February 15, 2004

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

Back issues are available at <>. To subscribe, visit <> or send a blank message to

In this issue:

Toward Universal Surveillance

Last month the Supreme Court let stand the Justice Department’s right to secretly arrest non-citizen residents. Combined with the government’s power to designate foreign prisoners of war as “enemy combatants” in order to ignore international treaties regulating their incarceration, and their power to indefinitely detain U.S. citizens without charge or access to an attorney, the United States is looking more and more like a police state.

Since 9/11, the Justice Department has asked for, and largely received, additional powers that allow it to perform an unprecedented amount of surveillance of American citizens and visitors. The USA PATRIOT Act, passed in haste after 9/11, started the ball rolling. In December, a provision slipped into an appropriations bill allowing the FBI to obtain personal financial information from banks, insurance companies, travel agencies, real estate agents, stockbrokers, the U.S. Postal Service, jewelry stores, casinos, and car dealerships without a warrant—because they’re all construed as financial institutions. Starting this year, the U.S. government is photographing and fingerprinting foreign visitors into this country from all but 27 other countries.

The litany continues. CAPPS-II, the government’s vast computerized system for probing the backgrounds of all passengers boarding flights, will be fielded this year. Total Information Awareness, a program that would link diverse databases and allow the FBI to collate information on all Americans, was halted at the federal level after a huge public outcry, but is continuing at a state level with federal funding. Over New Year’s, the FBI collected the names of 260,000 people staying at Las Vegas hotels. More and more, at every level of society, the “Big Brother is Watching You” style of total surveillance is slowly becoming a reality.

Security is a trade off. It makes no sense to ask whether a particular security system is effective or not—otherwise you’d all be wearing bulletproof vests and staying immured in your home. The proper question to ask is whether the trade-off is worth it. Is the level of security gained worth the costs, whether in money, in liberties, in privacy, or in convenience?

This is a personal decision, and one greatly influenced by the situation. For most of us, bulletproof vests are not worth the cost and inconvenience. For some of us, home burglar alarm systems are. And most of us lock our doors at night.

Terrorism is no different. We need to weigh each security countermeasure. Is the additional security against the risks worth the costs? Are there smarter things we can be spending our money on? How does the risk of terrorism compare with the risks in other aspects of our lives: automobile accidents, domestic violence, industrial pollution, and so on? Are there costs that are just too expensive for us to bear?

Unfortunately, it’s rare to hear this level of informed debate. Few people remind us how minor the terrorist threat really is. Rarely do we discuss how little identification has to do with security, and how broad surveillance of everyone doesn’t really prevent terrorism. And where’s the debate about what’s more important: the freedoms and liberties that have made America great or some temporary security?

Instead, the DOJ (fueled by a strong police mentality inside the Administration) is directing our nation’s political changes in response to 9/11. And it’s making trade-offs from its own subjective perspective: trade-offs that benefit it even if they are to the detriment of others.

From the point of view of the DOJ, judicial oversight is unnecessary and unwarranted; doing away with it is a better trade off. They think collecting information on everyone is a good idea, because they are less concerned with the loss of privacy and liberty. Expensive surveillance and data mining systems are a good trade-off for them because more budget means even more power. And from their perspective, secrecy is better than openness; if the police are absolutely trustworthy, then there’s nothing to be gained from a public process.

If you put the police in charge of security, the trade-offs they make result in measures that resemble a police state.

This is wrong. The trade-offs are larger than the FBI or the DOJ. Just as a company would never put a single department in charge of its own budget, someone above the narrow perspective of the DOJ needs to be balancing the country’s needs and making decisions about these security trade-offs.

The laws limiting police power were put in place to protect us from police abuse. Privacy protects us from threats by government, corporations, and individuals. And the greatest strength of our nation comes from our freedoms, our openness, our liberties, and our system of justice. Ben Franklin once said: “Those who would give up essential liberty for temporary safety deserve neither liberty nor safety.” Since 9/11 Americans have squandered an enormous amount of liberty, and we didn’t even get any temporary safety in return.

