December 15, 2011

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

Status Report: Liars and Outliers

After a long and hard year, Liars and Outliers is done. I submitted the manuscript to the publisher on November 1, got edits back from both an outside editor and a copyeditor about a week later, spent another week integrating the comments and edits, and submitted the final manuscript to the publisher just before Thanksgiving. I had a chance to proofread the laid-out pages in early December, and now it's off to the printers.

It really feels great to be done. This is the hardest book I've written, and the most ambitious. Now I have to see how it's received. I know I should be thinking about creating a talk based on the book, but I want some time away from the ideas. I'll get back to that task in January.

Meanwhile, the publisher and I have been working on the cover. We settled on the art and layout months ago, but there's the back cover copy, the inside flaps copy, the author's bio, and the blurbs. I'm really happy with the blurbs I've received, and we're deciding what goes on the front cover, what goes on the back cover, and what goes inside on the first couple of pages of the book. Much of this text will also be used at various online bookstores, and at my own webpage for the book. I'll post the whole cover when it's final.

After that, the publisher will create the various e-book formats. I'm not sure how the figures and tables will translate, but I'll figure it out. Publication is still scheduled for mid-February, in time for the RSA Conference in San Francisco at the end of the month. I'll be doing a short interview about my book in something called the "Author's Studio" on Wednesday, and will have a book signing at the conference bookstore sometime that week.

Meanwhile, my publisher is printing galley copies. If anyone out there has a legitimate reason to get one, like writing book reviews for a newspaper, magazine, popular blog, etc., send me an e-mail and I'll forward your request to Wiley's PR department. I think they'll be ready in a week or so, although it might be after the new year.

Additionally, I'm going to get 10 to 20 copies that I'd like to give away to readers of Crypto-Gram and my blog. I'm not sure how to do it, though. Offering copies to "the first N people who leave a comment" would discriminate based on time zone. Giving copies away randomly to commenters seems, well, too easy. The person in charge of PR at Wiley wants me to give copies away randomly to people who "like" me on Facebook or tweet about me to their friends, or do some other sort of fake distributed marketing thing, but I'm not going to do that.

So to start, I've decided to give away a free galley copy of Liars and Outliers to the person who can come up with the best way to give away free galley copies of Liars and Outliers. Leave your suggestions in blog comments.

Malware on Smart Phones

Two articles of note here. The first is about the prevalence of malware on Android phones. I'm not surprised by this at all. The Android platform is where the malware action is. I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives -- smart phone banking, electronic wallets -- they're simply going to become the most valuable device for criminals to go after. And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store.

The second article is a good debunking of the first article. The author is right. Malware on portable devices isn't going to look or act the same way as malware on traditional computers. It isn't going to spread from phone to phone. I'm more worried about Trojans, either on legitimate or illegitimate apps, malware embedded in webpages, fake updates, and so on. A lot of this will involve social engineering the user, but I don't see that as much of a problem.

But I do see mobile devices as the new target of choice. And I worry much more about privacy violations. Your phone knows your location. Your phone knows who you talk to and -- with a recorder -- what you say. And when your phone becomes your digital wallet, your phone is going to know a lot more intimate things about you. All of this will be useful to both criminals and marketers, and we're going to see all sorts of illegal and quasi-legal ways both of those groups will go after that information.

And securing those devices is going to be hard, because we don't have the same low-level access to these devices we have with computers.

Anti-virus companies are using FUD to sell their products, but there are real risks here. And the time to start figuring out how to solve them is now.


I thought this article on self-defense was very interesting. Sam Harris's three principles are: 1) Avoid dangerous people and dangerous places, 2) Do not defend your property, and 3) Respond immediately and escape.

Really nice article on cryptographer Paul Kocher and his company, Cryptography Research, Inc.

Detecting psychopaths by their speech patterns:
I worry about people being judged by these criteria. Psychopaths make up about 1% of the population, so even a small false-positive rate can be a significant problem.

The European Union has banned X-ray full body scanners at airports. Millimeter wave scanners are allowed as long as they conform to privacy guidelines.

