff, with a central IT group providing bandwidth but little or no oversight. Unfortunately, these smaller IT groups don't generally count policy development and enforcement as part of their core competencies.

The lack of central authority makes enforcing uniform standards challenging, to say the least. Most university CIOs have much less power than their corporate counterparts; university mandates can be a major obstacle in enforcing any security policy. This leads to an uneven security landscape.

There's also a cultural tendency for faculty and staff to resist restrictions, especially in the area of research. Because most research is now done online -- or, at least, involves online access -- restricting the use of or deciding on appropriate uses for information technologies can be difficult. This resistance also leads to a lack of centralization and an absence of IT operational procedures such as change control, change management, patch management, and configuration control.

The result is that there's rarely a uniform security policy. The centralized servers -- the core where the database servers live -- are generally more secure, whereas the periphery is a hodgepodge of security levels.

So, what to do? Unfortunately, solutions are easier to describe than implement. First, universities should take a top-down approach to securing their infrastructure. Rather than fighting an established culture, they should concentrate on the core infrastructure.

Then they should move personal, financial, and other comparable data into that core. Leave information important to departments and research groups to them, and centrally store information that's important to the university as a whole. This can be done under the auspices of the CIO. Laws and regulations can help drive consolidation and standardization.

Next, enforce policies for departments that need to connect to the sensitive data in the core. This can be difficult with older legacy systems, but establishing a standard for best practices is better than giving up. All legacy technology is upgraded eventually.

Finally, create distinct segregated networks within the campus. Treat networks that aren't under the IT department's direct control as untrusted. Student networks, for example, should be firewalled to protect the internal core from them. The university can then establish levels of trust commensurate with the segregated networks' adherence to policies. If a research network claims it can't have any controls, then let the university create a separate virtual network for it, outside the university's firewalls, and let it live there. Note, though, that if something or someone on that network wants to connect to sensitive data within the core, it's going to have to agree to whatever security policies that level of data access requires.

Securing university networks is an excellent example of the social problems surrounding network security being harder than the technical ones. But harder doesn't mean impossible, and there is a lot that can be done to improve security.

This essay originally appeared in the September/October issue of IEEE Security & Privacy.


Comments from Readers

There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.

http://www.schneier.com/blog


CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Comments on CRYPTO-GRAM should be sent to schneier@schneier.com. Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.

Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.

later issue
earlier issue
back to Crypto-Gram index

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..