This essay originally appeared on CNet:

The Politicization of Security

Since 9/11, security has become an important political issue. The Bush administration has seized on terrorism as a means to justify its policies. Bush is running for re-election on a “strong on security” platform. The Democrats are attacking the administration’s record on security. Congress has voted on, and will continue to vote on, security countermeasures. And the FBI and the Justice Department are implementing others, even without Congressional approval.

In the last issue of Crypto-Gram I published a couple of security essays that had a political component. I was surprised by the number of e-mails I received from people accusing me of bashing Bush (or worse). American politics may be getting vitriolic, but I think it’s worth stepping back and looking at the political security landscape.

I believe that the Bush administration is using the fear of terrorism as a political tool. That being said, I’m not sure a Democrat would do anything different in Bush’s place. Fear is a powerful motivator, and it takes strong ethics to resist the temptation to abuse it. I believe the real problem with America’s national security policy is that the police are in charge; that’s far more important than which party is in office.

Some of the Democratic presidential candidates for president have been more rational about security, but none have discussed security in terms of trade-offs. On the Republican side, I’ve read some criticisms of Bush’s heavy-handed security policies. Certainly the traditional Republican ideals of personal liberty and less government intervention are in line with smart security. And have the people who accuse me of hating Republicans forgotten that the Clipper Chip initiative was spearheaded by the Clinton administration?

The Republicans don’t have a monopoly on reducing civil liberties in the United States.

Rational security is not the sole purview of any political party. Fighting stupid security does not have to be partisan. Bush’s White House has done more to damage American national security than they have done to improve it. That’s not an indictment of the entire Republican party; it’s a statement about the current President, his Attorney General, and the Secretary of the Department of Homeland Security. It’s a statement about the current political climate, where the police—and I use this term to encompass the FBI, the Justice Department, the military, and everyone else involved in enforcing order—and their interests are put ahead of the interests of the people. My personal politics on non-security issues are not relevant.


Good article on outsourcing computer security:

Another e-mail scam. This one uses people’s fear of terror, and a month-old Microsoft vulnerability that obscures true URLs.

Hacking in Congress. Looks like some Republican staffers hacked a bunch of Democratic computers and accessed confidential files for about a year, sometimes leaking them to the press.
I’ve read various people asking why this isn’t Watergate-II. Watergate was such a big deal because the direction came directly from the President. Since then, all politicians have learned not to leave that kind of evidence lying around. There are always sufficient underlings available to take the fall when this kind of thing comes to light. And if you think about it, that is itself a security countermeasure.

Interesting computer-related theft from an Israeli bank. Someone installed a wireless networking device on a computer rack in the bank, and then used it to gain surreptitious access into the system. I think this sort of thing is a harbinger of computer crime to come.

Cheating during a security drill at a nuclear plant. This is the best quote: “I understand the perception, but the fact is there was nothing wrong with what occurred,” said Burleson, the Wackenhut executive. “If we had lost the exercise, it wouldn’t have been an issue because they expected us to lose the exercise.”

Regularly I see estimates about the costs of worms and viruses, and they are invariably complete fabrications. This is the most egregious estimate yet: according to the BBC, MyDoom cost $26.1 billion. I wonder which anti-virus company made up that ludicrous number.

Trend Micro estimates $55 billion from all viruses in 2003:
Does anyone believe these numbers anymore?

NIST’s Computer Incident Handling Guide:

Security through obscurity in public schools:

A study finds vulnerabilities in computerized voting machines:
RABA’s report:

More problems with electronic voting machines:

Good list of resources on the economics of privacy:

An interesting international border security story. Great quote: “The next time you’re asked to perform a semi-striptease at an airport X-ray point (shoes, jacket, belt, wallet), consider the law of diminishing returns. We’re probably now at the point where the world could double its investment in air-travel controls for no appreciable gain, except to those in the business of providing security services.”

Five million names on U.S. terrorism watch list:

“Biometrics won’t catch disposable terrorists.” Isn’t that a good turn of phrase?

