May 15, 2009
by Bruce Schneier
Chief Security Technology Officer, BT
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0905.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.
In this issue:
- Fourth Annual Movie-Plot Threat Contest Winner
- Book Review: The Science of Fear
- An Expectation of Online Privacy
- Malicious Contamination of the Food Supply
- Unfair and Deceptive Data Trade Practices
- Schneier News
- Mathematical Illiteracy
- Comments from Readers
For this contest, the goal was "to find an existing event somewhere in the industrialized world -- Third World events are just too easy -- and provide a conspiracy theory to explain how the terrorists were really responsible."
I thought it was straightforward enough, but, honestly, I wasn't very impressed with the submissions. Nothing surprised me with its cleverness. There were scary entries and there were plausible entries, but hardly any were both at the same time. And I was amazed by how many people didn't bother to read the rules at all, and just submitted movie-plot threats.
But after reading through the entries, I have chosen a winner. It's HJohn, for his kidnap-blackmail-terrorist connection: "Though recent shooting sprees in churches, nursing homes, and at family outings appear unrelated, a terrifying link has been discovered. All perpetrators had small children who were abducted by terrorists, and perpetrators received a video of their children with hooded terrorists warning that their children would be beheaded if they do not engage in the suicidal rampage. The terror threat level has been raised to red as profiling, known associations, and criminal history are now useless in detecting who will be the next terrorist sniper or airline hijacker. Anyone who loves their children may be a potential terrorist."
Fairly plausible, and definitely scary. Congratulations, HJohn.
A copy of this article, with all embedded links, is here:
Daniel Gardner's The Science of Fear was published last July, but I've only just gotten around to reading it. That was a big mistake. It's a fantastic look at how humans deal with fear: exactly the kind of thing I have been reading and writing about for the past couple of years. It's the book I wanted to write, and it's a great read.
Gardner writes about how the brain processes fear and risk, how it assesses probability and likelihood, and how it makes decisions under uncertainty. The book talks about all the interesting psychological studies -- cognitive psychology, evolutionary psychology, behavioral economics, experimental philosophy -- that illuminate how we think and act regarding fear. The book also talks about how fear is used to influence people, by marketers, by politicians, by the media. And lastly, the book talks about different areas where fear plays a part: health, crime, terrorism.
There have been a lot of books published recently that apply these new paradigms of human psychology to different domains -- to randomness, to traffic, to rationality, to art, to religion, and etc. -- but after you read a few you start seeing the same dozen psychology experiments over and over again. Even I did it, when I wrote about the psychology of security. But Gardner's book is different: he goes further, explains more, demonstrates his point with the more obscure experiments that most authors don't bother seeking out. His writing style is both easy to read and informative, a nice mix of data an anecdote. The flow of the book makes sense. And his analysis is spot-on.
My only problem with the book is that Gardner doesn't use standard names for the various brain heuristics he talks about. Yes, his names are more intuitive and evocative, but they're wrong. If you have already read other books in the field, this is annoying because you have to constantly translate into standard terminology. And if you haven't read anything else in the field, this is a real problem because you'll be needlessly confused when you read about these things in other books and articles.
So here's a handy conversion chart. Print it out and tape it to the inside front cover. Print another copy out and use it as a bookmark.
Rule of Typical Things = representativeness heuristic
Example Rule = availability heuristic
Good-Bad Rule = affect heuristic
confirmation bias = confirmation bias
That's it. That's the only thing I didn't like about the book. Otherwise, it's perfect. It's the book I wish I had written. Only I don't think I would have done as good a job as Gardner did. The Science of Fear should be required reading for...well, for everyone.
The paperback will be published in June.
A copy of this essay, with all embedded links, is here:
If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail. Well, you and your ISP. And the sender's ISP. And any backbone provider who happens to route that mail from the sender to you. And, if you read your personal mail from work, your company. And, if they have taps at the correct points, the NSA and any other sufficiently well-funded government intelligence organization -- domestic and international.