Dan Boneh of Stanford University is teaching a free cryptography class starting in January.

The DHS partners with Major League Soccer to promote fear:

Spider webs that contain ant poison:

There's a company that is tracking people in shopping malls using their cell phones.
Two malls have shelved the system for now:

If something is protected by heavy security, it's obviously worth stealing. Here's an example from the insect world:

I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied:

The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology.

According to researchers, full-disk encryption is hampering police forensics.

Interesting essay on walls and their effects as security theater:

Seems the press reports about hacking into HP printers and setting them on fire were more hype than reality.

GCHQ is holding a hacking contest to drum up new recruits.
The contest has been cracked, but only because the administrators didn't hide the solution page from search engine spiders.

Invasive U.S. surveillance programs, either illegal like the NSA's wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems. I think these are legitimate concerns. I don't trust the U.S. government, law or no law, not to spy on my data if it thought it was a good idea. The more interesting question is: which government should I trust instead?

In Montreal, police marked protesters with invisible ink to be able to identify them later. The next step is going to be a spray that marks people surreptitiously, maybe with SmartWater.

A new Skype security flaw:

DARPA held an unshredding contest, and there's a winner.

Just in time for Christmas, a USB drive housed in a physical combination lock.

Robbing a bank as part of a penetration test: a funny story.

This first-person account by a TSA airport screener is a few years old, but I seem not to have linked to it before.

Dumbest camera ban ever: in London, of course: "While photography bans are pretty common, the station has decided to only ban DSLRs due to 'their combination of high quality sensor and high resolution.' Other cameras are allowed in, as long as they don't look 'big' enough to shoot amazing photos."

This article on airplane security says many of the same things I've been saying for years.
The author is a former Delta advisor. Wired talked to him.

Yet more fear mongering from the DHS: Al Qaeda is sewing bombs into people. Actually, not really. This is an "aspirational" terrorist threat, which basically means that someone mentioned it while drunk in a bar somewhere. Of course, that won't stop the DHS from trying to terrorize people with the idea and the security-industrial complex from selling us an expensive "solution" to reduce our fears. Wired: "So: a disruptive, potentially expensive panic based on a wild aspirational scheme? Actually, that sounds a *lot* like al-Qaida. And the TSA."
Me: "Refuse to be terrorized."

Sparrows have fewer surviving offspring if they feel insecure, regardless of whether they actually are insecure. Seems as if the sparrows could use a little security theater.

This is a really good analysis about the Buckshot Yankee attack against the classified military computer network in 2008. It contains a bunch of details I had not previously known.

The SCADA Attack that Wasn't

Last month, there was a report of a hack against a SCADA system controlling a water pump in Illinois that destroyed the pump. Supposedly the Russians did it. Then it was revealed that it was all a misunderstanding.

The end of the second article makes the most important point, I think:

Joe Weiss says he's shocked that a report like this was put out
without any of the information in it being investigated and
corroborated first.

"If you can't trust the information coming from a fusion center,
what is the purpose of having the fusion center sending anything
out? That's common sense," he said. "When you read what's in
that [report] that is a really, really scary letter. How could DHS
not have put something out saying they got this [information but]
it's preliminary?"

Asked if the fusion center is investigating how information that
was uncorroborated and was based on false assumptions got into a
distributed report, spokeswoman Bond said an investigation of that
sort is the responsibility of DHS and the other agencies who
compiled the report. The center's focus, she said, was on how
Weiss received a copy of the report that he should never have

"We're very concerned about the leak of controlled information,"
Bond said. "Our internal review is looking at how did this
information get passed along, confidential or controlled
information, get disseminated and put into the hands of users that
are not approved to receive that information. That's number one."

Notice that the problem isn't that a non-existent threat was overhyped in a report circulated in secret, but that the report became public. Never mind that if the report hadn't become public, the report would have never been revealed as erroneous. How many other reports like this are being used to justify policies that are as erroneous as the data that supports them?

Carrier IQ Spyware

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to get the company to back down. (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here. Threatening the researcher was a panic reaction, but I think it's still clinging to the notion that it can keep the details of what it does secret, or hide behind marketing statements and hair-splitting denials.

