September 15, 2006
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0609.html>. These same essays appear in the “Schneier on Security” blog: <http://www.schneier.com/>. An RSS feed is available.
In this issue:
- What the Terrorists Want
- Details on the British Terrorist Arrest
- More Than 10 Ways to Avoid the Next 9/11
- Fifth Anniversary of September 11, 2001
- Crypto-Gram Reprints
- Educating Users
- Human/Bear Security Trade-Off
- Land Title Fraud
- Is There Strategic Software?
- Media Sanitization and Encryption
- What is a Hacker?
- Counterpane News
- Microsoft and FairUse4WM
- Comments from Readers
On August 16, two men were escorted off a plane headed for Manchester, England, because some passengers thought they looked either Asian or Middle Eastern, might have been talking Arabic, wore leather jackets, and looked at their watches — and the passengers refused to fly with them on board. The men were questioned for several hours and then released.
On August 15, an entire airport terminal was evacuated because someone’s cosmetics triggered a false positive for explosives. The same day, a Muslim man was removed from an airplane in Denver for reciting prayers. The Transportation Security Administration decided that the flight crew overreacted, but he still had to spend the night in Denver before flying home the next day. The next day, a Port of Seattle terminal was evacuated because a couple of dogs gave a false alarm for explosives.
On August 19, a plane made an emergency landing in Tampa, Florida, after the crew became suspicious because two of the lavatory doors were locked. The plane was searched, but nothing was found. Meanwhile, a man who tampered with a bathroom smoke detector on a flight to San Antonio was cleared of terrorism, but only after having his house searched.
On August 16, a woman suffered a panic attack and became violent on a flight from London to Washington, so the plane was escorted to the Boston airport by fighter jets. “The woman was carrying hand cream and matches but was not a terrorist threat,” said the TSA spokesman after the incident.
And on August 18, a plane flying from London to Egypt made an emergency landing in Italy when someone found a bomb threat scrawled on an air sickness bag. Nothing was found on the plane, and no one knows how long the note was on board.
I’d like everyone to take a deep breath and listen for a minute.
The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets, or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.
And we’re doing exactly what the terrorists want.
We’re all a little jumpy after the recent arrest of 23 terror suspects in Great Britain. The men were reportedly plotting a liquid-explosive attack on airplanes, and both the press and politicians have been trumpeting the story ever since.
In truth, it’s doubtful that their plan would have succeeded; chemists have been debunking the idea since it became public. Certainly the suspects were a long way off from trying: None had bought airline tickets, and some didn’t even have passports.
Regardless of the threat, from the would-be bombers’ perspective, the explosives and planes were merely tactics. Their goal was to cause terror, and in that they’ve succeeded.
Imagine for a moment what would have happened if they had blown up ten planes. There would be canceled flights, chaos at airports, bans on carry-on luggage, world leaders talking tough new security measures, political posturing and all sorts of false alarms as jittery people panicked. To a lesser degree, that’s basically what’s happening right now.
Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we’re terrified, and we share that fear, we help. All of these actions intensify and repeat the terrorists’ actions, and increase the effects of their terror.
(I am not saying that the politicians and press are terrorists, or that they share any of the blame for terrorist attacks. I’m not that stupid. But the subject of terrorism is more complex than it appears, and understanding its various causes and effects are vital for understanding how to best deal with it.)
The implausible plots and false alarms actually hurt us in two ways. Not only do they increase the level of fear, but they also waste time and resources that could be better spent fighting the real threats and increasing actual security. I’ll bet the terrorists are laughing at us.
Another thought experiment: Imagine for a moment that the British government arrested the 23 suspects without fanfare. Imagine that the TSA and its European counterparts didn’t engage in pointless airline security measures like banning liquids. And imagine that the press didn’t write about it endlessly, and that the politicians didn’t use the event to remind us all how scared we should be. If we’d reacted that way, then the terrorists would have truly failed.
It’s time we calm down and fight terror with anti-terror. This does not mean that we simply roll over and accept terrorism. There are things our government can and should do to fight terrorism, most of them involving intelligence and investigation — and not focusing on specific plots.
But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show’s viewership.
The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn’t make us any safer.
