Crypto-Gram Newsletter

June 15, 2007

by Bruce Schneier
Founder and CTO
BT Counterpane
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0706.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.


In this issue:


Rare Risk and Overreactions

Everyone had a reaction to the horrific events of the Virginia Tech shootings. Some of those reactions were rational. Others were not.

A high school student was suspended for customizing a first-person shooter game with a map of his school. A contractor was fired from his government job for talking about a gun, and then visited by the police when he created a comic about the incident. A dean at Yale banned realistic stage weapons from the university theaters -- a policy that was reversed within a day. And some teachers terrorized a sixth-grade class by staging a fake gunman attack, without telling them that it was a drill.

These things all happened, even though shootings like this are incredibly rare; even though -- for all the press -- less than one percent of homicides and suicides of children ages 5 to 19 occur in schools. In fact, these overreactions occurred, not despite these facts, but *because* of them.

The Virginia Tech massacre is precisely the sort of event we humans tend to overreact to. Our brains aren't very good at probability and risk analysis, especially when it comes to rare occurrences. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. There's a lot of research in the psychological community about how the brain responds to risk -- some of it I have already written about -- but the gist is this: Our brains are much better at processing the simple risks we've had to deal with throughout most of our species' existence, and much poorer at evaluating the complex risks society forces us to face today.

Novelty plus dread equals overreaction.

We can see the effects of this all the time. We fear being murdered, kidnapped, raped and assaulted by strangers, when it's far more likely that the perpetrator of such offenses is a relative or a friend. We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic violence -- both far more common.

In the United States, dogs, snakes, bees and pigs each kill more people per year than sharks. In fact, dogs kill more humans than any animal except for other humans. Sharks are more dangerous than dogs, yes, but we're far more likely to encounter dogs than sharks.

Our greatest recent overreaction to a rare event was our response to the terrorist attacks of 9/11. I remember then-Attorney General John Ashcroft giving a speech in Minnesota -- where I live -- in 2003, and claiming that the fact there were no new terrorist attacks since 9/11 was proof that his policies were working. I thought: "There were no terrorist attacks in the two years preceding 9/11, and you didn't have any policies. What does that prove?"

What it proves is that terrorist attacks are very rare, and maybe our reaction wasn't worth the enormous expense, loss of liberty, attacks on our Constitution and damage to our credibility on the world stage. Still, overreacting was the natural thing for us to do. Yes, it's security theater, but it makes us feel safer.

People tend to base risk analysis more on personal story than on data, despite the old joke that "the plural of anecdote is not data." If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.

We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone's major storyteller these days? Television. (Nassim Nicholas Taleb's great book, "The Black Swan: The Impact of the Highly Improbable," discusses this.)

Consider the reaction to another event from last month: professional baseball player Josh Hancock got drunk and died in a car crash. As a result, several baseball teams are banning alcohol in their clubhouses after games. Aside from this being a ridiculous reaction to an incredibly rare event (2,430 baseball games per season, 35 people per clubhouse, two clubhouses per game. And how often has this happened?), it makes no sense as a solution. Hancock didn't get drunk in the clubhouse; he got drunk at a bar. But Major League Baseball needs to be seen as doing *something*, even if that something doesn't make sense -- even if that something actually increases risk by forcing players to drink at bars instead of at the clubhouse, where there's more control over the practice.

I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying.

But that's not the way we think. Psychologist Scott Plous said it well in "The Psychology of Judgment and Decision Making": "In very general terms: (1) The more *available* an event is, the more frequent or probable it will seem; (2) the more *vivid* a piece of information is, the more easily recalled and convincing it will be; and (3) the more *salient* something is, the more likely it will be to appear causal."

So, when faced with a very available and highly vivid event like 9/11 or the Virginia Tech shootings, we overreact. And when faced with all the salient related events, we assume causality. We pass the Patriot Act. We think if we give guns out to students, or maybe make it harder for students to get guns, we'll have solved the problem. We don't let our children go to playgrounds unsupervised. We stay out of the ocean because we read about a shark attack somewhere.

It's our brains again. We need to "do something," even if that something doesn't make sense; even if it is ineffective. And we need to do something directly related to the details of the actual event. So instead of implementing effective, but more general, security measures to reduce the risk of terrorism, we ban box cutters on airplanes. And we look back on the Virginia Tech massacre with 20-20 hindsight and recriminate ourselves about the things we *should have done.

Lastly, our brains need to find someone or something to blame. (Jon Stewart has an excellent bit on the Virginia Tech scapegoat search, and media coverage in general.) But sometimes there is no scapegoat to be found; sometimes we did everything right, but just got unlucky. We simply can't prevent a lone nutcase from shooting people at random; there's no security measure that would work.

As circular as it sounds, rare events are rare primarily because they don't occur very often, and not because of any preventive security measures. And implementing security measures to make these rare events even rarer is like the joke about the guy who stomps around his house to keep the elephants away.

"Elephants? There are no elephants in this neighborhood," says a neighbor.

"See how well it works!"

If you want to do something that makes security sense, figure out what's common among a bunch of rare events, and concentrate your countermeasures there. Focus on the general risk of terrorism, and not the specific threat of airplane bombings using liquid explosives. Focus on the general risk of troubled young adults, and not the specific threat of a lone gunman wandering around a college campus. Ignore the movie-plot threats, and concentrate on the real risks.