Security outsourcing and how to make it successful. (Counterpane is mentioned.)

Amusing security stories. People are still the weakest link.

Only 10% of spam is compliant with the new U.S. law. I’m surprised it’s so high.

Last month I wrote about the jammers used by Musharraf to prevent bombings. This article says that the U.S. is using the same technology in Iraq.

Interesting article on the August blackout on the East Coast, and how a previously unknown software vulnerability contributed:

The GAO has released a very interesting report on the CAPPS-2 airline passenger screening program. According to the report, the Transportation Security Administration has failed to address Congress’s concerns about the program, including whether it will comply with the Privacy Act.
EPIC’s passenger profiling page:
My essay on airline profiling:

Counterpane News

RSA 2004, 23-27 February 2004, Moscone Center, San Francisco, CA
Counterpane is exhibiting. Come by our booth #1227 to see what Counterpane can do to help secure your networks. Contact us in advance at 888-710-8175 if you’d like to set up a meeting with us.
Schneier is moderating the Cryptographer’s Panel on Tuesday at 11:00.
Schneier is giving a talk on security titled “What Works, What Doesn’t, and Why” on Tuesday at 5:15.

Counterpane announces its 2003 performance:

Counterpane monitors Northeast Utilities:

Counterpane’s monitoring service has been nominated for an award for Best Security Service from SC Magazine. Anyone can vote, although you have to give them your personal information.

“Beyond Fear” News

Another review of “Beyond Fear”:

“‘Beyond Fear’ is a tour de force, stuffed with more ideas than I have room to talk about here. It is a timely contribution to our national debate.”

And another review:

“Beyond Fear” website:

Identification and Security

In recent years there has been an increased use of identification checks as a security measure. Airlines always demand photo IDs, and hotels increasingly do so. They’re often required for admittance into government buildings, and sometimes even hospitals. Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that’s just not so. In most cases, identification has very little to do with security.

Let’s debunk the myths one by one. First, verifying that someone has a photo ID is a completely useless security measure. All the 9/11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver’s licenses for all fifty states, good enough to fool anyone who isn’t paying close attention, are available on the Internet. Or if you don’t want to buy IDs online, just ask any teenager where to get a fake ID.

Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.

Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we’d want is some kind of ID that denotes intention. We’d want all terrorists to carry a card that says “evildoer” and everyone else to carry a card that said “honest person who won’t try to hijack or blow up anything.” Then, security would be easy. We’d just look at people’s IDs and, if they were evildoers, we wouldn’t let them on the airplane or into the building.

This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. This is the basis behind CAPPS-2, the government’s new airline passenger profiling system. People are divided into two categories based on various criteria: the traveler’s address, credit history, and police and tax records; flight origin and destination; whether the ticket was purchased by cash, check, or credit card; whether the ticket is one way or round trip; whether the traveler is alone or with a larger party; how frequently the traveler flies; and how long before departure the ticket was purchased.

Profiling has two very dangerous failure modes. The first one is obvious. The intent of profiling is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully. But any such system will create a third, and very dangerous, category: evildoers who don’t fit the profile.

Oklahoma City bomber Timothy McVeigh, DC sniper John Allen Muhammed, and many of the 9/11 terrorists had no previous links to terrorism. The Unabomber taught mathematics at Berkeley. The Palestinians have demonstrated that they can recruit suicide bombers with no previous record of anti-Israeli activities. Even the 9/11 hijackers went out of their way to establish a normal-looking profile; frequent-flier numbers, a history of first-class travel, etc. Evildoers can also engage in identity theft, and steal the identity-and profile-of an honest person. Profiling can actually result in less security by giving certain people an easy way to skirt security.

There’s another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because actual evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. This not only wastes investigative resources that might be better spent elsewhere, but it causes grave harm to those innocents who fit the profile. Whether it’s something as simple as “driving while black” or “flying while Arab,” or something more complicated like taking scuba lessons or protesting the current administration, profiling harms society because it causes us all to live in fear…not from the evildoers, but from the police.

