October 15, 2003

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

Back issues are available at <>. To subscribe, visit <> or send a blank message to

In this issue:

The Future of Surveillance

At a gas station in Coquitlam, British Columbia, two employees installed a camera in the ceiling in front of an ATM. They recorded thousands of people as they typed in their PINs. Combined with a false front on the ATM that recorded account numbers from the cards, the pair was able to steal millions before they were caught.

In at least 14 Kinko’s copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords, and using them to access and open bank accounts online.

A lot has been written about the dangers of increased government surveillance, but we also need to be aware of the potential for more pedestrian forms of surveillance. A combination of forces—the miniaturization of surveillance technologies, the falling price of digital storage, the increased power of computer programs to sort through all of this data—means that surveillance abilities that used to be limited to governments are now, or soon will be, in the hands of everyone.

Some uses of surveillance are benign. Fine restaurants sometimes have cameras in their dining rooms so the chef can watch diners as they eat their creations. Telephone help desks sometimes record customer conversations in order to help train their employees.

Other uses are less benign. Some employers monitor the computer use of their employees, including use of company machines on personal time. A company is selling an e-mail greeting card that surreptitiously installs spyware on the recipient’s computer. Some libraries keep records of what books people check out, and Amazon keeps records of what books people browse on their website.

And, as we’ve seen, some uses are criminal.

This trend will continue in the years ahead, because technology will continue to improve. Cameras will become even smaller and more inconspicuous. Imaging technology will be able to pick up even smaller details, and will be increasingly able to “see” through walls and other barriers. And computers will be able to process this information better. Today, cameras are just mindlessly watching and recording, but eventually sensors will be able to identify people. Photo IDs are just temporary; eventually no one will have to ask you for an ID because they’ll already know who you are. Walk into a store, and you’ll be identified. Sit down at a computer, and you’ll be identified. I don’t know if the technology will be face recognition, DNA sniffing, or something else entirely. I don’t know if this future is ten or twenty years out—but eventually it will work often enough and be cheap enough for mass-market use. (Remember, in marketing, even a technology with a high error rate can be good enough.)

The upshot of this is that you should consider the possibility, albeit remote, that you are being observed whenever you’re out in public. Assume that all public Internet terminals are being eavesdropped on; either don’t use them or don’t care. Assume that cameras are watching and recording you as you walk down the street. (In some cities, they probably are.) Assume that surveillance technologies that were science fiction ten years ago are now mass-market.

This loss of privacy is an important change to society. It means that we will leave an even wider audit trail through our lives than we do now. And it’s not only a matter of making sure this audit trail is accessed only by “legitimate” parties: an employer, the government, etc. Once data is collected, it can be compiled, cross-indexed, and sold; it can be used for all sorts of purposes. (In the U.S., data about you is not owned by you. It is owned by the person or company that collected it.) It can be accessed both legitimately and illegitimately. And it can persist for your entire life. David Brin got a lot of things wrong in his book The Transparent Society. But this part he got right.

Kinko’s story:

ATM fraud story:

Net spying:

Crypto-Gram Reprints

Crypto-Gram is currently in its sixth year of publication. Back issues cover a variety of security-related topics, and can all be found on <>. These are a selection of articles that appeared in this calendar month in other years.

National Strategy to Secure Cyberspace:

Dangers of Port 80:

Semantic Attacks:

NSA on Security:

So, You Want to be a Cryptographer:

Key Length and Security:

Steganography: Truths and Fictions:

Memo to the Amateur Cipher Designer:


I’ve gone back and forth about whether to doghouse this. Although silly, it’s not as obviously nonsensical as my typical doghouse item.

It’s a shield designed to protect contactless smart cards from surreptitious access. A contactless smart card works in proximity to a reader. It looks like a regular smart card, but there is an inductor (i.e., a coil) running around the outer edge of the card. If you put the card in a strong, varying magnetic field, it powers itself by induction through the coil, and uses the same coupling to communicate wirelessly. Conventional contact smart cards are more common, but contactless cards are being used for applications where it’s awkward to have the customer remove the card from his wallet and insert it in a slot (e.g., transit applications).

Your typical contactless smart card has a range of about ten inches. Someone could, at least in theory, walk up behind someone carrying one of these cards and access a card in his wallet. With specialized equipment, like a directional antenna pumping out a lot more power, an attacker could probably get the range quite a bit higher. If the attacker knew the protocol, he might be able to steal money or, even easier, cause the card to fail. A metal shield around the card would prevent such attacks.

All security is a trade-off, and I don’t think it’s worth the additional security to carry the shield around. Also, having to take the card out of the shield every time you want to use it negates much of the convenience of a contactless card. Honestly, the risk that someone will steal the card, shield and all, is much greater.


The Patriot Act and Mission Creep

One of the problems with laws is that the crimes that justify their passage are not always the crimes they are used against. In the United States, the RICO (Racketeer Influenced and Corrupt Organizations) law was passed to help fight organized crime, but was used against anti-abortion protesters and relatively minor drug offenders. And the Patriot Act, passed to help fight terrorism, is being used against a variety of other crimes.

According to a TRAC report, definitions of “terrorism” have broadened considerably. The AP reports that the Justice Department admits that the Patriot Act has been used “to crack down on currency smugglers and seize money hidden overseas by alleged bookies, con artists, and drug dealers.” So someone with a pipe bomb in California is suddenly charged with “terrorism using a weapon of mass destruction,” and a North Carolina man who had a methamphetamine lab is suddenly charged with breaking a new state law barring the manufacture of chemical weapons. The Justice Department has even been conducting seminars on how to use the new wiretapping provisions in the Patriot Act in non-terrorism cases.

It’s a big deal. The guy with the meth lab could get 12 years to life in prison for a crime that, under the old laws, was only worth about six months. The Patriot Act was hurriedly passed less than two months after 9/11 with almost no debate. That was a mistake, but it echoed the national mood about terrorism. Having the law applied broadly against common criminals is something that we shouldn’t do lightly. Security is a trade-off, and the trade-offs in the Patriot Act were extreme. Maybe treating drug dealers like terrorists is something Americans want. But we should debate it in public, and not let the Justice Department sneak it by us.

Report: “Criminal Enforcement Against Terrorists and Spies in the Year After the 9/11 Attacks”:


Small events can have large consequences. To me, the moral of this very funny webpage is that you shouldn’t base public policy on what’s possible; you should base it on what’s likely. Many of the security changes post 9/11 indicate that few really understand this moral.

Canadian privacy commissioner rejects national ID cards:

Lawyers are starting to look at security and liability. This article is from a law journal: “Snake-Oil Security Claims: The Systematic Misrepresentation of Product Security in the E-Commerce Arena.”

CAPPS-II will color-code airline passengers. According to a Washington Post article: “Most people will be coded green and sail through. But up to 8% of passengers who board the nation’s 26,000 daily flights will be coded ‘yellow’ and will undergo additional screening at the checkpoint, according to people familiar with the program. An estimated 1% to 2% will be labeled ‘red’ and will be prohibited from boarding. These passengers also will face police questioning and may be arrested.” Searching 10% of airline passengers daily will be a logistical nightmare. The TSA doesn’t have the manpower.

The CEO of Symantec is advocating “legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers.” Doesn’t he realize that most of his company’s engineers would end up in jail?

U.S. State Department was disrupted by a virus:

“A 40-year-old man was arrested Wednesday and charged with stealing a computerized tracking device that uses a global positioning system to keep track of jail prisoners on home detention.” Police just turned the unit on to find him.

Someone steals the identity of another, but the person whose identity he stole was a child molester.

The U.S. Department of Homeland Security has announced the creation of US-CERT (the United States Computer Emergency Readiness Team).

Microsoft is the defendant in a proposed class-action suit on security:

The lawsuit complaint:

How not to point out a security flaw. “A computer security specialist who claimed he hacked into top-secret military computers to show how vulnerable they were to snooping by terrorists was arrested and charged Monday with six felony counts that could bring a 30-year prison sentence.”

Despite admitting that Diebold voting machines have a high risk of compromise, the state of Maryland is going to buy them:

Security on the Massachusetts Turnpike toll booths:

Report on the DSN 2003 Workshop on Principles of Dependable Systems:

A 19-year-old used a fake website to lure victims into downloading his Trojaned software, and then captured their stock account information and traded stocks in their name.
The scary thing is how effective this attack could be. This guy was pretty stupid, but imagine for a minute what the results would be if a smart attacker planned his attack better. He could make millions and be out of the country before anyone knew.

Really good FAQ on Internet worms:

Balancing security and liberties:

There’s a new SANS Top 20 list. This is a list of the top 20 vulnerabilities in Windows and UNIX. If we just secured these 20 things, we’d all be a lot safer.

China is getting a copy of the Windows source code. I’ve already written about the security risks of open-source versus proprietary software. One of the problems with open source is that the bad guys get to look at the code. One of the good things about open source is that the good guys get to look at the code, too. If I were the Chinese government, I’d turn that code upside down looking for vulnerabilities, and then not tell anyone about them. This seems like a huge security risk to me, even though Microsoft might consider it a smart business move.

A Polish hacking group claims to have taken control of 450,000 Windows computers, and is selling services to spammers based on that control.

Counterpane News

Two interviews with Schneier:

Schneier has written an op-ed piece on fixing national intelligence:

Counterpane is hiring:

More Beyond Fear Reviews

The book is continuing to get great reviews. I’ve sent about 100 books to Capitol Hill, into the offices of representatives who are involved in these issues. And it’s continued to get excellent reviews in magazines, newspapers, and weblogs.

“What Schneier could have chosen to do in this book—or for that matter any book he writes—was to create a treatise for experts. He has the expertise to do it, is eminently qualified to do so and would be taken seriously if he did. Instead, he has chosen to cater to the masses and written what is, in my opinion, the best primer on security, one that can be understood by the man in the street.”
—Sydney Morning Herald

“Once again Schneier proves he is one of the few people who indeed understand security, and what is more important and more difficult, that he can explain complex security concepts to people not specialising in security. Whatever your trade and whatever your background, go ahead and read it because security affects your life.”
—TECS (The Encyclopedia of Computer Security)

All reviews are archived on the book’s website:

Security Notes from All Over: Reaction to a Bomb Threat

I found this in Tim Bray’s weblog: “In the speakers’ room at Seybold, there were plenty of Cat5 drops but a shortage of DHCP leases. When they announced the bomb threat, Lauren saw people unplugging and leaving, brightened up and said ‘Oh good, I can grab my e-mail’ and plugged in. Is that great or what, and I ask: why would a geek ever marry a non-geek?”

This is a great story: someone taking advantage of the Internet services made temporarily available because of a bomb threat. And honestly, this would probably have been my reaction as well. Bombings are much less common than bomb threats, and staying in a threatened building is only slightly more dangerous than leaving. But getting your e-mail—now that’s important.

Security is always a trade-off.


Pirating Movies

Understandably, the movie industry is really incensed by the movie copies that are traded back and forth on the Internet. The industry has responded by trying to make DVDs harder to copy, citing consumers as the culprit. But a new research paper out of AT&T Labs indicates otherwise. The researchers collected 285 popular movies on file sharing networks, and found that 77% of them were leaked by industry insiders. These files include various warnings and messages. For example, “Property of Miramax Films, for screening purposes only,” or a time code indicating a production copy. Indeed, most of the samples appeared on file sharing networks prior to their official consumer DVD release date.

One of the first rules of security is that you need to know who your attacker is before you consider countermeasures. In this case, the movie industry has the threat wrong. The attackers aren’t DVD owners making illegal copies and putting them on file sharing networks. The attackers are industry insiders making illegal copies long before the DVD is ever on the market.

The paper:

Security Notes from All Over: Precision Stripping

One of the security countermeasures used to help prevent car thefts is Vehicle Identification Numbers (VINs) stamped on the chassis. This unique number makes it possible to track individual cars, and to determine if a used car has been stolen. Criminals have devised two primary responses to this. One, they steal cars and then ship them to countries that don’t care very much about VINs. Two, they steal cars, take them apart, and sell the parts. This is very common; “chop shops” can strip a car and turn it into parts in a few hours.

There’s a third response: precision stripping. Here’s how it works. A criminal steals a car. A chop shop strips it down to the chassis, and saves all the parts. Then the criminal takes the empty chassis and dumps it on the street.

The police tow the chassis away and, eventually, someone (either the police or the township or the insurance company) sells it at auction. The original criminals buy it back and reattach the parts. Now the criminals have a legitimately purchased car that they can sell on the used market; the VIN has effectively been “laundered.”


Issuing Identity Cards

There are a lot of things wrong with the proliferation of identity checks at airports, hotels, government buildings, and the like. One, they don’t actually solve any real security problem; seeing the identity card of someone doesn’t make him any less likely to commit a terrorist act, for example. Two, it’s easy to obtain a fake ID and it’s really hard for a security guard to distinguish a good fake ID from a real ID. And three, they’re expensive to implement and inconvenient for everyone. Given the minimal additional security these checks provide and the large cost associated with them, most of the time they’re not a good security trade-off.

There’s one other problem with identity documents: the ease of getting legitimate documents in fraudulent names. Several of the 9/11 terrorists obtained fraudulent IDs from the Virginia Department of Motor Vehicles by paying a corrupt employee $1000 each. These weren’t fake IDs. These were real IDs in fake names, with all the holograms and micro printing and whatever else the driver’s licenses have to make them hard to forge.

Turns out this kind of thing is surprisingly easy to do.

In the 1971 book “The Day of the Jackal,” an assassin obtains a real British passport in someone else’s name by wandering around graveyards looking for a headstone belonging to a dead boy born at about the same time he was. He then gets a copy of the boy’s birth certificate and, pretending to be that boy, gets a British passport in the boy’s name. A real British passport. According to the BBC, this loophole *may* be fixed this year.

Any security countermeasure works within a larger system. In evaluating the effectiveness of the countermeasure, you need to understand the system. It’s not just how hard the document is to forge. You need to look at the security of the issuance process and the security of the revocation process. People will lose their documents; what’s the security of the backup system, and what’s the security of the reissuance system? How trusted are the people who handle the blank documents, or the databases those documents are tied into? Again and again, the weak link in a security system turns out to be the people.

Using birth certificates of the dead to get UK passports in fraudulent names:

Obtaining driver’s licenses in fraudulent names in the U.S.:

Security Risks of Monoculture

The ubiquity of the Microsoft operating system is a security risk. There’s an inherent security risk in any monoculture, and we’re seeing the effects of it: vulnerabilities, exploits, worms and viruses have catastrophic effects, because they affect so many systems. How good or bad Microsoft is at security is, in some ways, beside the point. Because all of our OS eggs are in one basket, there’s a significant security risk.

In some ways this has nothing to do with Microsoft in particular. Our concerns would be no different if everyone ran Macintosh OS X, or Linux. Security researchers sounded the same alarm in 1988, when the Morris Worm infected about 5% of the UNIX systems on the Internet. Today the monoculture is much more pervasive.

In other ways this is very much about Microsoft. My worry here is that Microsoft is using security as a justification to give itself even further competitive advantages in the marketplace. After their antitrust trial, they refused to divulge file format information and cited security concerns. They’re developing a document security feature for Office programs that will make it harder for competitors to build compatible products. And NGSCB (Palladium) promises to be a significant barrier to competition. In economics this is called “lock in”: actions by a company to ensure that its customers can’t switch. It’s bad for society, and it’s also bad for security.

It’s important to put this in context. Monoculture is just one security risk networks face. There are other risks, and diversifying operating systems isn’t going to magically fix those other ones. But when our nation’s critical infrastructure increasingly relies on a single system that can be attacked everywhere at the same time, we should worry.

The report:

A rebuttal:

For the record, no one funded the report. The CCIA distributed the report, but they had no hand in the writing, nor did they pay anybody anything.

One unfortunate outcome of this report is that the principal instigator, Dan Geer, was fired from his job as CTO of @Stake. @Stake gets a considerable amount of consulting work from Microsoft, and tried to distance itself from both Geer and the report.

Security researchers write and speak all the time, and are almost always speaking for themselves and not their company. Crypto-Gram is my newsletter, not Counterpane’s. And Counterpane management regularly cringes when I talk about companies they might want to partner with, or companies our investors are investing in. But I don’t think anyone confuses my position with Counterpane’s position.

Dan Geer was in a similar situation. He is a researcher with an impeccable reputation for honesty and integrity. When @Stake first formed, Dan was immediately hired for those exact qualities. @Stake was formed from the L0pht, one of the best hacker groups in the world with a reputation for irritating Microsoft. Now there’s only one L0pht member left at @Stake, and Dan Geer was fired for displaying the same qualities that got him hired.


Dan Geer’s comments:

Comments from Readers

From: Scott Tousley <stousley>
Subject: Accidents and Security Incidents

I think you failed to mention something very important. You talk about the interconnectedness of our systems as a base reason why these events turn into large-scale disasters. But there is an additional and equally important reason for our problem.

An effective attacker anticipates responses and plans the attack to leverage response into a stronger outcome. Like the Arkansas case where the killers pulled the fire alarm and then shot as kids responded.

So in addition to understanding interconnectedness, we must have knowledgeable operators that understand “normal” accidents, have some communication with intelligence personnel and systems, and can quickly recognize when events smell like more than just a normal accident or random incident. The better our intelligent operator feedback systems, the faster we can respond and mitigate the efforts of the intelligent adversary. I believe this is Counterpane’s value proposition.

Our challenge is to nurture and build intelligent system response to catch back up to and pass the massive growth in interconnectedness that we have seen in the past decade. We must accelerate our society’s movement from lemming to bird-flock behavior.

From: Brad Knowles <brad.knowles>
Subject: Denial-of-Service Attack

“An interesting, inadvertent, distributed denial-of-service. An accident, not an attacker.” <>

This statement does not place the problem in the proper perspective. Let me quote from the abstract: “In May 2003, the University of Wisconsin – Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus’ public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.”

The only recourse available to the University was to go to their ISP and get them to null-route all this traffic to their servers, meanwhile paying a huge increase in bandwidth costs—an increase that seriously hurt their budget, and would have quickly bankrupted them if they hadn’t been able to get their ISP to null-route the traffic.

In the NTP world, this is an attack nearly on the scale of the airplanes crashing into the World Trade Center twin towers on 9/11. Damn few places in the world would be able to sustain that kind of DDoS attack. People have been put in jail for long periods of time for much, much less.

While NetGear has “fixed” this problem in their latest router images, very few customers have bothered to update their firmware, and the attack continues to this day. NetGear needs to be given the necessary incentive (i.e., risk being put out of business, and the management put behind bars) to actively induce all customers to update their routers ASAP, so that this attack can finally be put behind us.

Other software has caused similar problems for other sites. For example, NetTime was the reason why was taken off the air, and yet the owners of what is now continue to see very high DNS traffic for the time servers which no longer exist at the original IP addresses, and where even the names were removed from the DNS long ago. Many of the source IP addresses are generating queries on the order of one per second, which gets unbelievably high when you start talking about thousands or tens of thousands of clients worldwide.

The issue is all those damn PCs running Microsoft OSs, with seriously broken DNS resolvers, which don’t do any caching and which can re-query for nonexistent data as quickly as your program can ask for the information. Since NetTime can be set to recheck the time sync every second, this causes very severe problems.
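The once-a-second retry described in the comment above is easy to reproduce, so here is an added example. It is mine as editor, not part of the original newsletter or the reader’s comment, and it is not NetGear’s or NetTime’s code. It builds and parses the 48-byte NTP header using constructed sample replies, then counts how many packets one client sends to one server over a simulated day under two policies: a naive fixed one-second retry, and an exponential back-off that also obeys the kiss-o’-death codes (stratum 0, ASCII code in the reference ID) codified in RFC 5905 section 7.4, which postdates this issue. The 64-to-1024-second poll limits and the reset-on-success rule are simplifications of the RFC’s clock discipline chosen for illustration; nothing touches the network.

```python
"""Simulated NTP client polling: naive fixed-interval retry versus
RFC 5905 style back-off with kiss-o'-death handling. All packets are
constructed in memory; nothing is sent on the network."""
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Kiss-o'-Death codes (RFC 5905 section 7.4) a client must act on.
KOD_STOP = {b"DENY", b"RSTR"}   # stop sending to this server
KOD_SLOW = {b"RATE"}            # lengthen the poll interval

HEADER = "!BBbbII4sQQQQ"        # fixed 48-byte NTP header


def build_client_request(version=4):
    """48-byte client request: LI=0, VN=version, Mode=3, all other fields zero."""
    return struct.pack("!B47x", (version << 3) | 3)


def build_server_reply(stratum=2, ref_id=b"GPS\x00", xmit_unix=1066176000):
    """Constructed server reply (Mode=4); sample data, not captured traffic."""
    xmit_ntp = (xmit_unix + NTP_UNIX_OFFSET) << 32   # 32.32 fixed-point seconds
    return struct.pack(HEADER, (4 << 3) | 4, stratum, 6, -20, 0, 0, ref_id,
                       xmit_ntp, 0, xmit_ntp, xmit_ntp)


def build_kod_reply(code):
    """Kiss-o'-Death reply: stratum 0 with the ASCII kiss code as reference ID."""
    return build_server_reply(stratum=0, ref_id=code)


def parse_reply(data):
    """Decode the fixed header of a server reply; raise on anything malformed."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp,
     ref_id, ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(HEADER, data[:48])
    if li_vn_mode & 0x7 != 4:
        raise ValueError("not a server reply (mode %d)" % (li_vn_mode & 0x7))
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "stratum": stratum,
        "kod": ref_id if stratum == 0 else None,   # kiss code only when stratum 0
        "xmit_unix": (xmit_ts >> 32) - NTP_UNIX_OFFSET,
    }


def simulate(policy, responder, horizon=86400):
    """Count packets one client sends to one server within `horizon` seconds.

    responder(request) returns a reply or None (no answer, e.g. null-routed).
    "naive":   resend every second no matter what (the behaviour described above).
    "backoff": start at 64 s; double up to 1024 s on silence or RATE; reset to
               64 s on a good reply; stop for good on DENY/RSTR. Simplified
               from the RFC 5905 poll logic for illustration.
    """
    min_poll, max_poll = 64, 1024
    t, sent = 0, 0
    interval = 1 if policy == "naive" else min_poll
    while t < horizon:
        sent += 1
        reply = responder(build_client_request())
        if policy == "backoff":
            kod = parse_reply(reply)["kod"] if reply is not None else None
            if kod in KOD_STOP:
                break
            if reply is None or kod in KOD_SLOW:
                interval = min(interval * 2, max_poll)
            else:
                interval = min_poll
        t += interval
    return sent


# Constructed responders standing in for the cases discussed above.
RESPONDERS = {
    "healthy":     lambda req: build_server_reply(),
    "null_routed": lambda req: None,
    "rate_kod":    lambda req: build_kod_reply(b"RATE"),
    "deny_kod":    lambda req: build_kod_reply(b"DENY"),
}

if __name__ == "__main__":
    for name, responder in RESPONDERS.items():
        print("%-12s naive=%6d backoff=%5d packets/day"
              % (name, simulate("naive", responder), simulate("backoff", responder)))
```

Against a server that never answers (null-routed, as the university’s eventually was), the naive client sends 86,400 packets per day and the back-off client 87; a DENY reply stops the well-behaved client after one packet, while the naive one never notices. For anyone shipping an embedded client the lesson is that the retry schedule, not the server, decides how much traffic a dead or overloaded address keeps receiving.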

From: Derek Schatz <cissp_ds>
Subject: Acxiom Hack

> Shouldn’t Acxiom have been required to send its
> California customers an embarrassing confession?

Well, no. The Acxiom hack occurred last December, while the California Security Breach Information Act didn’t go into effect until July 1, 2003 (I think “ex post facto” is the appropriate term here). Also, there were indications that some of the data was encrypted, which would absolve Acxiom from the SBIA. Last, unless I missed something, I didn’t see any indication that there was actually personally identifiable info that was compromised. Maybe there was, but “marketing databases” can be analyzed without customer names.

From: Ernst Jan Plugge <rmc>

Some time ago, I went on a short business trip from the Netherlands to the UK. This was my first flight since the Sep. 11 attacks. I’d brought a single carry-on bag containing, among other things, a shaving kit with one of those safety blades. Not anyone’s choice for a weapon, but it might do some damage if necessary, I suppose. I saw a handwritten notice that razor blades of any kind were not allowed in carry-on luggage.

I didn’t feel like checking my bag, considering the high failure rate of checked baggage handling, and I wanted the contents for some reading material on board. I also didn’t want to toss the blade because I didn’t know how hard it would be to buy a new one before the next morning. It turns out that’s extremely easy, which should have been pretty obvious, but I didn’t realize that. So I decided to just leave the blade in my bag, and play dumb if anyone caught me. Zero points for smarts, but that’s what happened.

I wasn’t caught, although my bag went through an X-ray scanner several times. But all the way to the hotel, I was extremely anxious. Not about terrorists—they barely crossed my mind the whole time. I was anxious about what a derailed security apparatus at a small airport could do to me over nothing more than an innocent safety razor. I’d heard about the awful way innocent people have been treated over issues that wouldn’t have raised an eyebrow a little over two years ago, even outside the US.

I was actually more afraid of the people who are supposed to protect me than of a terrorist attack. Looking back, that worries me a lot.

On the way back I tossed the blade, of course, but I still had a very uncomfortable time at both airports. I actually felt safer and more comfortable on board than on the ground, which is a weird sensation, because it used to be the other way around.

From: andre szykier <andre>
Subject: Benevolent Worms

Your response to benevolent worms was interesting but only partially correct. Where you faltered is in the idea that the “average” person needs to opt-in or agree to some action to happen on his/her computer. Specifically you stated:

“A good software distribution mechanism has the following characteristics:
1) People can choose the options they want.
2) Installation is adapted to the host it’s running on.
3) It’s easy to stop an installation in progress, or uninstall the software.
4) It’s easy to know what has been installed where.”

Items 1 through 4 assume an active and participatory role by the user. Face it, Bruce, you are talking to the 80% plus of users who are grateful if their AOL e-mail and messenger software is working, without even addressing things such as virus updates and MSFT security settings on their browser.

Perhaps benevolent but signed worms are the model of the future for security. I believe that this will be the method for “fixing” bad software that requires continual patching. Why should a user belonging to the 80% of the users who have no idea what they should do to be secure be involved in a decision-making process where their input is almost random in outcome.

I suggest that you be less elitist and more pragmatic. After all, when your car is up for service, do you need to know what service is required, even if you have no idea how the car runs? Yes, you can be the decision maker, but so maybe can your pet. Both of you have just about the same technical know-how to make the right decision about timing chain replacement, computer ignition settings and so on.

From: “Peter Schaeffer” <PSchaeffer>
Subject: Hats in Banks

Your article about hat bans as a security measure shows a significant ignorance of bank operations. Your thesis that the teller will press her (male tellers are common) button, before the guard approaches a potential criminal, assumes that banks have guards. They don’t. Big downtown banks typically do have security guards. However, the vast numbers of branch banks dotting suburbia and urban areas don’t. For example, in 2001 94% of all bank robberies were in branch banks <…>. Even banks with security guards don’t rush to arrest everyone they think has committed bank robbery.

Of course, someone entering a bank in Atlanta, in July, with a ski mask is likely to set off alarms, both literally and figuratively. As a consequence, bank employees are likely to respond immediately. If the bank robber doesn’t make his way to the counter and get his money very quickly, he is likely to be caught by police arriving at the scene. If the bank has guards, they may well respond by drawing weapons or at least preparing to do so.

In practice, this means that only the most dangerous robbers attempt crimes using ski masks and guns. Given how quickly the authorities respond to such severe incidents and the likely substantial criminal penalties, deterrence works and such crimes are relatively rare. Stated differently, the “ban” (de facto) on ski masks in banks does work, not perfectly of course, but to a quite substantial extent. If anything, the ski mask analogy supports a hypothetical ban on hats, not the other way around.

As for false alarms (harmless folks wearing hats), of course this is an issue. However, any bank that is serious about a no-hat policy will post signs to that effect. Since most folks use the same bank repeatedly, they will quickly learn what rules are in effect. Certainly anyone who is asked to remove his/her hat will probably remember the rules the next time they visit the bank. In practice, the issue is substantially moot. Very few Americans wear hats these days (true since the 1950s).

Your note mentions that a ban on hats is probably intentioned to enable security cameras to get a better look at bank robbers. This is correct. In practice, security cameras are a (the?) primary mechanism for catching bank robbers. Given that bank robbers presumably don’t want to be prosecuted, getting better pictures of them is a very positive benefit to society. Clearly, the bank in Alabama must have thought so.

Consider some of the practical details. Say a robber enters a bank wearing a hat and is asked to remove it. If he refuses, alarms go off to some greater or lesser extent. Unless the robber immediately draws a weapon and orders everyone onto the floor, the robbery will end right there. Fortunately, very few bank robbers have any interest in confrontations of any kind. A more likely outcome is that the robber will just leave. Another possibility is that the robber will remove his or her hat and then proceed with the robbery. In that case, the cameras will get a much better look at the perpetrator. Note that bank robbers routinely wait in line before demanding money.

As for bank robbers dressing up as “a nun, an Orthodox Jew, a Sikh in a turban or a burqa-clad Muslim woman.” Of course, they could. In real life, they don’t. A New York detective was once asked whether pickpockets in Manhattan dressed in suits and ties to facilitate their crimes and subsequent escape. He responded by saying that in twenty years he had never arrested even one pickpocket in a tie.

As for hats in cold climates, I have lived, worked, and played in some of the coldest parts of the U.S., including Montana, Alaska, Colorado, and (worst of all) Chicago. Hats (much less ski masks) are not all that common even in areas with extreme climates. And yes, when people go indoors they take them off.

The broader point is that imperfect security measures add value in real life situations. Of course they can be circumvented. However, history has shown that barriers (figurative and literal) work, even if they don’t work perfectly.

From: MacMinn <macminn>
Subject: Hats in Banks

In the real world, prohibiting hats in banks is likely to be more effective than you give it credit for. Judging by admittedly anecdotal evidence, a significant number of bank robbers aren’t operating on all cylinders. They’re robbing a bank, after all! Data to back this up can be found at any number of “stupid criminal” websites, including:


… the list goes on.

I’m guessing that many garden variety prospective bank robbers (if there is such a thing) faced with the situation in the Alabama bank would simply remove their hats to try to “fit in,” without stopping to consider the effect on their image in the security camera. In short, this may be an effective detective (catch ’em) measure, although not necessarily a good (preventive) security measure.

All this leaves aside whether it’s good public relations or business practice.

From: Don Hurter <deluxe>
Subject: Hats in Banks

Regarding your commentary on hats and bank robbers, I’ve seen an earlier article (no URL available) which did a better job explaining the real reason. Overhead security cameras cannot easily capture the robber’s face if he is wearing a hat with a long visor. Even the article you cited mentions this, but does not give it proper emphasis:

“It is going to potentially inhibit bank robberies, and more importantly, it will produce better imagery from the surveillance cameras.”

Another rule some banks now enforce is no sunglasses, for the same reason. Other than for recent pupil-dilation patients it would be a more difficult rule to dispute. I personally wish we lived in a society where such rules are unnecessary, but it’s a sign of the times…

Comments on CRYPTO-GRAM should be sent to Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane’s expert security analysts protect networks for Fortune 1000 companies world-wide. See <>.