You could encrypt your mail, of course, but few of us do that. Most of us now use webmail. The general problem is that, for the most part, your online data is not under your control. Cloud computing and software as a service exacerbate this problem even more.
Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you're relying on that company to keep your data private. If you use Google Docs, you're relying on Google. This is why the Electronic Privacy Information Center recently filed a complaint with the Federal Trade Commission: many of us are relying on Google's security, but we don't know what it is.
This is new. Twenty years ago, if someone wanted to look through your correspondence, he had to break into your house. Now, he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your office; now it's on a computer owned by a telephone company. Your financial accounts are on remote websites protected only by passwords; your credit history is collected, stored, and sold by companies you don't even know exist.
And more data is being generated. Lists of books you buy, as well as the books you look at, are stored in the computers of online booksellers. Your affinity card tells your supermarket what foods you like. What were cash transactions are now credit card transactions. What used to be an anonymous coin tossed into a toll booth is now an EZ Pass record of which highway you were on, and when. What used to be a face-to-face chat is now an e-mail, IM, or SMS conversation -- or maybe a conversation inside Facebook.
Remember when Facebook recently changed its terms of service to take further control over your data? They can do that whenever they want, you know.
We have no choice but to trust these companies with our security and privacy, even though they have little incentive to protect them. Neither ChoicePoint, Lexis Nexis, Bank of America, nor T-Mobile bears the costs of privacy violations or any resultant identity theft.
This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. If the police want to read the e-mail on your computer, they need a warrant; but they don't need one to read it from the backup tapes at your ISP.
This isn't a technological problem; it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant -- even though it occurred at the phone company switching office and not in the target's home or office -- the Supreme Court must recognize that reading personal e-mail at an ISP is no different.
This essay was originally published on the SearchSecurity.com website, as the second half of a point/counterpoint with Marcus Ranum.
Hacking a Time Magazine poll. Not particularly subtle, but clever nonetheless:
Department of Homeland Security recruitment drive:
Funny "war on photography" anecdote:
I was going to write a commentary on NSA Director General Alexander's keynote speech at the RSA Conference, but he didn't actually *say* anything.
Low-tech impersonation trick at restaurants:
Encrypting your USB drive is smart. Writing the encryption key down is smart. Writing it on a piece of paper and attaching it to the USB drive is not.
Hacking U.S. military satellites is more widespread than you might think:
Fake facts on Twitter: the medium makes authentication hard.
Remember those terrorism arrests that the UK government conducted, after a secret document was accidentally photographed? No one was charged:
Cell phones and hostage situations:
This apparently non-ironic video warns that people might impersonate census workers in an effort to rob you. But while you shouldn't trust the ID of a stranger, you should trust that same stranger to give you a phone number where you can verify that ID. This, of course, makes no sense.
Preventing impersonation is hard.
"No-fly" also means "no-flyover": plane from Paris to Mexico isn't allowed to fly over the United States.
Lessons from the Columbine school shooting: it's not the high-tech gear, but trained and alert staff that actually make a difference:
Ireland does away with electronic voting, returning to paper ballots again. Smart country.
A sad tale of fingerprint biometrics gone wrong. Amusing and interesting:
Interesting article from The New York Times on preparing for cyberwar:
And yet another New York Times cyberwar article, from two days later:
I was particularly disturbed by the last paragraph of the newspaper article: "Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose." Nuclear war is not a suitable response to a cyberattack.
Law professor Googles Justice Scalia just to see what he can collect. Scalia isn't amused:
Security considerations in the evolution of the human penis: a fascinating bit of evolutionary biology
The U.S. Air Force is using a secure version of MS Windows:
Lie detector charlatans:
Virginia health data held for ransom:
MI6 and a lost memory stick:
The Zeus Trojan has a self-destruct option:
This is bad. I see it as a sign that the botnet wars are heating up, and botnet designers would rather destroy their networks than have them fall into "enemy" hands.
