September 15, 2011

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

Ten-Year Anniversary of 9/11

There have been lots of articles and essays related to the tenth anniversary of the 9/11 terrorist attacks. Here's what I think is worth reading:

This ACLU report is really good: "A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11."
From Foreign Policy: "Why Is It So Hard to Find a Suicide Bomber These Days?"
From Stratfor: "Why al Qaeda is Unlikely to Execute Another 9/11."
Me from May 2010: "Where Are All the Terrorist Attacks?"

Steven Pinker on Terrorism

Nice essay on the danger of too much security:

Joseph Stiglitz on the price of 9/11.

How 9/11 changed surveillance.

New scientific research as a result of 9/11.
A good controversial piece.

The day we lost our privacy and power.
The probability of another 9/11-magnitude terrorist attack.

"Let's Cancel 9/11."

"How to Beat Terrorism: Refuse to Be Terrorized" from Wired.

"Ten Things I Want My Children To Learn from 9/11"

The creator of the TSA says it should be dismantled and privatized:

Pat Buchanan on Bush after 9/11:

9/11: Was There an Alternative? by Noam Chomsky

Comments from Al-Jazeera:

The Onion's comment:

I didn't write anything to commemorate the 9/11 anniversary. I couldn't think of anything to say that I haven't said a gazillion times already.

Terrorism in the U.S. Since 9/11

John Mueller and his students analyze the 33 cases of attempted Islamic extremist terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement.

The death toll of all these is fourteen: thirteen at Ft. Hood and one in Little Rock. I think it's fair to add to this the 2002 incident at Los Angeles Airport where a lone gunman killed two people at the El Al ticket counter, so that's sixteen deaths in the U.S. to terrorism in the past ten years.

Given the credible estimate that we've spent $1 trillion on anti-terrorism security (this does not include our many foreign wars), that's $62.5 billion per life lost. Is there any other risk that we are even remotely as crazy about?

Note that everyone who died was shot with a gun. No Islamic extremist has been able to successfully detonate a bomb in the U.S. in the past ten years, not even a Molotov cocktail. (In the U.K. there has been only one successful terrorist bombing in the last ten years: the 2005 London Underground attacks.) And almost all of the 33 incidents (34 if you add LAX) have been lone actors, with no ties to al Qaeda.

Looking over the incidents, some of them would make pretty good movie plots. The point of my "movie-plot threat" phrase is not that terrorist attacks are never like that, but that concentrating defensive resources against them is pointless because 1) there are too many of them and 2) it is too easy for the terrorists to change tactics or targets.

I remember the government fear mongering after 9/11. How there were hundreds of sleeper cells in the U.S. How terrorism would become the new normal unless we implemented all sorts of draconian security measures. You'd think that -- if this were even remotely true -- we would have seen more attempted terrorism in the U.S. over the past decade.

And I think arguments like "the government has secretly stopped lots of plots" don't hold any water. Just look at the list, and remember how the Bush administration would hype even the most tenuous terrorist incident. Stoking fear was the policy. If the government stopped any other plots, they would have made as much of a big deal of them as they did of these 33 incidents.

Mueller's work:

$1 trillion spent on terrorism security.

To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to foil 1,667 Times Square-style plots per year.

Here's data on terrorist incidents from 1970 to 2004.

And here's Nate Silver with data showing that the 1970s and 1980s were more dangerous with respect to airplane terrorism than the 2000s.

According to the State Department's recent report, fifteen American private citizens died in terrorist attacks in 2010: thirteen in Afghanistan and one each in Iraq and Uganda. Worldwide, 13,186 people died from terrorism in 2010. These numbers pale even in comparison to things that aren't very risky.

Look at Table 3 on page 16 of this document. The risk of dying in the U.S. from terrorism is substantially less than the risk of drowning in your bathtub, the risk of a home appliance killing you, or the risk of dying in an accident caused by a deer. Remember that more people die every month in automobile crashes than died in 9/11.

In my blog post, I accidentally typed "lives saved" when I meant to type "lives lost." I've corrected that above. We generally have a regulatory safety goal of $1-$10M per life saved. In order for the $100B we have spent per year on counterterrorism to be worth it, it would need to have saved 10,000 lives per year.
$1-$10M per life saved:

The Efficacy of Post-9/11 Counterterrorism

This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless -- that's not new -- but that the security establishment knows it doesn't work and abandoned many of the draconian security measures years ago, long before Obama became president. All that's left of the war on terror is political, as lawmakers fund unwanted projects in an effort to be tough on crime.

I wish it were true, but I don't buy it. The war on terror is an enormous cash cow, and law enforcement is spending the money as fast as it can get it. It's also a great stalking horse for increases in police powers, and I see no signs of agencies like the FBI or the TSA not grabbing all the power they can.

The second half of the article is better. The authors argue that openness, not secrecy, improves security.
Here's the report the article was based on.
Counterterrorism as an enormous cash cow:


Interesting research on search-redirection attacks and the illicit online prescription drug trade:
Nice essay by Christopher Soghoian on why cell phone and Internet providers need to enable security options by default.
A prison in Brazil uses geese as part of its alarm system.
There's a long tradition of this. Circa 400 BC, alarm geese alerted a Roman citadel to a Gaul attack.

New attack on AES:

Any institution delegated with the task of preventing terrorism has a dilemma: they can either do their best to prevent terrorism, or they can do their best to make sure they're not blamed for any terrorist attacks. I've talked about this dilemma for a while now, and it's nice to see some research results that demonstrate its effects.
Think about this with respect to the TSA. Are they doing their best to mitigate terrorism, or are they doing their best to ensure that if there's a terrorist attack the public doesn't blame the TSA for missing it?

Long essay on the value of pseudonymity.
This is, of course, a response to the Google+ names policy.

How Microsoft develops security patches:

James Fallows has a nice debunking of a movie-plot threat: open airplane cockpit doors during bathroom breaks.
Cheating at casinos with hidden sleeve cameras.
Worried about someone hacking your implanted medical devices? Here's a signal-jamming device you can wear.

Smartphone keystroke logging using the motion sensor.
Stealing ATM PINs with a thermal camera:
The security risks of not teaching malware:

The security problems associated with moving $12B in gold from London to Venezuela.
Nice essay on the problems with talking about cyberspace risks using "Cold War" metaphors:
This is a picture of a pair of wire cutters secured to a table with a wire. Someone isn't thinking this through....
Screenshots of a Chinese hacking tool. It's hard to know how serious this really is.

We finally have some details of the RSA attack, even though the company isn't talking. It was a not-very-sophisticated phishing attack.

This Facebook Privacy Guide is actually pretty good.
Also note that the site is redesigning its privacy. As we learned from Microsoft, nothing motivates a company to improve its security like competition.

Social networking sites make it very difficult, if not impossible, to have undercover police officers.
There's another side to this issue as well. Social networking sites can help undercover officers with their backstory, by building a fictional history. Some of this might require help from the company that owns the social networking site, but that seems like a reasonable request by the police. I am in the middle of reading Diego Gambetta's book "Codes of the Underworld: How Criminals Communicate." He talks about the lengthy process organized crime uses to vet new members -- often relying on people who knew the person since birth, or people who served time with him in jail -- to protect against police informants. I agree that social networking sites can make undercover work even harder, but it's gotten pretty hard even without that.

Job opening: TSA Public Affairs Specialist.

There's been a forged Google certificate out in the wild for the past month and a half. Whoever has it -- evidence points to the Iranian government -- can, if they're in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn't Google's mistake; the certificate was issued by a Dutch CA that has nothing to do with Google.
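An added illustration of why that attack works, and of the check that caught it in practice (public-key pinning in the browser). This is example code written for this newsletter, not code from Google, the CA involved, or anyone else. It builds two throwaway roots that a client trusts, issues a certificate for mail.google.com from each, and runs both through ordinary chain validation and then through a pin check. The hostname, both CA names and the pinning policy are assumptions made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// cred is a certificate plus the private key it certifies.
type cred struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint issues a certificate for subject, signed by parent (self-signed when nil). Nothing ties a
// CA to the names it may sign for: any trusted root can issue for any hostname. Local key
// generation and signing cannot reasonably fail, so in this demo errors simply panic.
func mint(subject string, isCA bool, parent *cred) *cred {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = &cred{cert: tmpl, key: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &cred{cert: cert, key: key}
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form browsers use for key pins.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// check runs the ordinary chain validation every TLS client does (any trusted root will do),
// then the stricter pin check (some certificate in the chain must carry a pinned key).
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) (chainOK, pinOK bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true, true
			}
		}
	}
	return true, false
}

// runScenario models a client trusting two roots: the one that really certifies host and an
// unrelated one that has been misused to forge a certificate for the same host.
func runScenario(host string) (genuineChain, forgedChain, genuinePin, forgedPin bool) {
	genuine := mint("Genuine Root CA (demo)", true, nil)
	unrelated := mint("Unrelated Root CA (demo)", true, nil)
	roots := x509.NewCertPool() // the client trusts both, as browsers trust hundreds of roots
	roots.AddCert(genuine.cert)
	roots.AddCert(unrelated.cert)
	pins := map[string]bool{spkiPin(genuine.cert): true} // but pins only the genuine key for host
	genuineChain, genuinePin = check(mint(host, false, genuine).cert, roots, host, pins)
	forgedChain, forgedPin = check(mint(host, false, unrelated).cert, roots, host, pins)
	return
}

func main() {
	gc, fc, gp, fp := runScenario("mail.google.com")
	fmt.Printf("chain validation alone: genuine=%v forged=%v\n", gc, fc)
	fmt.Printf("with key pinning:       genuine=%v forged=%v\n", gp, fp)
}
```

The two output lines make the point: chain validation says yes to both certificates, because a trust store makes every root equally authoritative for every name, while pinning says yes only to the one that chains to the key the client expects. Pinning carries its own operational risk (pin the wrong key, or lose the pinned one, and you lock out your own users), which is why browsers ship pins only for a small set of sites they coordinate with directly.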

Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year:
This reminds me of the RBS WorldPay theft from a couple of years ago.
New research: Adrian J. Lee and Sheldon H. Jacobson (2011), "The Impact of Aviation Checkpoint Queues on Optimizing Security Screening Effectiveness," Reliability Engineering & System Safety, 96 (August): 900-911.

Interesting article on outing a CIA agent, and how difficult it is to keep an identity secret in the information age.
Mason Rice, Robert Miller, and Sujeet Shenoi (2011), "May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?" International Journal of Critical Infrastructure Protection, 4 (April 2011): 3-13.

I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.
TSA Administrator John Pistole on the future of airport security. There's a lot here that's worth watching. He talks about expanding behavioral detection. He talks about less screening for "trusted travelers."

Cultural differences in risk tolerance:

Sharing security information and the Prisoner's Dilemma:

Funniest Joke at the Edinburgh Fringe Festival

Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival:

Nick Helm: "I needed a password with eight characters so I picked
Snow White and the Seven Dwarves."

Note that two other jokes were about security:

Tim Vine: "Crime in multi-storey car parks. That is wrong on so
many different levels."

Andrew Lawrence: "I admire these phone hackers. I think they have
a lot of patience. I can't even be bothered to check my OWN

Schneier News

I'm speaking at the Information Security Forum Annual World Congress, on 19 September in Berlin.

I'm also speaking at the Danish IT Lawyers Conference, on 20 September in Copenhagen.

Unredacted U.S. Diplomatic WikiLeaks Cables Published

It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. It seems that the encrypted file WikiLeaks gave to the Guardian got loose in the wild, and then the Guardian published the encryption key in their tell-all book about WikiLeaks.

From pp 138-9 of "WikiLeaks":

Assange wrote down on a scrap of paper:
ACollectionOfHistorySince_1966_ToThe_PresentDay#. "That's
the password," he said. "But you have to add one extra word when
you type it in. You have to put in the word 'Diplomatic' before
the word 'History'. Can you remember that?"

I think we can all agree that that's a secure encryption key.

Memo to the "Guardian": Publishing encryption keys is almost always a bad idea. Memo to WikiLeaks: Take better care of your encrypted files.

The detailed story.

Finger-pointing between the Guardian and WikiLeaks:

The book:

A Status Report: "Liars and Outliers"

It's been a long hard year, but the book is almost finished. It's certainly the most difficult book I've ever written, mostly because I've had to learn about academic fields I don't have a lot of experience in. But the book is finally coming together as a coherent whole, and I am optimistic that the results will prove to be worth the effort.

Table of contents:

1. Introduction
2. A Natural History of Security
3. The Evolution of Cooperation
4. A Social History of Security
5. Societal Dilemmas
6. Societal Security
7. Moral Societal Security
8. Reputational Societal Security
9. Institutional Societal Security
10. Technological Societal Security
11. Competing Interest
12. Organizations and Societal Dilemmas
13. Corporations and Societal Dilemmas
14. Institutions and Societal Dilemmas
15. Understanding Societal Security Failures
16. Societal Security and the Information Age
17. The Future of Societal Security

The old title, "The Dishonest Minority," has been completely expunged from the book. The phrase appears nowhere in the text -- its only existence is in old blog posts about the book.

Lastly, I want to apologize to all my readers for the scant pickings on my blog and in Crypto-Gram. So much of my attention is going into writing my book that I don't have time for much else. I promise to write more essays and blog posts once the book is finished. That's likely to be the December issue of Crypto-Gram. Thank you for your patience.

The manuscript is due in 45 days; publication is still scheduled for mid-February. Right now, it's 88,000 words long, with another 30,000 words in notes and references.


Older blog posts about the book:

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2011 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.