March 15, 2010

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

In this issue:

Al-Mabhouh Assassination

I've been fascinated by the assassination of Hamas leader Mahmoud al-Mabhouh -- not the politics, but the tactics -- mostly because the Dubai police released surveillance video of the assassins moving around the city. (The actual assassination took place in a hotel room, and there's no video of that.)

I used the story as a news hook for a essay on surveillance cameras. Here's the first paragraph:

On January 19, a team of at least 15 people assassinated Hamas leader Mahmoud al-Mabhouh. The Dubai police released video footage of 11 of them. While it was obviously a very professional operation, the 27 minutes of video is fascinating in its banality. Team members walk through the airport, check in and out of hotels, get in and out of taxis. They make no effort to hide themselves from the cameras, sometimes seeming to stare directly into them. They obviously don't care that they're being recorded, and -- in fact -- the cameras didn't prevent the assassination, nor as far as we know have they helped as yet in identifying the killers.

A former CIA field officer wrote an interesting essay on the al-Mabhouh assassination:

The truth is that Mr. Mabhouh's assassination was conducted according to the book -- a military operation in which the environment is completely controlled by the assassins. At least 25 people are needed to carry off something like this. You need "eyes on" the target 24 hours a day to ensure that when the time comes he is alone. You need coverage of the police -- assassinations go very wrong when the police stumble into the middle of one. You need coverage of the hotel security staff, the maids, the outside of the hotel. You even need people in back-up accommodations in the event the team needs a place to hide.

I found this conclusion of his incredible:

I can only speculate about where exactly the hit went wrong. But I would guess the assassins failed to account for the marked advance in technology.


Not completely understanding advances in technology may be one explanation for the assassins nonchalantly exposing their faces to the closed-circuit TV cameras, one female assassin even smiling at one.... The other explanation -- the assassins didn't care whether their faces were identified -- doesn't seem plausible at all.

Does he really think that this professional a team simply didn't realize that there were security cameras in airports and hotels? I think that the "other explanation" is not only plausible, it's obvious.

The number of suspects is now at 27, by the way. And:

Also Monday, the sources said the UAE central bank is working with other nations to track funding and 14 credit cards -- issued mostly by a United States bank -- used by the suspects in different places, including the United States.

We'll see how well these people covered their tracks.

This is my first blog post, which got a lot of reader speculation:

The surveillance video, in three parts

My essay:
The surveillance camera industry rebuttal:
More speculation on how the assassins got into al-Mabhouh's hotel room:

The former CIA's officer's essay:
More commentary on the tactics:
Speculation that it's Egypt or Jordan. I don't believe it.


Small Planes and Lone Terrorist Nutcases

A "Washington Post" article concludes that small planes are not the next terror threat. What this analysis misses is our ability to terrorize ourselves. After all, who thought that a failed terrorist incident -- nobody hurt, no plane crash, terrorist in custody -- could cause so much terror?

On the face of it, Joseph Stack flying a private plane into the Austin, TX IRS office is no different than Nidal Hasan shooting up Ft. Hood: a lone extremist nutcase. If one is a terrorist and the other is a criminal, the difference is more political or religious than anything else.

Personally, I wouldn't call either a terrorist. Nor would I call Amy Bishop, who opened fire on her department after she was denied tenure, a terrorist.

I consider both Theodore Kaczynski (the Unabomber) and Bruce Ivins (the anthrax mailer) to be terrorists, but John Muhammad and Lee Malvo (the DC snipers) to be criminals. Clearly there is a grey area.

I note that the primary counterterrorist measures I advocate -- investigation and intelligence -- can't possibly make a difference against any of these people. Lone nuts are pretty much impossible to detect in advance, and thus pretty much impossible to defend against: a point Cato's Jim Harper made in a smart series of posts. And once they attack, conventional police work is how we capture those that simply don't care if they're caught or killed.

Washington Post article:
Joseph Stack:,2933,586929,00.html

Nidal Hasan:

Discussing the difference:
Amy Bishop:
Theodore Kaczynski:

Bruce Ivins:

John Muhammad and Lee Malvo:

Jim Harper's blog posts:


I had no idea this was being done, but erased answers are now analyzed on standardized tests. Schools with a high number of wrong-to-right changes across multiple tests are presumed to have cheated: teachers changing the answers after the students are done.

A new Trojan Horse named Spy Eye has code that kills Zeus, a rival botnet.
Interesting blog post, with video demonstration, about an improved tool to open high security locks with a key that will just "form itself" if you insert it into the lock and wiggle it a little. The basic technique is a few years old, but the improvements discussed here allow the tool to open a wider variety of locks than before.

There was a big U.S. cyberattack exercise last month. We didn't do so well.
This debit card skimmer is installed inside gas pumps. There's nothing the customer can detect.
"LVMPD found that one of these skimmers can be installed in eight minutes flat." Also, pictures.