Irrational reactions:
http://arstechnica.com/news.ars/post/...
http://www.boingboing.net/2007/05/03/...
http://www.yaledailynews.com/articles/view/20843
http://yaledailynews.com/articles/view/20913
http://www.msnbc.msn.com/id/18645623/

Risks of school shootings (from 2000):
http://www.cdc.gov/HealthyYouth/injury/pdf/...

Crime statistics -- strangers vs. acquaintances:
http://www.fbi.gov/ucr/05cius/offenses/...
Me on the psychology of risk and security:
http://www.schneier.com/essay-155.html

Risk of shark attacks:
http://www.oceanconservancy.org/site/DocServer/...

Ashcroft speech:
http://www.highbeam.com/doc/1G1-107985887.html

Me on security theater:
http://www.schneier.com/essay-154.html

Baseball beer ban:
http://blogs.csoonline.com/baseballs_big_beer_ban

Nicholas Taub essay:
http://www.fooledbyrandomness.com/nyt2.htm
http://www.telegraph.co.uk/opinion/main.jhtml?xml=/...
VA Tech and gun control:
http://abcnews.go.com/International/wireStory?...
http://www.cnn.com/2007/US/04/19/commentary.nugent/...

VA Tech hindsight:
http://news.independent.co.uk/world/americas/...
http://www.mercurynews.com/charliemccollum/ci_5701552

Jon Stewart video:
http://www.comedycentral.com/motherload/...

Me on movie-plot threats:
http://www.schneier.com/essay-087.html

Another opinion:
http://www.socialaffairsunit.org.uk/blog/archives/...

This essay originally appeared on Wired.com, my 42nd essay on that site.
http://www.wired.com/politics/security/commentary/...
French translation:
http://archiloque.net/spip.php?...


Tactics, Targets, and Objectives

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don't run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can't climb trees. But don't do that if you're being chased by an elephant; he'll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What's interesting about this advice is how well-defined it is. The defenses might not be terribly effective -- you still might get eaten, gored or trampled -- but they're your best hope. Doing something else isn't advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.

Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we're also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters. If improvised explosive devices didn't work often enough, Iraqi insurgents would do something else.

So security against people generally focuses on tactics as well.

A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn't find it. Burglars tend to look in the same places all the time -- dresser tops, night tables, dresser drawers, bathroom counters -- so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he's found your stash and then leave. Again, there's no guarantee of success, but it's your best hope.

The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data. A single instance of an attack that didn't work -- liquid bombs, shoe bombs -- or one instance that did -- 9/11 -- is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: "We've only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion...." The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.

Compare this with the Transportation Security Administration's approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion won't learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common "secret" places people hide their valuables -- the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed -- and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place.

This is the arms race of security. Common attack tactics result in common countermeasures. Eventually, those countermeasures will be evaded and new attack tactics developed. These, in turn, require new countermeasures. You can easily see this in the constant arms race that is credit card fraud, ATM fraud or automobile theft.

The result of these tactic-specific security countermeasures is to make the attacker go elsewhere. For the most part, the attacker doesn't particularly care about the target. Lions don't care who or what they eat; to a lion, you're just a conveniently packaged bag of protein. Burglars don't care which house they rob, and terrorists don't care who they kill. If your countermeasure makes the lion attack an impala instead of you, or if your burglar alarm makes the burglar rob the house next door instead of yours, that's a win for you.

Tactics matter less if the attacker is after you personally. If, for example, you have a priceless painting hanging in your living room and the burglar knows it, he's not going to rob the house next door instead -- even if you have a burglar alarm. He's going to figure out how to defeat your system. Or he'll stop you at gunpoint and force you to open the door. Or he'll pose as an air-conditioner repairman. What matters is the target, and a good attacker will consider a variety of tactics to reach his target.

This approach requires a different kind of countermeasure, but it's still well-understood in the security world. For people, it's what alarm companies, insurance companies and bodyguards specialize in. President Bush needs a different level of protection against targeted attacks than Bill Gates does, and I need a different level of protection than either of them. It would be foolish of me to hire bodyguards in case someone was targeting me for robbery or kidnapping. Yes, I would be more secure, but it's not a good security trade-off.

Al-Qaeda terrorism is different yet again. The goal is to terrorize. It doesn't care about the target, but it doesn't have any pattern of tactic, either. Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response. And to refuse to be terrorized.

These measures are effective because they don't assume any particular tactic, and they don't assume any particular target. We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don't stare them down). Otherwise, general countermeasures are far more effective a defense.

Safari security advice:
http://www.cybertracker.co.za/DangerousAnimals.html

School shooter security advice:
http://www.ucpd.ucla.edu/ucpd/zippdf/2007/...
Burglar security advice:
http://www.pfadvice.com/2007/02/05/...
http://www.pfadvice.com/2007/03/06/...
Me on terrorism:
http://www.schneier.com/essay-096.html
http://www.schneier.com/blog/archives/2006/08/...
http://www.schneier.com/blog/archives/2005/09/...
http://www.schneier.com/blog/archives/2006/08/...

Learning behavior in tigers:
http://www.cptigers.org/animals/species.asp?speciesID=9

This essay originally appeared on Wired.com.
http://www.wired.com/print/politics/security/...