Using surveillance cameras to detect cashier cheating.
Software problems with a breath alcohol detector.
A Wisconsin appeals court has ruled that the police do not need a warrant to place a GPS tracking device on someone's car:
Terrorists attacking our food supply is a nightmare scenario that has been given new life during the recent swine flu outbreak. Although it seems easy to do, understanding why it hasn't happened is important. G.R. Dalziel, at the Nanyang Technological University in Singapore, has written a report chronicling every confirmed case of malicious food contamination in the world since 1950: 365 cases in all, plus 126 additional unconfirmed cases. What he found demonstrates the reality of terrorist food attacks.
It turns out 72% of the food poisonings occurred at the end of the food supply chain -- at home -- typically by a friend, relative, neighbor, or co-worker trying to kill or injure a specific person. A characteristic example is Heather Mook of York, who in 2007 tried to kill her husband by putting rat poison in his spaghetti.
Most of these cases resulted in fewer than five casualties -- Mook only injured her husband in this incident -- although 16% resulted in five or more. Of the 19 cases that claimed 10 or more lives, four involved serial killers operating over several years.
Another 23% of cases occurred at the retail or food service level. A 1998 incident in Japan, where someone put arsenic in a curry sold at a summer festival, killing four and hospitalizing 63, is a typical example. Only 11% of these incidents resulted in 100 or more casualties, while 44% resulted in none.
There are very few incidents of people contaminating the actual food supply. People deliberately contaminated a water supply seven times, resulting in three deaths. There is only one example of someone deliberately contaminating a crop before harvest -- in Australia in 2006 -- and the crops were recalled before they could be sold. And in the three cases of someone deliberately contaminating food during packaging and distribution, including a 2005 case in the UK where glass and needles were baked into loaves of bread, no one died or was injured.
This isn't the stuff of bioterrorism. The closest example occurred in 1984 in the US, where members of a religious group known as the Rajneeshees contaminated several restaurant salad bars with salmonella enterica typhimurium, sickening 751, hospitalizing 45, but killing no one. In fact, no one knew this was malicious until a year later, when one of the perpetrators admitted it.
Almost all of the food contaminations used conventional poisons such as cyanide, drain cleaner, mercury, or weed killer. There were nine incidents of biological agents, including salmonella, ricin, and fecal matter, and eight cases of radiological matter. The 2006 London poisoning of the former KGB agent Alexander Litvinenko with polonium-210 in his tea is an example of the latter.
And that assassination illustrates the real risk of malicious food poisonings. What is discussed in terrorist training manuals, and what the CIA is worried about, is the use of contaminated food in targeted assassinations. The quantities involved for mass poisonings are too great, the nature of the food supply too vast and the details of any plot too complicated and unpredictable to be a real threat. That becomes crystal clear as you read the details of the different incidents: it's hard to kill one person, and very hard to kill dozens. Hundreds, thousands: it's just not going to happen any time soon. The fear of bioterror is much greater, and the panic from any bioterror scare will injure more people, than bioterrorism itself.
Far more dangerous are accidental contaminations due to negligent industry practices, such as the 2006 spinach E coli and, more recently, peanut salmonella contaminations in the US, the 2008 milk contaminations in China, and the BSE-infected beef from earlier this decade. And the systems we have in place to deal with these accidental contaminations also work to mitigate any intentional ones.
In 2004, the then US secretary of health and human services, Tommy Thompson, said on Fox News: "I cannot understand why terrorists have not attacked our food supply. Because it is so easy to do."
Guess what? It's not at all easy to do.
This essay previously appeared in The Guardian.
Do you know what your data did last night? Almost none of the more than 27 million people who took the RealAge quiz realized that their personal health data was being used by drug companies to develop targeted e-mail marketing campaigns.