There have been many more incidents since I wrote this — all false alarms. I’ve stopped keeping a list.
The chemical unreality of the plot:
This essay also makes the same point that we’re overreacting, as well as describing a 1995 terrorist plot that was remarkably similar in both materials and modus operandi — and didn’t result in a complete ban on liquids.
My previous related writings:
This essay originally appeared in Wired:
Details are emerging:
* There was some serious cash flow from someone, presumably someone abroad.
* There was no imminent threat.
* However, the threat was real. And it seems pretty clear that it would have bypassed all existing airport security systems.
* The conspirators were radicalized by the war in Iraq, although it is impossible to say whether they would have been otherwise radicalized without it.
* They were caught through police work, not through any broad surveillance, and were under surveillance for more than a year.
What pisses me off most is the second item. By arresting the conspirators early, the police squandered the chance to learn more about the network and arrest more of them — and to present a less flimsy case. There have been many news reports detailing how the U.S. pressured the UK government to make the arrests sooner, possibly out of political motivations. (And then Scotland Yard got annoyed at the U.S. leaking plot details to the press, hampering their case.)
I still think that all of the new airline security measures are an overreaction. As I said on a radio interview a couple of weeks ago: “We ban guns and knives, and the terrorists use box cutters. We ban box cutters and corkscrews, and they hide explosives in their shoes. We screen shoes, and the terrorists use liquids. We ban liquids, and the terrorist will use something else. It’s not a fair game, because the terrorists get to see our security measures before they plan their attack.” And it’s not a game we can win. So let’s stop playing, and play a game we actually can win. The real lesson of the London arrests is that investigation and intelligence work.
The above URL is unavailable in the UK:
My initial comments on the arrests:
On 10 September 2006, the New York Times published a feature called “Ten Ways to Avoid the Next 9/11”: “The Op-Ed page asked 10 people with experience in security and counterterrorism to answer the following question: What is one major reason the United States has not suffered a major attack since 2001, and what is the one thing you would recommend the nation do in order to avoid attacks in the future?”
Actually, they asked more than 10, myself included. But some of us were cut because they didn’t have enough space. This was my essay:
Despite what you see in the movies and on television, it’s actually very difficult to execute a major terrorist act. It’s hard to organize, plan, and execute an attack, and it’s all too easy to slip up and get caught. Combine that with our intelligence work tracking terrorist cells and interdicting terrorist funding, and you have a climate where major attacks are rare. In many ways, the success of 9/11 was an anomaly; there were many points where it could have failed. The main reason we haven’t seen another 9/11 is that it isn’t as easy as it looks.
Much of our counterterrorist efforts are nothing more than security theater: ineffectual measures that look good. Forget the war on terror; the difficulty isn’t killing or arresting the terrorists, it’s finding them. Terrorism is a law enforcement problem, and needs to be treated as such. For example, none of our post-9/11 airline security measures would have stopped the London shampoo bombers. The lesson of London is that our best defense is intelligence and investigation. Rather than spending money on airline security, or sports stadium security — measures that require us to guess the plot correctly in order to be effective — we’re better off spending money on measures that are effective regardless of the plot.
Intelligence and investigation have kept us safe from terrorism in the past, and will continue to do so in the future. If the CIA and FBI had done a better job of coordinating and sharing data in 2001, 9/11 would have been another failed attempt. Coordination has gotten better, and those agencies are better funded — but it’s still not enough. Whenever you read about the billions being spent on national ID cards or massive data mining programs or new airport security measures, think about the number of intelligence agents that the same money could buy. That’s where we’re going to see the greatest return on our security investment.
It occurs to me that many people here didn’t read what I wrote a few days after 9/11, or what I wrote a couple of weeks after that.
Crypto-Gram is currently in its ninth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram-back.html>. These are a selection of articles that appeared in this calendar month in other years.
Hurricane Katrina and Security:
Trusted Computing Best Practices:
Security at the Olympics:
Trusted Traveler program:
Accidents and Security Incidents:
Special issue on 9/11, including articles on airport security, biometrics, cryptography, steganography, intelligence failures, and protecting liberty:
Full Disclosure and the Window of Exposure:
I’ve met users, and they’re not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they’re not technologists, let alone security people. Of course they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile.