Several things matter here: 1) what data the Carrier IQ app collects on the handset, 2) what data the Carrier IQ app routinely transmits to the carriers, and 3) what data the Carrier IQ app can transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea.

Expect this story to unfold considerably in the coming weeks. Everyone is pointing fingers of blame at everyone else, and Sen. Franken has asked the various companies involved for details.

One more detail is worth mentioning. Apple announced it no longer uses Carrier IQ in iOS5. I'm sure this means that they have their own surveillance software running, not that they're no longer conducting surveillance on their users.

Biological Link Between Altruism and Fairness

I write a lot about altruism, fairness, and cooperation in my new book (out in February!), so research on the link between altruism and fairness interests me a lot. This experiment found a correlation in 15-month old babies.

Both psychology and neuroscience have a lot to say about these topics, and the resulting debate reads like a subset of the "Is there such a thing as free will?" debate. I think those who believe there is no free will are misdefining the term.

What does this have to do with security? Everything. It's not until we understand the natural human tendencies of fairness and altruism that we can really understand people who take advantage of those tendencies, and build systems to prevent them from taking advantage.

Schneier News

Last weekend, I received an honorary PhD from the University of Westminster, in London. I have had mixed feelings about this since I was asked early this year. The best piece of advice I've read is: "It's a great honor, but it is an honor, not a degree."

Iranians Capture U.S. Drone

Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn't shot down and it didn't crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple "malfunction," but that doesn't make a whole lot of sense.

The Iranians claim they used "electronic warfare" to capture the drone, implying that they somehow took control of it in the air and steered it to the ground. It would be a serious security design failure if they could do that. Two years ago, there was a story about al Qaeda intercepting video signals from drones. The command-and-control channel is different; I assumed that there was some pretty strong encryption protecting that.

Recent Developments in Full Disclosure

Last week, I had a long conversation with Robert Lemos over an article he was writing about full disclosure. He had noticed that companies have recently been reacting more negatively to security researchers publishing vulnerabilities about their products.

The debate over full disclosure is as old as computing, and I've written about it before. Disclosing security vulnerabilities is good for security and good for society, but vendors really hate it. It results in bad press, forces them to spend money fixing vulnerabilities, and comes out of nowhere. Over the past decade or so, we've had an uneasy truce between security researchers and product vendors. That truce seems to be breaking down.

Lemos believes the problem is that because today's research targets aren't traditional computer companies -- they're phone companies, or embedded system companies, or whatnot -- they're not aware of the history of the debate or the truce, and are responding more viscerally. For example, Carrier IQ threatened legal action against the researcher that outed it, and only backed down after the EFF got involved. I am reminded of the reaction of locksmiths to Matt Blaze's vulnerability disclosures about lock security; they thought he was evil incarnate for publicizing hundred-year-old security vulnerabilities in lock systems. And just last week, I posted about a full-disclosure debate in the virology community.

I think Lemos has put his finger on part of what's going on, but that there's more. I think that companies, both computer and non-computer, are trying to retain control over the situation. Apple's heavy-handed retaliation against researcher Charlie Miller is an example of that. On one hand, Apple should know better than to do this. On the other hand, it's acting in the best interest of its brand: the fewer researchers looking for vulnerabilities, the fewer vulnerabilities it has to deal with.

It's easy to believe that if only people wouldn't disclose problems, we could pretend they didn't exist, and everything would be better. Certainly this is the position taken by the DHS over terrorism: public information about the problem is worse than the problem itself. It's similar to Americans' willingness to give both Bush and Obama the power to arrest and indefinitely detain any American without any trial whatsoever. It largely explains the common public backlash against whistle-blowers. What we don't know can't hurt us, and what we do know will also be known by those who want to hurt us.

There's some profound psychological denial going on here, and I'm not sure of the implications of it all. It's worth paying attention to, though. Security requires transparency and disclosure, and if we willingly give that up, we're a lot less safe as a society.

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2011 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.