Security is a trade-off; we have to weigh the security we get against the price we pay for it. Better trade-offs are to spend money on intelligence and analysis, investigation, and making ourselves less of a pariah on the world stage. And to spend money on the other, non-terrorist, security issues that affect far more Americans every year.

Identification and profiling don’t provide very good security, and they do so at an enormous cost. Dropping ID checks completely, and engaging in random screening where appropriate, is a far better security trade-off. People who know they’re being watched, and that their innocent actions can result in police scrutiny, are people who become scared to step out of line. They know that they can be put on a “bad list” at any time. People living in this kind of society are not free, despite any illusionary security they receive. It’s contrary to all the ideals that went into founding the United States.

This essay originally appeared in the San Francisco Chronicle:

Crypto-Gram Reprints

Crypto-Gram is currently in its seventh year of publication. Back issues cover a variety of security-related topics, and can all be found on <>. These are a selection of articles that appeared in this calendar month in other years.

Militaries and Cyber-War:

The RMAC Authentication Mode:

Microsoft and “Trustworthy Computing”:

Judging Microsoft:

Hard-drive-embedded copy protection:

A semantic attack on URLs:

E-mail filter idiocy:

Air gaps:

Internet voting vs. large-value e-commerce:

Distributed denial-of-service attacks:

Recognizing crypto snake-oil:

The Doghouse: E-mail Readers

Security vulnerabilities aren’t like the weather; they don’t just happen. They are the result of mistakes: mistakes in the code, mistakes in design, or mistakes in specification. MyDoom spread across the Internet because of an enormous vulnerability in e-mail software: users are allowed to execute arbitrary e-mail attachments.

This is a bug. I know it’s generally called a feature, but it’s not. It’s a design flaw. It’s a huge security vulnerability. And I think it’s high time we started calling it that.

Most people have no need to execute e-mail attachments. Some do—I receive software updates in e-mail pretty regularly—but most do not. Why can’t this “feature” be turned off by default? Or turn it off for everyone; I’m willing to accept a URL to a webpage where I can download the software updates I need.

I don’t think the solution is to educate users. This is a case where overall security is determined by the stupidest user. If 1,000 people in your corporate network know enough not to click on the attachment and only one does not, you’re still infected.

Microsoft isn’t alone in the doghouse on this one. I use Eudora, and that e-mail program also allows the user, by default, to execute e-mail attachments. I don’t know about other e-mail programs, but I assume that others have the same security vulnerability.

The Economics of Spam

Last month Bill Gates talked about spam at the World Economic Forum. He said, “Two years from now, spam will be solved.”

He listed three technologies he claims will solve spam. The first is based on positively identifying the sender of any e-mail. The second involves a computational puzzle, something that a computer must do for each message that becomes prohibitively expensive for any bulk mailing. The third involves forcing the sender to pay for e-mail. Gates feels that this is the most promising technology to kill spam once and for all.

Spam is an interesting problem, because it’s an economic one. Spam is prevalent because—as bizarre as it may seem—it is profitable. If spam were not profitable, it wouldn’t be done.

Gates is right that the best way to deal with the problem is to change the economics. If spammers had to pay money for each message, as paper bulk mailers do, they would spam a lot less. They would only spam interesting and effective messages. Because spam is nearly free, even messages with marginal rates of return are profitable.

Today, accounts that spam are shut down pretty quickly. Or, at least, large ISPs block e-mail from those addresses. In retaliation, spammers are more likely to use stolen accounts to send spam, and to change those accounts regularly. Spammers are also willing to pay for hacker exploits in order to more efficiently break into systems.

This means that anti-spam security that relies on positive identification isn’t likely to work. It’ll mean that more spam will rely on stolen accounts. It’ll change the tactics of spammers, but not the amount of spam. E-mail recipients could decide to only accept mail from people they already know—so called white lists—but those solutions are available and effective today. But most people want to get e-mail from people they don’t expect to get e-mail from, so most people don’t use white lists. Enforcing strong identification won’t make this issue any different.