Part of the problem is generational. We’ve seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach newfangled technologies with trepidation, distrust, and confusion, while the children who grew up with them understand them intuitively.
But while the don’t-get-it generation will die off eventually, we won’t suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there’s no time for any generation to become fluent in anything.
Earlier this year, researchers ran an experiment in London’s financial district. Someone stood on a street corner and handed out CDs, saying they were a “special Valentine’s Day promotion.” Many people, some working at sensitive bank workstations, ran the program on the CDs on their work computers. The program was benign — all it did was alert some computer on the Internet that it was running — but it could just have easily been malicious. The researchers concluded that users don’t care about security. That’s simply not true. Users care about security — they just don’t understand it.
I don’t see a failure of education; I see a failure of technology. It shouldn’t have been possible for those users to run that CD, or for a random program stuffed into a banking computer to “phone home” across the Internet.
The real problem is that computers don’t work well. The industry has convinced everyone that people need a computer to survive, and at the same time it’s made computers so complicated that only an expert can maintain them.
If I try to repair my home heating system, I’m likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there’s no point in trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if anything goes wrong.
Punishment isn’t something you do instead of education; it’s a form of education — a very primal form of education best suited to children and animals (and experts aren’t so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.
This originally appeared in the April 2006 issue of “Information Security Magazine,” as the second part of a point/counterpoint with Marcus Ranum. You can read Marcus’s essay here:
I like this example from SlashDot: “Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open — you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it’s actually quite tricky to get the design of these cans just right. Make it *too* complex and people can’t get them open to put away their garbage in the first place. Said one park ranger, ‘There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.'”
It’s a tough balance to strike. People are smart, but they’re impatient and unwilling to spend a lot of time solving the problem. Bears are dumb, but they’re tenacious and are willing to spend hours solving the problem. Given those two constraints, creating a trash can that can both work for people and not work for bears is not easy.
There seems to be a small epidemic of land title fraud in Ontario, Canada.
What happens is someone impersonates the homeowner, and then sells the house out from under him. The former owner is still liable for the mortgage, but can’t get in his former house. Cleaning up the problem takes a lot of time and energy.
The problem is one of economic incentives. If banks were held liable for fraudulent mortgages, then the problem would go away really quickly. But as long as they’re not, they have no incentive to ensure that this fraud doesn’t occur. (They have some incentive, because the fraud costs them money, but as long as the few fraud cases cost less than ensuring the validity of *every* mortgage, they’ll just ignore the problem and eat the losses when fraud occurs.)
Last year, New York City implemented a program of random bag searches in the subways. It was a silly idea, and I wrote about it then. Recently the U.S. Court of Appeals for the 2nd Circuit upheld the program. Daniel Solove wrote about the ruling.
My commentary from last year:
A futile attempt to improve the security of Japan’s hanko identification system.
A 1963 FBI book in fingerprinting, with an introduction by J. Edgar Hoover, is on Project Gutenberg
You can buy a real copy here.
A 2001 story about people dressing up as Australian census takers to collect personal data for fraudulent purposes.
The age of this story makes it more interesting. This is the sort of identity-theft tactic that I would have expected to see this year, as criminals have gotten more and more sophisticated. It surprises me that they were doing this five years ago as well.
“Ten Worst Privacy Debacles of All Time.” Not a bad list.
Daniel Solove comments:
“You are what you say: privacy risks of public mentions,” Proceedings of the 29th Annual International ACM SIGIR Conference on Research and Development in Information Retrieval, 2006.
Kobi Alexander fled the United States ten days ago. He was tracked down in Sri Lanka via a Skype call. Ars Technica explains: “The fugitive former CEO may have been convinced that using Skype made him safe from tracking, but he — and everyone else that believes VoIP is inherently more secure than a landline — was wrong. Tracking anonymous peer-to-peer VoIP traffic over the Internet is possible. In fact, it can be done even if the parties have taken some steps to disguise the traffic.” Let this be a warning to all of you who thought Skype was anonymous.