News

In an effort to prevent terrorism, parts of the mobile phone network will be disabled when President Bush visits Australia. I've written about this kind of thing before; it's a perfect example of security theater: a countermeasure that works if you happen to guess the specific details of the plot correctly, and completely useless otherwise. On the plus side, it's only a small area that's blocked.
http://www.smh.com.au/news/NATIONAL/...
http://www.schneier.com/blog/archives/2007/04/...
http://it.slashdot.org/it/07/05/17/1221255.shtml
http://www.theregister.co.uk/2007/05/18/...
Dan Geer writes about security trade-offs, monoculture, and genetic diversity in honeybees:
http://geer.tinho.net/acm.geer.0704.pdf

The e-mail EPIC Alert comes out twice a week from the Electronic Privacy Information Center. It's a great resource for information on privacy and policy, both in the U.S. and abroad.
http://www.epic.org/alert/

WEP attack researchers explain how their attack on the 802.11 wireless security protocol works.
http://www.theregister.co.uk/2007/05/15/...
http://www.schneier.com/blog/archives/2007/05/...

Airline security cartoon -- literal CYA security:
http://www.clarionledger.com/misc/blogs/mramsey/...
Funny "Saturday Night Live" TSA skit:
http://www.youtube.com/watch?v=ykzqFz_nHZE

Here's a joke that'll get you arrested:
http://www.schneier.com/blog/archives/2007/05/...

London is running a dirty-bomb drill. Mostly a movie-plot threat, but these sorts of drills are useful, regardless of the scenario. Honestly, though, plain old explosives are much more of a risk than these exotic bombs. Although with a dirty bomb, the media-inspired panic would certainly be a huge factor.
http://www.theregister.co.uk/2007/05/18/...

We have a new factoring record: 307 digits (1023 bits). It's a special number -- 2^1039 - 1 -- but the techniques can be generalized. Expect regular 1024-bit numbers to be factored soon. I hope RSA application users would have moved away from 1024-bit security years ago, but for those who haven't yet: wake up.
http://www.physorg.com/news98962171.html

On the futility of fighting online pirates:
http://www.forbes.com/2007/05/04/...
Good article on image spam:
http://csoonline.com/read/040107/fea_spam.html
Definitely look at the interactive graphics page.
http://csoonline.com/read/040107/...

>From the U.S. GAO: "Aviation Security: Efforts to Strengthen International Prescreening are Under Way, but Planning and Implementations Remain," May 2007. Worth reading the summary, at least.
http://www.gao.gov/new.items/d07346.pdf

The TSA airport security screeners caught a guy in a fake uniform. It reads like a joke. We spend billions on airport security, and we have so little to show for it that the TSA has to make a big deal about the crime of impersonating a member of the military?
http://www.tsa.gov/press/happenings/...

UK police using military drones: yet another step in the militarization of the police.
http://news.bbc.co.uk/1/hi/england/merseyside/...

Criminals hijack large web hosting firm. "The company claims to have more than 700,000 customers. If we assume for the moment the small segment of IPOWER servers Security Fix analyzed is fairly representative of a larger trend, IPOWER may well be home to nearly a quarter-million malicious Web sites."
http://blog.washingtonpost.com/securityfix/2007/05/...
The FBI has lousy security against insider attacks, according to a GAO report.
http://www.pcworld.com/article/...
Interesting spoofing attack:
http://www.theregister.co.uk/2007/05/25/...

I thought terrorism is why we have a DHS, but they've been preoccupied with other things: "Of the 814,073 people charged by DHS in immigration courts during the past three years, 12 faced charges of terrorism, TRAC said." TRAC is a great group, and I recommend wandering around their site if you're interested in what the U.S. government is actually doing.
http://www.cnn.com/2007/POLITICS/05/27/...
http://trac.syr.edu/

Last November, the Data Privacy and Integrity Advisory Committee of the Department of Homeland Security recommended against putting RFID chips in identity cards. DHS ignored them, and went ahead with the project anyway. Now, the Smart Card Alliance is criticizing the DHS's RFID program for cross-border identification -- the People Access Security Services (PASS) cards -- basically saying that it is making the very mistakes the Data Privacy and Integrity Advisory Committee warned about.
http://www.gcn.com/online/vol1_no1/44338-1.html
http://www.schneier.com/blog/archives/2006/11/...
http://www.schneier.com/blog/archives/2007/05/...

This is a surreal story from 2005 of someone who was chained up for hours for trying to spend $2 bills. Clerks at Best Buy thought the bills were counterfeit, and had him arrested. The most surreal quote of the article is the last sentence: "Commenting on the incident, Baltimore County police spokesman Bill Toohey told the Sun: 'It's a sign that we're all a little nervous in the post-9/11 world.'" What in the world do the terrorist attacks of 9/11 have to do with counterfeiting? How does being "a little nervous in the post-9/11 world" have anything to do with this incident? Counterfeiting is not terrorism; it isn't even a little bit like terrorism.
http://www.worldnetdaily.com/news/article.asp?...

Port defense against swimming terrorists: cool science and engineering, but definitely a movie-plot threat.
http://blog.wired.com/defense/2007/05/...

DHS uses actual science-fiction writers to help develop movie-plot threats. At least they're honest about it this time.
http://www.usatoday.com/tech/science/...
Head-mounted police cameras in the UK:
http://www.manchestereveningnews.co.uk/news/s/1007/...
I haven't written anything about the cyberwar between Russia and Estonia because, well, because I didn't think there was anything new to say. We know that this kind of thing is possible. We don't have any definitive proof that Russia was behind it. But it would be foolish to think that the various world's militaries don't have capabilities like this. And anyway, I wrote about cyberwar back in January 2005.
http://www.schneier.com/crypto-gram-0501.html#10

Information leakage in the Slingbox:
http://www.freedom-to-tinker.com/?p=1163
http://www.cs.washington.edu/research/security/...