Computational puzzles are an interesting idea, and one that has been talked about in the security community for a while. The basic idea is that Alice sends Bob an e-mail. Bob’s computer responds with a mathematical puzzle for Alice’s computer to solve. Alice’s computer does so and sends the result to Bob’s computer, which in turn delivers the mail to Bob.

You can see how this deals with spam. Alice’s computer has no trouble solving the puzzle, but it takes time. If Alice’s computer has to solve millions of these a day, it won’t be able to. So spam is reduced.

It’s an economic solution; it makes the sending of e-mail more expensive. Spammers will respond by breaking into a lot more accounts and send a lot less spam out of each of them. My guess is that no real spam reduction will result.

Gates’s third solution is the direct economic solution: charge for e-mail. This one has also been talked about a lot in the security community. It is also a very difficult one to implement. Overlaying a fee structure on top of the existing e-mail system will be complicated. It will have to deal with the fact that spam comes from every country, and not just the economically sophisticated ones. The best solution is for fees to be collected close to the sender—so spam doesn’t clog the network—but the easiest solution is for fees to be collected by the recipient. And we’ll all have to get beyond the expectation that e-mail is free.

But this solution won’t necessarily solve the problem of spammers breaking into other people’s accounts, either. You’d have to add some additional controls inside the network: how much e-mail a person can send in a day, maximum charges that can be accrued, that sort of thing. Again, extremely difficult to implement in practice. But at least it’s thinking along the right lines.

In general, I think that Gates is being overly optimistic. Some of these ideas are promising, but most of the anti-spam ideas are more likely to change the tactics of spammers than reduce the overall rate of spam. What’s interesting to me is that his optimism comes largely from ignoring the problem of insecure computers on the Internet, primarily insecure Windows computers on the Internet.

Right now the best solution is a spam filter. I use one, and I get almost no spam. There are a few false positives, but I find those when I clean out the filter every week.

Now I just have to convince a bunch of filters that Crypto-Gram is not spam.

Gates’s talk:

Comments from Readers

From: Mark Moss <MMoss>
Subject: President Musharraf and Signal Jammers

I have some experience in military radio jammers, and I find the story of Pakistani security jamming a bomb detonator signal very unlikely. We had two possible methods to jam a field radio (voice signals, and usually some version of AM). One was to obviously jam whatever frequencies the enemy might be using, with a much stronger signal than the radio transmitters you wanted to block. This took a lot of power, and it invited countermeasures—from changing the channel to destroying the jamming transmitter—so it’s not very effective and is apt to get you killed.

So the usual approach was to listen to the enemy communications and try to interfere with them so subtly that they don’t realize it is jamming. E.g., an officer is trying to call in an artillery strike on your forces. Just when he gives the coordinates, you hit a button to transmit a short burst of “static.” Static is pretty common with these radios, so they’ll think it’s just too bad that it happened to block a critical number and ask for it to be repeated. Pop some static into the “say again” response also, and continue to sow confusion without making it too obvious. If you can imitate voices sufficiently well, you might even inject a few words here and there. Meanwhile, your buddy calls up the troops being targeted to see if they can move or eliminate the enemy observer.

The subtle approach obviously won’t work to block a detonator. It’s a one-time transmission, exact time unknown, and nothing is going to detect it before it’s too late. Assuming the detonation signal is coded so random noise and transmissions on the right channel won’t set off the bomb, you could block it by overt jamming. Continuously transmit noise on all possible channels at a sufficiently high power level to drown out the detonator. It might take a truck with a big generator trailer, but it’s possible.

But what if instead of a complex circuit to receive and detect one particular code sequence, the terrorist or assassin just uses a simple circuit that will trigger whenever the RF power at one frequency exceeds a threshold? Then if he knows you will be jamming, he doesn’t even have to stick around with the detonator; he just sets the threshold quite high and your jamming will detonate it.