There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices. Basically, a company shouldn't be able to say one thing and do another: sell used goods as new, lie on ingredients lists, advertise prices that aren't generally available, claim features that don't exist, and so on.
They maintain that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent. That's deceptive.
Cloud computing is another technology where users entrust their data to service providers. Salesforce.com, Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser. Cloud computing has significant benefits for customers and huge profit potential for providers. It's one of the fastest growing IT market segments -- 69% of Americans now use some sort of cloud computing services -- but the business is rife with shady, if not outright deceptive, advertising.
Take Google, for example. Last month, the Electronic Privacy Information Center (I'm on its board of directors) filed a complaint with the Federal Trade Commission concerning Google's cloud computing services. On its website, Google repeatedly assures customers that their data is secure and private, while published vulnerabilities demonstrate that it is not. Google's not foolish, though; its Terms of Service explicitly disavow any warranty or any liability for harm that might result from Google's negligence, recklessness, malevolent intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data. EPIC claims that's deceptive.
Facebook isn't much better. Its plainly written (and not legally binding) Statement of Principles contains an admirable set of goals, but its denser and more legalistic Statement of Rights and Responsibilities undermines a lot of it. One research group who studies these documents called it "democracy theater": Facebook wants the appearance of involving users in governance, without the messiness of actually having to do so. Deceptive.
These issues are not identical. RealAge is hiding what it does with your data. Google is trying to both assure you that your data is safe and duck any responsibility when it's not. Facebook wants to market a democracy but run a dictatorship. But they all involve trying to deceive the customer.
Cloud computing services like Google Docs, and social networking sites like RealAge and Facebook, bring with them significant privacy and security risks over and above traditional computing models. Unlike data on my own computer, which I can protect to whatever level I believe prudent, I have no control over any of these sites, nor any real knowledge of how these companies protect my privacy and security. I have to trust them.
This may be fine -- the advantages might very well outweigh the risks -- but users often can't weigh the trade-offs because these companies are going out of their way to hide the risks.
Of course, companies don't want people to make informed decisions about where to leave their personal data. RealAge wouldn't get 27 million members if its webpage clearly stated "you are signing up to receive e-mails containing advertising from pharmaceutical companies," and Google Docs wouldn't get five million users if its webpage said "We'll take some steps to protect your privacy, but you can't blame us if something goes wrong."
And of course, trust isn't black and white. If, for example, Amazon tried to use customer credit card info to buy itself office supplies, we'd all agree that that was wrong. If it used customer names to solicit new business from their friends, most of us would consider this wrong. When it uses buying history to try to sell customers new books, many of us appreciate the targeted marketing. Similarly, no one expects Google's security to be perfect. But if it didn't fix known vulnerabilities, most of us would consider that a problem.
This is why understanding is so important. For markets to work, consumers need to be able to make informed buying decisions. They need to understand both the costs and benefits of the products and services they buy. Allowing sellers to manipulate the market by outright lying, or even by hiding vital information, about their products breaks capitalism -- and that's why the government has to step in to ensure markets work smoothly.
Last month, Mary K. Engle, Acting Deputy Director of the FTC's Bureau of Consumer Protection said: "a company's marketing materials must be consistent with the nature of the product being offered. It's not enough to disclose the information only in a fine print of a lengthy online user agreement." She was speaking about Digital Rights Management and, specifically, an incident where Sony used a music copy protection scheme without disclosing that it secretly installed software on customers' computers. DRM is different from cloud computing or even online surveys and quizzes, but the principle is the same.
Engle again: "if your advertising giveth and your EULA [license agreement] taketh away don't be surprised if the FTC comes calling." That's the right response from government.
A version of this article originally appeared on The Wall Street Journal.
A copy of this essay, with all embedded links, is here:
I'm speaking at the Computers, Freedom, and Privacy conference on June 2 in Washington DC.
Marcus Ranum and I did a video version of our Face Off column.