Mark Twain on risk analysis, from 1871:

Just declassified by the NSA: "A Reference Guide to Selected Historical Documents Relating to the National Security Agency/Central Security Service, 1931-1985." Formerly "Top Secret UMBRA." From my quick scan, there are minimal redactions.

It's a really creepy story: a school issues laptops to students, and then remotely and surreptitiously turns on the camera.

Hitler and cloud computing: a funny video by Marcus Ranum and Gunnar Peterson.

Nice essay by Tom Engelhardt on fear of terrorism:
Similar sentiment from Newsweek:

Crypto implementation failure? I originally thought this AES-encrypted USB memory stick was one, but a blog reader corrected me.

On March 2, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI).

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."
News article:
Moral: anonymity is really, really hard -- but we knew that already:

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, Identity and its Verification."
Eating a flash drive: how not to destroy evidence/

IARPA -- the Intelligence Advanced Research Projects Activity, the U.S. intelligence community's answer to DARPA -- wants a trust detector. It's good to dream.
Interesting commentary by Marc Rotenberg on Google's Italian privacy case:
A hollowed-out U.S. nickel can hold a microSD card.
Pound and euro coins are also available.
Old blog post about this:

Nose biometrics:

A guide to Microsoft police forensic services was leaked online.

Over at Wikibooks, they're trying to write an open source cryptography textbook.

Interesting paper on typosquatting:
Cartoon: why DRM doesn't work:

Google in The Onion:

This USB combination lock is a promotional security product designed by someone who knows nothing about security. The USB drive is "protected" by a combination lock. There are only two dials, so there are only 100 possible combinations. And when the drive is "locked" and the connector is retracted, the contacts are still accessible. Maybe it should be given away by companies that sell security theater.

The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet.

The Doghouse: Demiurge Consulting

They claim to be "one of the nation's only and most respected security and intelligence providers" -- I've never heard of them -- but their blog consisted entirely of entries copied from my blog since December 24. The posts were credited to "Anonymous," and weren't linked back to my blog. They didn't even cull the posts that were obviously me: posts about interviews I've given, for example.

I contacted them last month and asked that they stop stealing my blog posts. I got an apologetic e-mail in response:

Please accept my apologies about the republishing of your blog posts.

Quite honestly our web development team was tasked with finding some interesting content to keep the blog component of our firm's website compelling and up to date; it is clear that they took my request out of context. Ironically, I rarely even look at my own firm's website!

I have had them stop the republishing immediately. I know of you by reputation, truly respect your work and thank you for being so gracious in your request; you very well could have been obtuse. Again, I personally apologize for this situation.



Karim is Karim Hijazi, whose e-mail sig file identifies him as "Principal/Founder." Despite the nice e-mail, nothing happened for a week. They didn't steal any new posts, but they didn't take down the old ones either. I suppose I could have sued them, but public ridicule seemed more fitting.

So I posted the above information to my blog. The stolen posts immediately came down, with this message in their place:

Speaking to the team that handles the blog component of the Demiurge website, I have learned not only have they been able to find at least 23 other websites syndicating content from Mr. Schneier's blog, but there are more than three websites offering full blog post syndication links including Schneier's blog.

Further, why would you find it offensive if we find your content very interesting to our clientele? If we really were trying to make it look like our content, don't you think we would have scrubbed it? Besides all the links went back to your bloody blog... just more viewers for you. You weren't thinking when you tried to flame us Bruce.

All you had to do was ask us to stop syndicating, which we did.

That's now gone, and there's a reworked website.

Blog entry:

Schneier News

I finally have control of my Facebook page. There'll be nothing on it that isn't on my blog or Crypto-Gram, but some of you might prefer following my writing from there.

I also have a Twitter account, although I've never posted. And a Twitter feed for my blog, which simply announces and links to each post.

I'm speaking via video link at the 2nd Annual Data Protection Conference, in Dublin, Ireland.
I'm speaking at the CACR Higher Education Security Summit in Indianapolis, IN, on April 1.

TSA Logo Contest Winner

In January, I announced a contest to redesign the TSA logo. Last week, I announced the five finalists -- chosen by Patrick Smith from "Ask the Pilot" and myself -- and asked you all to vote on the winner.

Four hundred and seven votes later, we have a tie. No really; we have a tie. Rhys Gibson and "I love to fly and it shows" have 135 votes each. (It's still a tie at 141 votes each if I give half credit for all split votes.) Both are well ahead of the third place winner, with 81 votes. There were a few ambiguous comments that could possibly break the tie, but rather than scrutinize the hanging chad any more closely, I'm going to appeal to the judges to cast the deciding votes.

Although both logos are excellent, both Patrick Smith and I vote for Rhys Gibson.


Contest announcement:



Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2010 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.