Stephen Colbert on protecting your computer:
Stupid Security Award nominations open:
Call forwarding credit card scam:
World War II statistics-and-security story: estimating the number of tanks the Germans produced:
“The Dread Pirate Bin Ladin” argues that, legally, terrorists should be treated as pirates under international law:
Ross Anderson’s “Security Engineering” is a great book. And I’m not saying that because I wrote the foreword. Since it was published in 2001, I have regularly recommended it to engineers interested in security. None of this is news. What is news is that you can download the book, free and legally.
Some news about behavioral profiling as a counterterrorism measure:
And behavioral profiling caught Warren Jeffs:
Don’t use Browzar:
An anti-terrorism expert claimed to have smuggled a bomb onto an airplane, twice. Then he recanted. Near as I can tell, he’s an idiot.
Airport security cartoons, lots of them:
This is absolutely essential reading for anyone interested in how the U.S. is prosecuting terrorism. Put aside the rhetoric and the posturing; this is what is actually happening. Transactional Records Access Clearinghouse (TRAC) puts this data together by looking at Justice Department records. The data research organization is connected to Syracuse University, and has been doing this sort of thing — tracking what federal agencies actually do rather than what they say they do — for over fifteen years.
I am particularly entertained by the Justice Department’s rebuttal, which basically just calls the study names without offering any substantive criticism:
People sell, give away, and throw away their cell phones without even thinking about the data still on them:
More and more, our data is not really under our control. We store it on devices and third-party websites, or on our own computer. We try to erase it, but we really can’t. We try to control its dissemination, but it’s harder and harder.
California is about to secure wireless networks with stickers:
An August 2005 cover story from Business Week on “The State of Surveillance”:
A CIO Insight article on the death of privacy:
And here’s my essay on “The Future of Privacy.”
Bomb or not? Can you identify the bomb:
In related news, here’s a guy who makes it through security with a live vibrator in his pants.
There’s also a funny video on Dutch TV. A screener scans a passenger’s bag, putting aside several obvious bags of cocaine to warn him about a very tiny nail file.
Here’s where to buy stuff seized at Boston’s Logan Airport. I also read somewhere that some stuff ends up on eBay.
And finally, Quinn Norton said: “I think someone should try to blow up a plane with a piece of ID, just to watch the TSA’s mind implode.”
The chairman of Hewlett-Packard, annoyed at leaks, hired investigators to track down the phone records (including home and cell) of the other HP board members. One board member resigned because of this. The leaker has refused to resign, although he has been outed. Note that the article says that the investigators used “pretexting,” which is illegal.
Police lose Semtex during test. Oops. It’s only eight ounces of the stuff, but still….
Digital snooping for the masses:
Notes from the Hash Function Workshop:
Seems like Sudanese customs officials are seizing laptops from people entering the country and checking the data on their hard drives. While the stated reason is pornography, anyone bringing a computer into the country should be concerned about personal information, writing that might be deemed political by the Sudanese authorities, confidential business information, and so on.
This should be a concern regardless of the border you cross. Your privacy rights when trying to enter a country are minimal, and this kind of thing could happen anywhere. (I have heard anecdotal stories about Israel doing this, but don’t have confirmation.) If you’re bringing a laptop across an international border, you should clean off all unnecessary files and encrypt the rest.
Turing Bombe recreated at Bletchley Park:
Burglars foil alarm system. Clever hack I talked about in Beyond Fear:
A paper from the CATO Institute: “Doublespeak and the War on Terrorism”:
Defeating a coin-op photocopy machine with a paper clip:
Article on industrial spying. Lots of hype, but interesting nonetheless:
Ed Felten and his team at Princeton have analyzed a Diebold AccuVote-TS machine, and they have discovered all sorts of vulnerabilities. They’re able to introduce a virus that flips votes, and automatically spreads from machine to machine. Amazing stuff. Diebold, of course, is pretending that there’s no problem.
Video demonstration: http://itpolicy.princeton.edu/voting/videos.html
“The Onion” on airport security oversights:
And a cryptography cartoon:
If you define “critical infrastructure” as “things essential for the functioning of a society and economy,” then software is critical infrastructure. For many companies and individuals, if their computers stop working, they stop working.
It’s a situation that snuck up on us. Everyone knew that the software that flies 747s or targets cruise missiles was critical, but who thought of the airlines’ weight and balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where?