Outfitting moths with sensors:
http://government.zdnet.com/?p=3189

Teaching computers how to forget: an article on the huge amount of data that now follows us through life, and whether we'd be better off it computers "forgot" things after a set amount of time:
http://arstechnica.com/news.ars/post/...
http://ksgnotes1.harvard.edu/Research/wpaper.nsf/...
More about this issue:
http://www.concurringopinions.com/archives/2007/05/...
http://www.harvardlawreview.org/forum/issues/119/...
http://www.lcs.gov.bc.ca/privacyaccess/Conferences/...
http://www.washingtonpost.com/wp-dyn/content/...
I've written about this, too:
http://www.schneier.com/essay-109.html
http://www.schneier.com/essay-129.html

There have been some interesting court cases in the U.S. about computer searches and third-party consent:
http://www.law.com/jsp/article.jsp?id=1179092588804
http://www.wired.com/politics/law/commentary/...
Interesting terrorism statistics: "The majority of terrorist attacks result in no fatalities, with just 1 percent of such attacks causing the deaths of 25 or more people.... The database identifies more than 30,000 bombings, 13,400 assassinations and 3,200 kidnappings. Also, it details more than 1,200 terrorist attacks within the United States." A lot of this depends on your definition of "terrorism," but it's interesting stuff.
http://www.livescience.com/history/...
http://www.start.umd.edu/data/gtd/

The Department of Homeland Security is soliciting research proposals in computer and network security. There are nine research areas: Botnets and Other Malware: Detection and Mitigation, Composable and Scalable Secure Systems, Cyber Security Metrics, Network Data Visualization for Information Assurance, Internet Tomography/Topography, Routing Security Management Tool, Process Control System Security, Data Anonymization Tools and Techniques, and Insider Threat Detection and Mitigation.
http://www.hsarpabaa.com/Solicitations/...
Remote metal sensors used to detect poachers. I'm sure this technology has more value on the battlefield.
http://www.technologyreview.com/Biotech/18722/

The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has issued an excellent report on REAL ID:
http://www.dhs.gov/xlibrary/assets/privacy/...
Great article on perceived vs. actual risks to children, and how overly protecting them can actually cause harm.
http://news.bbc.co.uk/1/hi/education/6720661.stm
Commentary:
http://www.timesonline.co.uk/tol/comment/columnists/...
Two shielding stories:
Special underwear protects wearers from infrared photographers.
http://inventorspot.com/...
And a window film that blocks electromagnetic radiation but lets in light.
http://www.stltoday.com/stltoday/business/...
Somehow, I don't see either becoming a mass-market consumer item, although I can certainly imagine military facilities installing the latter.

The DHS wants universities to inventory a long list of chemicals. Interesting stuff about specific chemicals in the article.
http://www.theregister.co.uk/2007/06/02/...

DNA-based watermarks. It's not cryptography -- despite the name -- but it's interesting.
http://www.biomedcentral.com/1471-2105/8/176/abstract

New directions in malware: evasive malicious code. Just another step in the never-ending arms race of network security.
http://news.zdnet.co.uk/security/...

More on Kish's encryption scheme:
http://www.arxiv.org/abs/physics/0612153
And a paper claiming this is totally insecure:
http://www.lightbluetouchpaper.org/2006/10/08/...
Again, I don't have the EE background to know who's right. But this is exactly the sort of back-and-forth I want to see. My previous article on the topic:
http://www.schneier.com/essay-099.html

The growing problem of license plate cloning:
http://news.bbc.co.uk/1/hi/uk/6707367.stm

Interesting paper: "Data Mining and the Security-Liberty Debate," by Daniel J. Solove.
http://papers.ssrn.com/sol3/papers.cfm?...

Dorky real-life/Second-Life security awareness video:
http://www.youtube.com/watch?v=WMe3gbC-dXc

According to the Kennedy Space Center website, "stand alone GPS equipment is not permitted on property." It's okay if they're embedded in your phone or computer, though.
http://www.kennedyspacecenter.com/visitKSC/...


Portrait of the Modern Terrorist as an Idiot

The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press.

Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong.

The alleged plan, to blow up JFK's fuel tanks and a small segment of the 40-mile petroleum pipeline that supplies the airport, was ridiculous. The fuel tanks are thick-walled, making them hard to damage. The airport tanks are separated from the pipelines by cutoff valves, so even if a fire broke out at the tanks, it would not back up into the pipelines. And the pipeline couldn't blow up in any case, since there's no oxygen to aid combustion. Not that the terrorists ever got to the stage -- or demonstrated that they could get there -- where they actually obtained explosives. Or even a current map of the airport's infrastructure.

But read what Russell Defreitas, the lead terrorist, had to say: "Anytime you hit Kennedy, it is the most hurtful thing to the United States. To hit John F. Kennedy, wow.... They love JFK -- he's like the man. If you hit that, the whole country will be in mourning. It's like you can kill the man twice."

If these are the terrorists we're fighting, we've got a pretty incompetent enemy.

You couldn't tell that from the press reports, though. "The devastation that would be caused had this plot succeeded is just unthinkable," U.S. Attorney Roslynn R. Mauskopf said at a news conference, calling it "one of the most chilling plots imaginable." Sen. Arlen Specter (R-Pennsylvania) added, "It had the potential to be another 9/11."