From: “John Faulkner” <J.Faulkner>
Subject: President Musharraf and Signal Jammers

There is no mystery about the jamming device used to protect Musharraf s convoy from the recent assassination attempt and thus no point in keeping it secret. It was a jammer for GSM mobile phones (cell phones to North Americans); these jammers are in use worldwide by government security agencies following the almost universal adoption of the GSM standard.

The bomb itself seems to have been five 50kg packages of explosive positioned to bring down the central part of the bridge and linked by a central control device, probably a GSM modem or modem-phone. It cannot have been a trivial or quick exercise to put this in place. The police who were assigned to guard the bridge have explained their absence as due to the bad weather.

The use of a mobile phone suggests al-Qaeda or one of their allies. The truck bomb used by Jemaah Islamiah in their attack on the Sari nightclub in Bali, Indonesia, in 2002 was triggered by a mobile phone. This is the most notorious example but there have been similar incidents throughout Asia.

Mobiles are a good choice for an intending bomber. They are readily available and are inconspicuous in use. The supporting infrastructure is already in place. The triggering transmission is lost in the vast number of innocent messages. Using a pre-paid SIM card in the phone would render its user untraceable.

GSM modems are readily available and are widely used for industrial process control. Every vending machine is Australia is fitted with one, for example. They are password protected and are addressable by SMS (text messages). They can usually switch a connected device on or off immediately, or at any time using their inbuilt calendar/clock. They can use their RS-232 port for serial data input and output.

If obtaining a GSM modem leaves too much of a paper trail, a modem-phone could be used instead like the one used in the Bali bomb. The model reportedly used on this occasion is one that has an inbuilt modem that responds to Hayes (AT) commands and has an RS-232 port. It is a popular model and readily available.

GSM signals are, however, readily susceptible to jamming because, like other forms of digital radio, a certain signal-to-noise threshold must be achieved. GSM mobiles sample the nearest base station’s signals to check that they are above this threshold. If they are not, then the mobile shuts down. In operation, a jammer would transmit an interfering signal within the control channel. This lowers the signal-to-noise ratio for any GSM mobile within a small radius around the jammer. The mobile then shuts down temporarily.

When the vehicle carrying the jammer has passed by, the GSM mobile in the bomb would reconnect with the base station and download any waiting SMS messages. In this case, the message would be the command to explode, but now received too late to do any harm to the target. This is why the bomb exploded some seconds after the convoy had passed.

Mobile phone networks in the U.S. make use of a hotch-potch of older technology and WCDMA with a little GSM penetration. This does not make the U.S. immune from such an attack. On the contrary, this mixture of technologies makes it just that more difficult to use protective measures.

In particular, WCDMA is well-known for its strong immunity to jamming and this seems to be the technology chosen to replace the older analog system in the U.S. and the technology that will be imposed on Iraq by the U.S. The existence of GSM jammers are an example of the benefits of a global standard. For a known vulnerability, there is a known response and jammers were available as soon as the first GSM mobile appeared.

From: <alexcole>
Subject: President Musharraf and Signal Jammers

Another possible explanation on the Musharraf story—Pakistani security officials may have found and disabled the bomb through human intelligence channels and published the story in an attempt to preserve the life of their source.

From: “WJK” <wjk>
Subject: New Credit Card Scam

I could just slap you (OK I will cut you some slack)…. Why did you not reveal a counter-measure to this kind of credit card attack? The “victim” could play along with the scammer and provide false information for the digits on the back of the credit card.

After hanging up, the “victim” can call their credit card company and alert the fraud branch to be on the look out for this card. At the same time, to be safe, another card could be issued.

The upside of this is that the fraud could be caught by the next merchant and ended much sooner. Instead, with no positive action the scam continues and merchants and card holder are harmed. Anyone “in-the-know” could be a good influence on catching these thieves, and they are thieves.

From: “Clive Robinson” <crob235>
Subject: Diverting Aircraft and National Intelligence

I live and work in London and the “Cancellation of the flights by the FBI” was very newsworthy in the UK and was covered repeatedly by the BBC on television. (It was only later pointed out that it was BA that had made the decision not to fly on the advice of the UK government based on information provided by the FBI.)