And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today we find ourselves in a situation where a well-positioned flaw in Windows, Cisco routers or Apache could seriously affect the economy.
It’s perfectly rational to assume that some programmers — a tiny minority I’m sure — are deliberately adding vulnerabilities and back doors into the code they write. I’m actually kind of amazed that back doors secretly added by the CIA/NSA, MI5, the Chinese, Mossad and others don’t conflict with each other. Even if these groups aren’t infiltrating software companies with back doors, you can be sure they’re scouring products for vulnerabilities they can exploit, if necessary. On the other hand, we’re already living in a world where dozens of new flaws are discovered in common software products weekly, and the economy is humming along. But we’re not talking about this month’s worm from Asia or new phishing software from the Russian mafia — we’re talking national intelligence organizations. “Infowar” is an overhyped term, but the next war will have a cyberspace component, and these organizations wouldn’t be doing their jobs if they weren’t preparing for it.
Marcus is 100 percent correct when he says it’s simply too late to do anything about it. The software industry is international, and no country can start demanding domestic-only software and expect to get anywhere. Nor would that actually solve the problem, which is more about the allegiance of millions of individual programmers than which country they happen to inhabit.
So, what to do? The key here is to remember the real problem: current commercial software practices are not secure enough to reliably detect and delete deliberately inserted malicious code. Once you understand this, you’ll drop the red herring arguments that led to CheckPoint not being able to buy Sourcefire and concentrate on the real solution: defense in depth.
In theory, security software is an after-the-fact kludge because the underlying OS and apps are riddled with vulnerabilities. If your software were written properly, you wouldn’t need a firewall — right?
If we were to get serious about critical infrastructure, we’d recognize it’s all critical and start building security software to protect it. We’d build our security based on the principles of safe failure; we’d assume security would fail and make sure it’s OK when it does. We’d use defense in depth and compartmentalization to minimize the effects of failure. Basically, we’d do everything we’re supposed to do now to secure our networks.
It’d be expensive, probably prohibitively so. Maybe it would be easier to continue to ignore the problem, or at least manage geopolitics so that no national military wants to take us down.
This is the second half of a point/counterpoint I did with Marcus Ranum the September 2006 issue of “Information Security Magazine.” Here’s his half:
Last week NIST released Special Publication 800-88, “Guidelines for Media Sanitization.”
There is a new paragraph in this document (page 7) that was not in the draft version: “Encryption is not a generally accepted means of sanitization. The increasing power of computers decreases the time needed to crack cipher text and therefore the inability to recover the encrypted data can not be assured.”
I have to admit that this doesn’t make any sense to me. If the encryption is done properly, and if the key is properly chosen, then erasing the key — and all copies — is equivalent to erasing the files. And if you’re using full-disk encryption, then erasing the key is equivalent to sanitizing the drive. For that not to be true means that the encryption program isn’t secure.
I think NIST is just confused.
A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.
I wrote that last sentence in the year 2000, in my book “Beyond Fear.” And I’m sticking to that definition.
This is what else I wrote in “Beyond Fear”:
“Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn’t. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife’s teeth. A good hacker would have counted his wife’s teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.)
“When I was in college, I knew a group similar to hackers: the key freaks. They wanted access, and their goal was to have a key to every lock on campus. They would study lockpicking and learn new techniques, trade maps of the steam tunnels and where they led, and exchange copies of keys with each other. A locked door was a challenge, a personal affront to their ability. These people weren’t out to do damage — stealing stuff wasn’t their objective — although they certainly could have. Their hobby was the power to go anywhere they wanted to.
“Remember the phone phreaks of yesteryear, the ones who could whistle into payphones and make free phone calls. Sure, they stole phone service. But it wasn’t like they needed to make eight-hour calls to Manila or McMurdo. And their real work was secret knowledge: The phone network was a vast maze of information. They wanted to know the system better than the designers, and they wanted the ability to modify it to their will. Understanding how the phone system worked — that was the true prize. Other early hackers were ham-radio hobbyists and model-train enthusiasts.
“Richard Feynman was a hacker; read any of his books.