These people are just as deluded as Defreitas.

The only voice of reason out there seemed to be New York's Mayor Michael Bloomberg, who said: "There are lots of threats to you in the world. There's the threat of a heart attack for genetic reasons. You can't sit there and worry about everything. Get a life.... You have a much greater danger of being hit by lightning than being struck by a terrorist."

And he was widely excoriated for it.

This isn't the first time a bunch of incompetent terrorists with an infeasible plot have been painted by the media as poised to do all sorts of damage to America. In May we learned about a six-man plan to stage an attack on Fort Dix by getting in disguised as pizza deliverymen and shooting as many soldiers and Humvees as they could, then retreating without losses to fight again another day. Their plan, such as it was, went awry when they took a videotape of themselves at weapons practice to a store for duplication and transfer to DVD. The store clerk contacted the police, who in turn contacted the FBI. (Thank you to the video store clerk for not overreacting, and to the FBI agent for infiltrating the group.)

The "Miami 7," caught last year for plotting -- among other things -- to blow up the Sears Tower, were another incompetent group: no weapons, no bombs, no expertise, no money and no operational skill. And don't forget Iyman Faris, the Ohio trucker who was convicted in 2003 for the laughable plot to take out the Brooklyn Bridge with a blowtorch. At least he eventually decided that the plan was unlikely to succeed.

I don't think these nut jobs, with their movie-plot threats, even deserve the moniker "terrorist." But in this country, while you have to be competent to pull off a terrorist attack, you don't have to be competent to cause terror. All you need to do is start plotting an attack and -- regardless of whether or not you have a viable plan, weapons or even the faintest clue -- the media will aid you in terrorizing the entire population.

The most ridiculous JFK Airport-related story goes to the New York Daily News, with its interview with a waitress who served Defreitas salmon; the front-page headline blared, "Evil Ate at Table Eight."

Following one of these abortive terror misadventures, the administration invariably jumps on the news to trumpet whatever ineffective "security" measure they're trying to push, whether it be national ID cards, wholesale National Security Agency eavesdropping or massive data mining. Never mind that in all these cases, what caught the bad guys was old-fashioned police work -- the kind of thing you'd see in decades-old spy movies.

The administration repeatedly credited the apprehension of Faris to the NSA's warrantless eavesdropping programs, even though it's just not true. The 9/11 terrorists were no different; they succeeded partly because the FBI and CIA didn't follow the leads before the attacks.

Even the London liquid bombers were caught through traditional investigation and intelligence, but this doesn't stop Secretary of Homeland Security Michael Chertoff from using them to justify access to airline passenger data.

Of course, even incompetent terrorists can cause damage. This has been repeatedly proven in Israel, and if shoe-bomber Richard Reid had been just a little less stupid and ignited his shoes in the lavatory, he might have taken out an airplane.

So these people should be locked up ... assuming they are actually guilty, that is. Despite the initial press frenzies, the actual details of the cases frequently turn out to be far less damning. Too often it's unclear whether the defendants are actually guilty, or if the police created a crime where none existed before.

The JFK Airport plotters seem to have been egged on by an informant, a twice-convicted drug dealer. An FBI informant almost certainly pushed the Fort Dix plotters to do things they wouldn't have ordinarily done. The Miami gang's Sears Tower plot was suggested by an FBI undercover agent who infiltrated the group. And in 2003, it took an elaborate sting operation involving three countries to arrest an arms dealer for selling a surface-to-air missile to an ostensible Muslim extremist. Entrapment is a very real possibility in all of these cases.

The rest of them stink of exaggeration. Jose Padilla was not actually prepared to detonate a dirty bomb in the United States, despite histrionic administration claims to the contrary. Now that the trial is proceeding, the best the government can charge him with is conspiracy to murder, kidnap and maim, and it seems unlikely that the charges will stick. An alleged ringleader of the U.K. liquid bombers, Rashid Rauf, had charges of terrorism dropped for lack of evidence (of the 25 arrested, only 16 were charged). And now it seems like the JFK mastermind was more talk than action, too.

Remember the "Lackawanna Six," those terrorists from upstate New York who pleaded guilty in 2003 to "providing support or resources to a foreign terrorist organization"? They entered their plea because they were threatened with being removed from the legal system altogether. We have no idea if they were actually guilty, or of what.

Even under the best of circumstances, these are difficult prosecutions. Arresting people before they've carried out their plans means trying to prove intent, which rapidly slips into the province of thought crime. Regularly the prosecution uses obtuse religious literature in the defendants' homes to prove what they believe, and this can result in courtroom debates on Islamic theology. And then there's the issue of demonstrating a connection between a book on a shelf and an idea in the defendant's head, as if your reading of this article -- or purchasing of my book -- proves that you agree with everything I say. (The Atlantic recently published a fascinating article on this.)

I'll be the first to admit that I don't have all the facts in any of these cases. None of us do. So let's have some healthy skepticism. Skepticism when we read about these terrorist masterminds who were poised to kill thousands of people and do incalculable damage. Skepticism when we're told that their arrest proves that we need to give away our own freedoms and liberties. And skepticism that those arrested are even guilty in the first place.

There is a real threat of terrorism. And while I'm all in favor of the terrorists' continuing incompetence, I know that some will prove more capable. We need real security that doesn't require us to guess the tactic or the target: intelligence and investigation -- the very things that caught all these terrorist wannabes -- and emergency response. But the "war on terror" rhetoric is more politics than rationality. We shouldn't let the politics of fear make us less safe.