On one news item, the presenter specifically asked the reporter at Heathrow Airport if “The cancellation had anything to do with the BA pilots saying no to sky marshals.” The reply was a simple “I don’t know” but was said in a very doubtful voice.

On another program the presenter actually asked a UK politician if the “U.S. were crying wolf” the reply was unsurprisingly not very convincing, especially when he tried to explain that the threat had been that a woman was going to swallow a bomb before boarding the flight.

A view that has been voiced more than once is that the terrorists know how to “jerk the FBI’s strings” and deliberately provide misleading intelligence that causes the FBI to make a “knee jerk reaction.” The view is each canceled flight is yet another propaganda victory for the terrorists, in the information war. Although the later observation is true, I doubt the former, since providing any intelligence to the opposition is dangerous for the terrorist, as it provides a link no matter how tenuous, back to them.

On speaking socially to a friend in France, he said that the French take was different. Apparently a French reporter had noted that no U.S. aircraft had been affected and that there was no credible evidence of any threat. Apparently the reporter then indicated that perhaps the U.S. was trying to start economic warfare on Europe by making non-U.S. airlines appear at risk, and therefore make business travelers switch to U.S. carriers. On trying to make light of it with him, my friend stopped me and pointed out that the U.S. had just been very silly over steel and bananas and now BSE.

I get the feeling that in Britain support for the U.S. “war on terror” was at best marginal even amongst politicians. However the news that a man boarded an aircraft in the U.S. with five rounds of live ammunition in his pocket and was only detected in the UK has probably diminished the view to the point that it is now “U.S. security is incompetent and ineffectual.”

In the rest of Europe the view is decidedly less friendly, in that they see the war as being run by an “unelected incompetent trying to buy America out of a recession.”

The BA pilots saying no to sky marshals appears to be based on two fairly sensible grounds,

1: A gun that would be safe to use on an aircraft would be of too low a power to be effective against somebody wearing a stab-proof vest (these, by the way, being made of Kevlar and ceramic, do not show up on a lot of metal detectors and X-ray equipment). Therefore a gun is only a threat to passengers and crew, and the terrorists know this already.

2: Division of responsibility. Under international law the pilot is responsible for the aircraft and the passengers, A sky marshal would be unlikely to have the training to understand fully what behavior would endanger the aircraft and would in an emergency be very unlikely to defer to the pilot’s judgment, even if they had the time to ask.

Also a UK politician (who should have known better) tried to make a joke out of “Sky Marshals” whilst political point scoring. He said that there was too much jargon coming from the U.S., The inference was however that the “Texas Rangers would be shooting from the hip” on all U.S.-bound aircraft.

Overall, I think that the U.S. security measures have had a very bad effect on the credibility of the U.S. outside of the U.S., and that this is actually detrimental to the U.S. overall. Perhaps it is time for the three letter agencies to reassess the way they are currently doing things, before the damage is to great.

From: Steve Loughran <steve_loughran>
Subject: Diverting Aircraft and National Intelligence

The goal of terrorism is to spread terror, usually in the (mistaken) belief that this will force your opponent to change some aspect of their behavior. While physical acts of terrorism are the core way to achieve this, if terror can be spread without actually going to any risk, then all the better.

The IRA used to do this here in the UK; there was one period in 1993 when they started attacking bits of road infrastructure (like the Staples Corner M1/North Circular junction in North London). After a few of these, sometimes they would phone up a news source, give their identification keywords and name a few popular motorway intersections. The end result was transport chaos, as the police essentially shut down the main road backbone of the country. The IRA didn’t plant the bombs, but there was no way of knowing that without checking. And so the country had its roads shut down at no risk whatsoever to the active IRA members. Terrorism without effort or risk: all you need is a payphone and knowledge of the expected behaviors of the security forces. Best yet, because the feigned attacks can be achieved without loss of life, it does not incur any moral doubts by your supporters (in this case, anyone in the U.S. who donated money to “the cause,” the population of Crossmaglen, County Armagh, etc.).