“Computer hackers follow these evolutionary lines. Or, they are the same genus operating on a new system. Computers, and networks in particular, are the new landscape to be explored. Networks provide the ultimate maze of steam tunnels, where a new hacking technique becomes a key that can open computer after computer. And inside is knowledge, understanding. Access. How things work. Why things work. It’s all out there, waiting to be discovered.”
Computers are the perfect playground for hackers. Computers, and computer networks, are vast treasure troves of secret knowledge. The Internet is an immense landscape of undiscovered information. The more you know, the more you can do.
And it should be no surprise that many hackers have focused their skills on computer security. Not only is it often the obstacle between the hacker and knowledge, and therefore something to be defeated, but also the very mindset necessary to be good at security is exactly the same mindset that hackers have: thinking outside the box, breaking the rules, exploring the limitations of a system. The easiest way to break a security system is to figure out what the system’s designers hadn’t thought of: that’s security hacking.
Hackers cheat. And breaking security regularly involves cheating. It’s figuring out a smart card’s RSA key by looking at the power fluctuations, because the designers of the card never realized anyone could do that. It’s self-signing a piece of code, because the signature-verification system didn’t think someone might try that. It’s using a piece of a protocol to break a completely different protocol, because all previous security analysis only looked at protocols individually and not in pairs.
That’s security hacking: breaking a system by thinking differently.
It all sounds criminal: recovering encrypted text, fooling signature algorithms, breaking protocols. But honestly, that’s just the way we security people talk. Hacking isn’t criminal. All the examples two paragraphs above were performed by respected security professionals, and all were presented at security conferences.
I remember one conversation I had at a Crypto conference, early in my career. It was outside amongst the jumbo shrimp, chocolate-covered strawberries, and other delectables. A bunch of us were talking about some cryptographic system, including Brian Snow of the NSA. Someone described an unconventional attack, one that didn’t follow the normal rules of cryptanalysis. I don’t remember any of the details, but I remember my response after hearing the description of the attack.
“That’s cheating,” I said.
Because it was.
I also remember Brian turning to look at me. He didn’t say anything, but his look conveyed everything. “There’s no such thing as cheating in this business.”
Because there isn’t.
Hacking is cheating, and it’s how we get better at security. It’s only after someone invents a new attack that the rest of us can figure out how to defend against it.
For years I have refused to play the semantic “hacker” vs. “cracker” game. There are good hackers and bad hackers, just as there are good electricians and bad electricians. “Hacker” is a mindset and a skill set; what you do with it is a different issue.
And I believe the best computer security experts have the hacker mindset. When I look to hire people, I look for someone who can’t walk into a store without figuring out how to shoplift. I look for someone who can’t test a computer security program without trying to get around it. I look for someone who, when told that things work in a particular way, immediately asks how things stop working if you do something else.
We need these people in security, and we need them on our side. Criminals are always trying to figure out how to break security systems. Field a new system — an ATM, an online banking system, a gambling machine — and criminals will try to make an illegal profit off it. They’ll figure it out eventually, because some hackers are also criminals. But if we have hackers working for us, they’ll figure it out first — and then we can defend ourselves.
It’s our only hope for security in this fast-moving technological world of ours.
This essay appeared in the Summer 2006 issue of “2600.”
Counterpane has a new application security assessment service:
Schneier is speaking via teleconference at the Hack-in-the-Box Conference, September 20, in Kuala Lumpur, Malaysia:
Schneier is speaking at the University of Southern California, September 26, in Los Angeles:
Schneier is speaking at the ACLU National Capital Area President’s Committee Dinner, September 27, in Washington, DC.
Schneier is speaking at Michigan Technical University, October 2, in Houghton, MI.
Schneier is speaking at Sandia National Laboratories, October 5, in Livermore, CA.
Schneier is speaking at “Security Takes Off,” October 9, in Malmoe, Sweden.
Schneier is speaking at Information Security Solutions Europe, October 10, in Rome.
Schneier was interviewed for Martin McKeay’s security podcast.
Bruce Schneier Facts:
Some of these are pretty funny. And no, I had nothing to do with it.