There a zillion links associated with this essay. You can find them on the online version:
http://www.schneier.com/blog/archives/2007/06/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...


Teaching Viruses

Over two years ago, George Ledin wrote an essay in "Communications of the ACM," where he advocated teaching worms and viruses to computer science majors: "Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors."

This spring semester, he taught the course at Sonoma State University. It got a lot of press coverage. No one wrote a virus for a class project. No new malware got into the wild. No new breed of supervillain graduated.

Teaching this stuff is just plain smart.

Essay:
http://www.csl.sri.com/neumann/insiderisks05.html#175

http://www.sonoma.edu/pubs/newsrelease/archives/...
http://www1.pressdemocrat.com/apps/pbcs.dll/article?...
http://blogs.pcworld.com/staffblog/archives/004452.html
http://www1.pressdemocrat.com/apps/pbcs.dll/article?...
http://www.hardocp.com/news.html?...
http://technews.acm.org/archives.cfm?fo=2007-05-may/...
http://www.calstate.edu/pa/clips2007/may/22may/...


Bush's Watch Stolen?

Watch the video very carefully; it's President Bush working the crowds in Albania. 0.50 seconds into the clip, Bush has a watch. 1.04 seconds into the clip, he had a watch.

The U.S. is denying that his watch was stolen: "Photographs showed Bush, surrounded by five bodyguards, putting his hands behind his back so one of the bodyguards could remove his watch."

I simply don't see that in the video. Bush's arm is out in front of him during the entire nine seconds between those stills.

Another denial: "An Albanian bodyguard who accompanied Bush in the town told The Associated Press he had seen one of his U.S. colleagues close to Bush bend down and pick up the watch."

That's certainly possible; it may have fallen off.

But possibly the pickpocket of the century. (Although would anyone actually be stupid enough to try? There must be a zillion easier-to-steal watches in that crowd, many of them nicer than Bush's.)

Video clip:
http://www.youtube.com/watch?v=PKDdF6vfjoo

Denials:
http://uk.reuters.com/article/oddlyEnoughNews/...
http://www.guardian.co.uk/worldlatest/story/...

Update: a video in which it seems clear that Bush removes the watch himself:
http://www.poroj.com/index.php?...


Schneier/BT Counterpane News

Interview with me from "Infosecurity Magazine":
http://www.infosecurity-magazine.com/features/...
Interview with me from IT Security:
http://www.itsecurity.com/interviews/...

At the kickoff reception for the IT Security Summit in Johannesburg, there was a bit of industrial theater about identity theft. Someone tried to pretend he was me; it was pretty funny, really. Someone captured my discussion after on video.
http://blogs.zdnet.com/threatchaos/?p=458

Two interviews with me in Norwegian:
http://www.dagensit.no/bedrifts-it/article1104925.ece
http://www.digi.no/php/art.php?id=384118

Schneier is speaking at the I-4 Conference on June 25th in Milan.
https://i4online.com/

Schneier is speaking at Secure 2007 on June 26th in Bad Homburg, Germany.
http://www.secure2007.de/


Second Movie-Plot Threat Contest Winner

On April 1, I announced the Second Annual Movie-Plot Threat Contest:

"Your goal: invent a terrorist plot to hijack or blow up an airplane with a commonly carried item as a key component. The component should be so critical to the plot that the TSA will have no choice but to ban the item once the plot is uncovered. I want to see a plot horrific and ridiculous, but just plausible enough to take seriously.

"Make the TSA ban wristwatches. Or laptop computers. Or polyester. Or zippers over three inches long. You get the idea.

"Your entry will be judged on the common item that the TSA has no choice but to ban, as well as the cleverness of the plot. It has to be realistic; no science fiction, please. And the write-up is critical; last year the best entries were the most entertaining to read."

On June 5, I posted three semi-finalists out of the 334 comments:

* Butterflies and beverages; water must be banned.

* Dimethylmercury; security checkpoints must be banned, but of course they can't be. Oh, what to do!

* Oxy-hydrogen bomb; wires -- earphones, power cables, etc. -- must be banned.

Well, we have a winner. I can't divulge the exact formula -- because you'll all hack the system next year -- but it was a combination of my opinion, popular acclaim in blog comments, and the opinion of Tom Grant (the previous year's winner -- not his real name).

The winner is: "Butterflies and Beverages," posted by Ron. (Ron gets signed copies of my books, a $50 Amazon gift certificate contributed by a reader, and -- if I can find one -- an interview with a real-live movie director. (Does anyone know one?) We hope that one of his prizes isn't a visit by the FBI.)

Here is the winning entry:

It must have been a pretty meadow, Wilkes thought, just a day before. He tried to picture how it looked then: without the long, wide wound in the earth, without the charred and broken fuselage of the jet that gouged it out, before the rolling ground was strewn with papers and cushions and random bits of plastic and fabric and all the things inside the plane that lay like the confetti from a brief, fiery parade.

Yes, a nice little spot, just far enough from the airport's runways to be not too noisy, but close enough to watch the planes going in and out, fortunately just a bit too close to have been developed. When the plane rolled over and angled downward, not even a mile past the end of the runway, at least the only people at risk were the ones on the plane. For them, it was mercifully quick, the impact breaking their necks before the breaking wing tanks ignited in sheets of flame, the charred bodies still in their seats.