Which brings me to the airlines. If all you need to do to bring high-profile disruption is to have the government intercept a phone call that names a flight, or a city and a key word “dirty-bomb,” then all you need to do is make such phone calls in a way that strives for “interception.” Or you predict what criteria passenger profiling will be using, and buy one-way tickets under suspicious names—with no intention of turning up at all.

I am not sure al-Qaeda have adopted such tactics yet—perhaps a belief in the glory of martyrdom has obscured their minds to the joy of survival—but given how massively the orange-alert governments are being seen to overreact, I would expect them to pick up the technique.

From: Mike Stay <staym>
Subject: Cryptogram: MS Word Forms Password

Eric Thompson of AccessData wrote a program more than ten years ago to reverse that particular hash on MS Word files; Microsoft never changed that protection. There’s almost identical functionality in Excel, with the same weakness. I wrote almost all the rest of the password crackers found at <…>. Of the 50 listed there, more than half work exactly the same way as the attack described on SecurityFocus; if you overwrite a few bytes with a hex editor, the password protection is gone, and can be restored just as easily.

From: Paul Schumacher <psch>
Subject: Security can be Terrorism’s Best Ally

Having worked in Psyops (psychological warfare) in the Army many years ago, I learned about the tactical use of psychology. One of my programs was about land crabs, and how they stripped the flesh from the bones of shipwrecked sailors too weak to crawl up off the beach. The night this was delivered to a battalion of Marines on the land-crab-infested beaches of Viaques, none of them got much sleep.

The point is that the real target of terrorism is the mind of the victim, not their body or property. Like a perverse form of jujitsu, the very security we put in place to protect us from terror attacks can be used as a key part of the attack.

For example, airports have dogs and devices for detecting the chemical emissions from explosives. If I took a small perfume sprayer and filled it with nitrobenzene (used in firearm bore cleaning solvents) and sprayed people’s luggage with it as they awaited security screening, the airport would soon be shut down due to the threat perceived by security. Or if I sprayed the seats in the airports lounge or restaurant, the bomb-sniffing dogs would become butt-sniffing dogs, to the major embarrassment of security. This last, while humorous, would go a long way toward discrediting the security force.

With both of these, I have both terrorized and inconvenienced the public. They have been kept from a timely departure, and reminded that they are vulnerable to terrorism. I have taken from the credibility of the security force by having them react, appropriately, to a situation that was a threat, but to the general public was not. How were they to know that my spray was just a physically harmless terror attack, and not a mask to cover a real attack? I have successfully attacked and terrorized the minds of everyone involved.

From: Tim Goudy <packrat42>
Subject: Voting booths and Camera phones

In the January 15th issue one of your readers, Andrew Odlyzko, stated that “The voting booth does provide some security against bribery and coercion, but only as long as we can stop camera phones from being used in them!” The implication is that camera-equipped cell phones will increase the risk of bribery and coercion by allowing the briber and/or coercer a means of verifying that a vote has been cast in accordance with their wishes. This is not, in fact, a significant risk.

Consider a hypothetical situation: Alice is going to her polling place to vote. On the way, she is approached by Bob, who wishes to bribe her to vote for a particular candidate. Alice is to send Bob an image of the completed ballot via her camera phone in order to verify that she has completed her part of the scheme. Inside the privacy of the voting booth, Alice marks her ballot as Bob has specified, photographs it, and sends Bob the image. Alice then approaches a poll worker and says “Excuse me, but I’ve mismarked my ballot. I need another one, please.” Alice then proceeds to vote for the candidate of her choice and also collect her bribe money from Bob. The risk of Bob discovering this is minimal, since there is no way to link Alice to a particular vote once it is cast.

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. Back issues are available on <>.

To subscribe, visit <> or send a blank message to To unsubscribe, visit <>.

Comments on CRYPTO-GRAM should be sent to Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane’s expert security analysts protect networks for Fortune 1000 companies world-wide. See <>.

Sidebar photo of Bruce Schneier by Joe MacInnis.