Interview with me from ThreatPost:
Slashdot thread on the interview:
San Francisco restaurant reviews for the RSA Conference:
This may be the stupidest example of risk assessment I've ever seen. It's a video clip from a recent Daily Show, about the dangers of the Large Hadron Collider. The segment starts off slowly, but then there's an exchange with high school science teacher Walter L. Wagner, who insists the device has a 50-50 chance of destroying the world:
"If you have something that can happen, and something that won't necessarily happen, it's going to either happen or it's going to not happen, and so the best guess is 1 in 2."
"I'm not sure that's how probability works, Walter."
This is followed by clips of news shows taking the guy seriously.
In related news, almost four-fifths of Americans don't know that a trillion is a million million, and most think it's less than that. Is it any wonder why we're having so much trouble with national budget debates?
Conficker's April Fool's joke -- the huge, menacing build-up and then nothing -- is a good case study on how we think about risks, one whose lessons are applicable far outside computer security. Generally, our brains aren't very good at probability and risk analysis. We tend to use cognitive shortcuts instead of thoughtful analysis. This worked fine for the simple risks we encountered for most of our species' existence, but it's less effective against the complex risks society forces us to face today.
We tend to judge the probability of something happening on how easily we can bring examples to mind. It's why people tend to buy earthquake insurance after an earthquake, when the risk is lowest. It's why those of us who have been the victims of a crime tend to fear crime more than those who haven't. And it's why we fear a repeat of 9/11 more than other types of terrorism.
We fear being murdered, kidnapped, raped and assaulted by strangers, when friends and relatives are far more likely to do those things to us. We worry about plane crashes instead of car crashes, which are far more common. We tend to exaggerate spectacular, strange, and rare events, and downplay more ordinary, familiar, and common ones.
We also respond more to stories than to data. If I show you statistics on crime in New York, you'll probably shrug and continue your vacation planning. But if a close friend gets mugged there, you're more likely to cancel your trip.
And specific stories are more convincing than general ones. That is why we buy more insurance against plane accidents than against travel accidents, or accidents in general. Or why, when surveyed, we are willing to pay more for air travel insurance covering "terrorist acts" than "all possible causes". That is why, in experiments, people judge specific scenarios more likely than more general ones, even if the general ones include the specific.
Conficker's 1 April deadline was precisely the sort of event humans tend to overreact to. It's a specific threat, which convinces us that it's credible. It's a specific date, which focuses our fear. Our natural tendency to exaggerate makes it more spectacular, which further increases our fear. Its repetition by the media makes it even easier to bring to mind. As the story becomes more vivid, it becomes more convincing.
The New York Times called it an "unthinkable disaster", the television news show 60 Minutes said it could "disrupt the entire internet" and we at the Guardian warned that it might be a "deadly threat". Naysayers were few, and drowned out.
The first of April passed without incident, but Conficker is no less dangerous today. About 2.2m computers worldwide, are still infected with Conficker.A and B, and about 1.3m more are infected with the nastier Conficker.C. It's true that on 1 April Conficker.C tried a new trick to update itself, but its authors could have updated the worm using another mechanism any day. In fact, they updated it on 8 April, and can do so again.
And Conficker is just one of many, many dangerous worms being run by criminal organizations. It came with a date and got a lot of press -- that 1 April date was more hype than reality -- but it's not particularly special. In short, there are many criminal organizations on the internet using worms and other forms of malware to infect computers. They then use those computers to send spam, commit fraud, and infect more computers. The risks are real and serious. Luckily, keeping your anti-virus software up-to-date and not clicking on strange attachments can keep you pretty secure. Conficker spreads through a Windows vulnerability that was patched in October. You do have automatic update turned on, right?
But people being people, it takes a specific story for us to protect ourselves.
This essay previously appeared in The Guardian.
A copy of this essay, with all embedded links, is here:
There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
Copyright (c) 2009 by Bruce Schneier.