He spotted the NTSB guy, standing by the forward half of the fuselage, easy to spot among the FAA and local airport people -- they were always the only suits in the crowd. Heading over, Wilkes saw this one wasn't going to be too hard: when planes came down intact like this, breaking in to just a few pieces on impact, the cause was always easier to find. This one looked to be no exception.

He muttered to the suit, "Wilkes," gesturing at the badge clipped to his shirt. No need to get too friendly, they'd file separate reports anyway. As long as they were remotely on the same page, there wasn't much need to actually talk to the guy. "What's this little gem?" he wondered aloud, looking at the hole in the side of the downed jet.

"Explosion," drawled the NTSB guy; he had that Chuck Yeager slow-play sound, Wilkes thought, like someone who could sound calm describing Armageddon. "Looks like it was from the inside, something just big enough to rip a few square feet out of the side. Enough to throw it on its side"

"And if the plane is low enough, still taking off, with the engines near full thrust, it rolls over and down too fast…" he trailed off, picturing the result.

"Yep, all in a couple of seconds. Too quick for the flight crew to have time to get it back." The NTSB guy shook his head, the id clipped to his suit jacket swaying back and forth with the motion. "Always the best time if you're going to take a bird down: takeoff or landing, guess whoever did this one wanted to get it over with sooner rather than later." He snorted in derision, "Somebody snuck in an explosive, must have been a screener havin' an off day."

"Maybe," said Wilkes, not ready to write it off as just a screener's error. The NTSB guys were always quick to find a bad decision, one human error, and explain the whole thing away. But Wilkes' job was to find the flaws in the systems, the procedures, the way to come up with prophylactic precautions. Maybe there was nothing more than a screener who didn't spot a grenade or a stick of dynamite, something so obvious that there was nothing to do but chalk up a hundred and eighty three dead lives to one madman and one very bad TSA employee.

But maybe not. That's when Wilkes spotted the first two of the butterflies. Bright yellow against the charred black of the burned wreckage, they seemed like the most incongruous things -- and as he thought this, another appeared.

As they took photos and made measurements, more showed up -- by ones and twos, a few flying away, but gradually building up to dozens over the course of the morning. Odd, the NTSB rep agreed, but nothing that tells us anything about the terrorist who brought down that plane.

Wilkes wasn't so sure. Nature was handing out a big fat clue here, he was sure of that. What he wasn't sure of was what in the hell it could possibly mean.

He leaned in close with the camera on his phone, getting some good close images of the colorful insects, emailing back to the office with a request to reach out to an expert. He needed a phone consult, someone who knew the behavior of this particular butterfly, someone who could put him on the right track.

Within minutes, his phone was buzzing, with a conference call already set up with a professor of entomology, and even better one local to the area; a local might know this bug better than an academic from a more prestigious, but distant university.

He was half-listening during the introductions, Wilkes wasn't interested in this guy's particulars, the regional team would have that all available if he needed it later. He just wanted answers.

"Pieridae," the professor offered, "and all males, I'd bet."

"Okay," Wilkes answered, wondering if he this really would tell him anything. "Why are they all over my bomb hole?"

"I can't be sure, but it must be something attracting them. These are commonly called 'sulfur butterflies', could there be sulfur on your wreckage?"

Yeah, Wilkes thought, this is looking like a wild goose chase. "No sulfur, we already did a quick chem test for it. Anything else these little fellas like?"

"Sure, but not something you'd be likely to find in a bomb -- just sodium. They package it up with their sperm and deliver it to the female as an extra little bonus -- sort of the flowers and candy of the butterfly world."

"Okay, that's…wow, the things I learn in this job. Sorry to bother you, sir, I guess it's just…yeah, thanks."

Butterfly sperm -- now this might set a new record for useless trivia learned in a crash investigation. Unbelievable.

The NTSB guy wandered over, seeing Wilkes was off the phone. "Get anything from your expert?" he queried, trying and failing to suppress a grin. Wilkes suspected there would soon be a story going around the NTSB office about the FAA "butterfly guy"; ah well, better to be infamous than anonymous.

"Nah, not much. The little guys like sulfur," Wilkes offered, seeing his counterpart give a cynical chuckle at that, "and sodium. Unless there was a whole lot of salt packed around the perp's explosive, our little yellow friends are just a mystery."

The NTSB rep got a funny look on his face, a faraway look. "Sodium. An explosive that leaves behind sodium. Well, that could be…"

They looked at each other, both heading to the same conclusion, both reluctant to get there. Wilkes said it first: "Sodium metal. Cheap, easy to get, it would have to be: sodium metal."

"And easy," the NTSB rep drawled, "to sneak on the plane. The stuff is soft, but you could fashion it in to any simple things: eyeglass frames, belt buckles, buttons, simple things the screeners would never be lookin' at."

"Wouldn't take much," Wilkes offered, an old college chemistry-class prank coming to mind. "An couple of ounces, that would be enough to blow out the side of a plane, enough for what we're seeing here."

"With the easiest trigger in the world," the NTSB man added, putting words to the picture forming in Wilkes mind. A cup of water would be enough, just drop the sodium metal in to it and the chemical reaction would quickly release hydrogen gas, with enough heat generated as a byproduct of the reaction to ignite the gas. In just a second or two, you'd have an explosion strong enough to knock the side out of a plane.