In the wake of AOL’s publication of search data, and the “New York Times” article demonstrating how easy it is to figure out who did the searching, we have TrackMeNot:
“TrackMeNot runs in Firefox as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and MSN. It hides users’ actual search trails in a cloud of indistinguishable ‘ghost’ queries, making it difficult, if not impossible, to aggregate such data into accurate or identifying user profiles. TrackMeNot integrates into the Firefox ‘Tools’ menu and includes a variety of user-configurable options.”
Let’s count the ways this doesn’t work.
One, it doesn’t hide your searches. If the government wants to know who’s been searching on “al Qaeda recruitment centers,” it won’t matter that you’ve made ten thousand other searches as well — you’ll be targeted.
Two, it’s too easy to spot. There are only 1,673 search terms in the program’s dictionary. Here, as a random example, are the program’s “G” words: gag, gagged, gagging, gags, gas, gaseous, gases, gassed, gasses, gassing, gen, generate, generated, generates, generating, gens, gig, gigs, gillion, gillions, glass, glasses, glitch, glitched, glitches, glitching, glob, globed, globing, globs, glue, glues, gnarlier, gnarliest, gnarly, gobble, gobbled, gobbles, gobbling, golden, goldener, goldenest, gonk, gonked, gonking, gonks, gonzo, gopher, gophers, gorp, gorps, gotcha, gotchas, gribble, gribbles, grind, grinding, grinds, grok, grokked, grokking, groks, ground, grovel, groveled, groveling, grovelled, grovelling, grovels, grue, grues, grunge, grunges, gun, gunned, gunning, guns, guru, gurus
The program’s authors claim that this list is temporary, and that there will eventually be a TrackMeNot server with an ever-changing word list. Of course, that list can be monitored by any analysis program — as could any queries to that server.
In any case, every twelve seconds — exactly — the program picks a random pair of words and sends it to either AOL, Yahoo, MSN, or Google. My guess is that your searches contain more than two words, you don’t send them out in precise twelve-second intervals, and you favor one search engine over the others.
Three, some of the program’s searches are worse than yours. The dictionary includes: HIV, atomic, bomb, bible, bibles, bombing, bombs, boxes, choke, choked, chokes, choking, chain, crackers, empire, evil, erotics, erotices, fingers, knobs, kicking, harier, hamster, hairs, legal, letterbomb, letterbombs, mailbomb, mailbombing, mailbombs, rapes, raping, rape, raper, rapist, virgin, warez, warezes, whack, whacked, whacker, whacking, whackers, whacks, pistols
Does anyone really think that searches on “erotic rape,” “mailbombing bibles,” and “choking virgins” will make their legitimate searches less noteworthy?
And four, it wastes a whole lot of bandwidth. A query every twelve seconds translates into 2,400 queries a day, assuming an eight-hour workday. A typical Google response is about 25K, so we’re talking 60 megabytes of additional traffic daily. Imagine if everyone in the company used it.
I suppose this kind of thing would stop someone who has a paper printout of your searches and is looking through them manually, but it’s not going to hamper computer analysis very much. Or anyone who isn’t lazy. But it wouldn’t be hard for a computer profiling program to ignore these searches.
As one commentator put it: “Imagine a cop pulls you over for speeding. As he approaches, you realize you left your wallet at home. Without your driver’s license, you could be in a lot of trouble. When he approaches, you roll down your window and shout. “Hello Officer! I don’t have insurance on this vehicle! This car is stolen! I have weed in my glovebox! I don’t have my driver’s license! I just hit an old lady minutes ago! I’ve been running stop lights all morning! I have a dead body in my trunk! This car doesn’t pass the emissions tests! I’m not allowed to drive because I am under house arrest! My gas tank runs on the blood of children!” You stop to catch a breath, confident you have supplied so much information to the cop that you can’t possibly be caught for not having your license now.”
Yes, data mining is a signal-to-noise problem. But artificial noise like this isn’t going to help much. If I were going to improve on this idea, I would make the plugin watch the user’s search patterns. I would make it send queries only to the search engines the user does, only when he is actually online doing things. I would randomize the timing. (There’s a comment to that effect in the code, so presumably this will be fixed in a later version of the program.) And I would make it monitor the web pages the user looks at, and send queries based on keywords it finds on those pages. And I would make it send queries in the form the user tends to use, whether it be single words, pairs of words, or whatever.