"Sounds like a problem for you FAA boys," his counterpart teased. "What ya gonna do, ban passengers from carrying more than a few grams of anything made of metal? "

"No," Wilkes shot back, "we can't ban everything that could be made of sodium metal. Or all the other water-reactives," he mused aloud, thinking of all the carbides, anhydrides, and alkali metals that would cover. "Too many ways to hide them, too many types to test for them all. No, it isn't the metals we'll have to ban."

"Naw, you don't mean," the NTSB man stared in disbelief, his eyes growing wide. "You couldn't, I mean, it's the only other way but it's ridiculous."

"No, it's not so ridiculous, it's really the only way. We're going to have to ban water, and anything containing a significant amount of water, from all passenger flights. It's the only way, otherwise we could have planes dropping out of the sky every time someone is served a beverage."

Contest and entries:
http://www.schneier.com/blog/archives/2007/04/...

Winning entry:
http://www.schneier.com/blog/archives/2007/04/...
Other semi-finalists:
http://www.schneier.com/blog/archives/2007/04/...
http://www.schneier.com/blog/archives/2007/04/...
Ron's home page:
http://www.ronaldphillips.com/


Perpetual Doghouse: Meganet

I first wrote about Meganet in 1999, in a larger article on cryptographic snake-oil, and formally put them in the doghouse in 2003:

"They build an alternate reality where every cryptographic algorithm has been broken, and the only thing left is their own system. 'The weakening of public crypto systems commenced in 1997. First it was the 40-bit key, a few months later the 48-bit key, followed by the 56-bit key, and later the 512 bit has been broken...' What are they talking about? Would you trust a cryptographer who didn't know the difference between symmetric and public-key cryptography? 'Our technology... is the only unbreakable encryption commercially available.' The company's founder quoted in a news article: 'All other encryption methods have been compromised in the last five to six years.' Maybe in their alternate reality, but not in the one we live in.

"Their solution is to not encrypt data at all. 'We believe there is one very simple rule in encryption: if someone can encrypt data, someone else will be able to decrypt it. The idea behind VME is that the data is not being encrypted nor transferred. And if it's not encrypted and not transferred, there is nothing to break. And if there's nothing to break, it's unbreakable.' Ha ha; that's a joke. They really do encrypt data, but they call it something else."

Read the whole thing; it's pretty funny.

They're still around, and they're still touting their snake-oil "virtual matrix encryption." (The patent is finally public, and if someone can reverse-engineer the combination of patentese and gobbledygook into an algorithm, we can finally see how actually awful it really is.) The tech on their website is better than it was in 2003, but it's still pretty hokey.

Back in 2005, they got their product FIPS 140-1 certified. The certification was for their AES implementation, but they're sneakily implying that VME was certified. From their website: "The Strength of a Megabit Encryption (VME). The Assurance of a 256 Bit Standard (AES). Both Technologies Combined in One Certified Module! FIPS 140-2 CERTIFICATE # 505."

Just goes to show that with a bit of sleight-of-hand you can get anything FIPS 140 certified.

http://www.meganet.com/
http://www.meganet.com/Technology/intro.asp
http://www.meganet.com/Technology/explain.asp
http://www.meganet.com/challenges/default.asp

My doghouse article:
http://www.schneier.com/crypto-gram-0302.html#4

My snake oil article:
http://www.schneier.com/crypto-gram-9902.html#snakeoil

Patent:
http://patft.uspto.gov/netacgi/nph-Parser?...
FIPS certification (#505 on this page):
http://csrc.nist.gov/cryptval/140-1/1401val2005.htm


Non-Security Considerations in Security Decisions

(This essay has an accompanying diagram that's necessary to understand what I'm saying. You can find it here: http://www.schneier.com/blog/archives/2007/06/....)

Security decisions are generally made for nonsecurity reasons. For security professionals and technologists, this can be a hard lesson. We like to think that security is vitally important. But anyone who has tried to convince the sales VP to give up her department's Blackberries or the CFO to stop sharing his password with his secretary knows security is often viewed as a minor consideration in a larger decision. This issue's articles on managing organizational security make this point clear.

Below is a diagram of a security decision. At its core are assets, which a security system protects. Security can fail in two ways: either attackers can successfully bypass it, or it can mistakenly block legitimate users. There are, of course, more users than attackers, so the second kind of failure is often more important. There's also a feedback mechanism with respect to security countermeasures: both users and attackers learn about the security and its failings. Sometimes they learn how to bypass security, and sometimes they learn not to bother with the asset at all.

Threats are complicated: attackers have certain goals, and they implement specific attacks to achieve them. Attackers can be legitimate users of assets, as well (imagine a terrorist who needs to travel by air, but eventually wants to blow up a plane). And a perfectly reasonable outcome of defense is attack diversion: the attacker goes after someone else's asset instead.

Asset owners control the security system, but not directly. They implement security through some sort of policy -- either formal or informal -- that some combination of trusted people and trusted systems carries out. Owners make their judgments based on risks ... but really, only by perceived risks. They're also affected by a host of other considerations, including those legitimate users mentioned previously, and the trusted people needed to implement the security policy.

Looking over the diagram, it's obvious that the effectiveness of security is only a minor consideration in an asset owner's security decision. And that's how it should be.

This essay originally appeared in "IEEE Computers and Security."


Comments from Readers

There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.

http://www.schneier.com/blog


CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of BT Counterpane, and is a member of the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.

BT Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. BT Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT or BT Counterpane.

Copyright (c) 2007 by Bruce Schneier.

later issue
earlier issue
back to Crypto-Gram index

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..