But honestly, I don’t know that I would use it even then. The way serious people protect their web-searching privacy is through anonymization. Use Tor for serious web anonymization. Or Black Box Search for simple anonymous searching (there’s a Greasemonkey extension that does that automatically). And set your browser to delete search engine cookies regularly.
USBDumper is a cute little utility that silently copies the contents of an inserted USB drive onto the PC. The idea is that you install this piece of software on your computer, or on a public PC, and then you collect the files — some of them personal and confidential — from anyone who plugs his USB drive into that computer. (There’s a similar program that downloads a disk image, allowing someone to recover deleted files as well.)
No big deal to anyone who worries about computer security for a living, but probably a rude shock to salespeople, conference presenters, file sharers, and many others who regularly plug their USB drives into strange PCs.
If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.
Security patches used to be rare. Software vendors were happy to pretend that vulnerabilities in their products were illusory — and then quietly fix the problem in the next software release.
That changed with the full disclosure movement. Independent security researchers started going public with the holes they found, making vulnerabilities impossible for vendors to ignore. Then worms became more common; patching — and patching quickly — became the norm.
But even now, no software vendor likes to issue patches. Every patch is a public admission that the company made a mistake. Moreover, the process diverts engineering resources from new development. Patches annoy users by making them update their software, and piss them off even more if the update doesn’t work properly.
For the vendor, there’s an economic balancing act: how much more will your users be annoyed by unpatched software than they will be by the patch, and is that reduction in annoyance worth the cost of patching?
Since 2003, Microsoft’s strategy to balance these costs and benefits has been to batch patches: instead of issuing them one at a time, it’s been issuing them all together on the second Tuesday of each month. This decreases Microsoft’s development costs and increases the reliability of its patches.
The user pays for this strategy by remaining open to known vulnerabilities for up to a month. On the other hand, users benefit from a predictable schedule: Microsoft can test all the patches that are going out at the same time, which means that patches are more reliable and users are able to install them faster with more confidence.
In the absence of regulation, software liability, or some other mechanism to make unpatched software costly for the vendor, Patch Tuesday is the best users are likely to get.
Why? Because it makes near-term financial sense to Microsoft. The company is not a public charity, and if the Internet suffers, or if computers are compromised *en masse*, the economic impact on Microsoft is still minimal.
Microsoft is in the business of making money, and keeping users secure by patching its software is only incidental to that goal.
There’s no better example of this of this principle in action than Microsoft’s behavior around the vulnerability in its digital rights management software PlaysForSure.
In August, a hacker developed an application called FairUse4WM that strips the copy protection from Windows Media DRM 10 and 11 files.
Now, this isn’t a “vulnerability” in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: “Oh no. I can now play the music I bought for my computer in my car. I must install a patch so I can’t do that anymore.”
But to Microsoft, this vulnerability is a big deal. It affects the company’s relationship with major record labels. It affects the company’s product offerings. It affects the company’s bottom line. Fixing this “vulnerability” is in the company’s best interest; never mind the customer.
So Microsoft wasted no time; it issued a patch three days after learning about the hack. There’s no month-long wait for copyright holders who rely on Microsoft’s DRM.
This clearly demonstrates that economics is a much more powerful motivator than security.
It should surprise no one that the system didn’t stay patched for long. FairUse4WM 1.2 gets around Microsoft’s patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files. And four days later, Microsoft issued another patch.
That’s where things stand now. Any guess on how long it will take the FairUse4WM people to update their software? And then how long before Microsoft to patch once again?
Certainly much less time than it will take Microsoft and the recording industry to realize they’re playing a losing game, and that trying to make digital files uncopyable is like trying to make water not wet.
If Microsoft abandoned this Sisyphean effort and put the same development effort into building a fast and reliable patching system, the entire Internet would benefit. But simple economics says it probably never will.
BSkyB halts download service because of the breaks.
A version of this essay originally appeared on Wired.com.
There are hundreds of comments — many of them interesting — on these topics on my blog. Search for the story you want to comment on, and join in.
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Comments on CRYPTO-GRAM should be sent to firstname.lastname@example.org. Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Counterpane is the world’s leading protector of networked information – the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2006 by Bruce Schneier.