January 15, 2012

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

In this issue:

The TSA Proves its Own Irrelevance

Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own "Top 10 Good Catches of 2011":

10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I'm just happy there weren't any lions, tigers, and bears...
3) Over 1,200 firearms were discovered at TSA checkpoints across the nation in 2011. Many guns are found loaded with rounds in the chamber. Most passengers simply state they forgot they had a gun in their bag.
2) A loaded .380 pistol was found strapped to passenger's ankle with the body scanner at Detroit (DTW). You guessed it, he forgot it was there...
1) Small chunks of C4 explosives were found in passenger's checked luggage in Yuma (YUM). Believe it or not, he was bringing it home to show his family.

That's right; not a single terrorist on the list. Mostly forgetful, and entirely innocent, people. Note that they fail to point out that the firearms and knives would have been just as easily caught by pre-9/11 screening procedures. And that the C4 -- their #1 "good catch" -- was on the return flight; they missed it the first time. So only 1 for 2 on that one.

And the TSA decided not to mention its stupidest confiscations:

TSA confiscates a butter knife from an airline pilot. TSA confiscates a teenage girl's purse with an embroidered handgun design. TSA confiscates a 4-inch plastic rifle from a GI Joe action doll on the grounds that it's a "replica weapon." TSA confiscates a liquid-filled baby rattle from airline pilot's infant daughter. TSA confiscates a plastic "Star Wars" lightsaber from a toddler.

The TSA's Top 10 Good Catches of 2011:

The TSA missed the C4 the first time.

TSA stupid confiscations:
The Vanity Fair article:

Abolishing the Department of Homeland Security

I have a love/hate relationship with the Cato Institute. Most of their analysis I strongly disagree with, but some of it I equally strongly agree with. Last September 11 -- the tenth anniversary of 9/11 -- Cato's David Rittgers published "Abolish the Department of Homeland Security":

DHS has too many subdivisions in too many disparate fields to operate effectively. Agencies with responsibilities for counterfeiting investigations, border security, disaster preparedness, federal law enforcement training, biological warfare defense, and computer incident response find themselves under the same cabinet official. This arrangement has not enhanced the government's competence. Americans are not safer because the head of DHS is simultaneously responsible for airport security and governmental efforts to counter potential flu epidemics.
National defense is a key governmental responsibility, but focusing too many resources on trying to defend every potential terrorist target is a recipe for wasteful spending. Our limited resources are better spent on investigating and arresting aspiring terrorists. DHS responsibilities for aviation security, domestic surveillance, and port security have made it too easy for politicians to disguise pork barrel spending in red, white, and blue. Politicians want to bring money home to their districts, and as a result, DHS appropriations too often differ from what ought to be DHS priorities.

I agree with that. In fact, in 2003, when the country was debating a single organization that would be responsible for most (not all, since the Justice Department, the State Department, and the Department of Defense were too powerful to lose any pieces of themselves) of the country's counterterrorism efforts, I wrote:

Our nation may actually be less secure if the Department of Homeland Security eventually takes over the responsibilities of existing agencies. The last thing we want is for the Department of Energy, the Department of Commerce, and the Department of State to say: "Security; that's the responsibility of the DHS."
Security is the responsibility of everyone in government. We won't defeat terrorism by finding a single thing that works all the time. We'll defeat terrorism when every little thing works in its own way, and together provides an immune system for our society. Unless the DHS distributes security responsibility even as it centralizes coordination, it won't improve our nation's security.

Back to the Cato report:

The Department of Homeland Security should be abolished and its components reorganized into more practical groupings. The agencies tasked with immigration, border security, and customs enforcement belong under the same oversight agency, which could appropriately be called the Border Security Administration. The Transportation Security Administration and Federal Air Marshals Service should be abolished, and the federal government should end support for fusion centers. The remaining DHS organizations should return to their former parent agencies.

Hard to argue with most of that, although abolishing the TSA isn't a good idea. Airport security should be rolled back to pre-9/11 levels, but someone is going to have to be in charge of it. Putting the airlines in charge of it doesn't make sense; their incentives are going to be passenger service rather than security. Some government agency either has to hire the screeners and staff the checkpoints, or make and enforce rules for contractor-staffed checkpoints to follow.

Last November, the U.S. Congressional Republicans published a report very critical of the TSA: "A Decade Later: A Call for TSA Reform."

This report is an examination and critical analysis of the development, evolution, and current status and performance of TSA ten years after its creation. Since its inception, TSA has lost its focus on transportation security. Instead, it has grown into an enormous, inflexible and distracted bureaucracy, more concerned with human resource management and consolidating power, and acting reactively instead of proactively. As discussed more fully in the "Recommendations" section on page 18, TSA must realign its responsibilities as a federal regulator and focus on analyzing intelligence, setting screening and security standards based on risk, auditing passenger and baggage screening operations, and ensuring compliance with national screening standards.

In a related link, there's a response to a petition to abolish the TSA. The response is by TSA administrator John Pistole, so it's not the most objective piece of writing on the topic, and doesn't actually respond to the petition:

Why TSA Exists.
TSA was created two months after the September 11 terrorist attacks, when Congress passed the Aviation and Transportation Security Act (ATSA) [.pdf] to keep the millions of Americans who travel each day safe and secure across numerous modes of transportation.
Over the past 10 years, TSA has strengthened security by creating successful programs and deploying technologies that were not in place prior to September 11, while also taking steps whenever possible to enhance the passenger experience. Here are just a few of the many steps TSA has taken to strengthen our multi-layered approach to security....
Our Nation is safer and better prepared today because of these and other efforts of the Department of Homeland Security, TSA, and our federal, state, local and international partners. TSA is constantly identifying ways to continue to strengthen security and improve the passenger experience and appreciates the feedback of the public.

Pistole just assumes that what his organization is doing is important, and never even mentions how much it costs or whether it's worth it.

The Cato report:

My 2003 essay:

The Congressional Republican report:
The TSA response to the petition:!/response/...


The EFF's Sovereign Key proposal.

When you give out money based on politics, without any accounting, this is what you get: snow cone machines for homeland security:

More on the captured U.S. drone: here's a report that Iran hacked the drones' GPS systems.

Plasmonics anti-counterfeiting technology:
Anti-counterfeiting technologies have a difficult set of requirements. They need to be cheap for legitimate currency printers, and at the same time expensive for counterfeiters. That this technology can encode unique serial numbers -- or even digital signatures of unique serial numbers -- onto paper currency would be a big deal.

How to open a padlock with a soda can.
Human ear biometric. I have no idea how good it actually is.

Santa hacked: a mildly amusing video.

The TSA's cupcake problem, in several parts. Part 1: the TSA confiscates someone's cupcake -- the frosting is a gel -- prompting widespread ridicule.
Part 2: the TSA claims the cupcake was in a jar, which makes their actions less obviously stupid.
Part 3: the cupcake lady claims that the TSA is lying.

The story of how Subway's point-of-sale system was hacked for $3 million.
Really interesting story of the collar-bomb robbery -- and subsequent investigation -- from 2003.

Another new biometric: butt identification based on how you sit.

Hacking Marconi's wireless in 1903: a great story.
There's a service that can be hired to tie up target phone lines indefinitely. The article talks about how this can be used as a diversionary tactic to mask a cyberattack, but that seems a bit odd to me. I'd be more concerned about how this sort of thing could be used to disrupt the operations of a political candidate on the eve of an election.
In 1997, I wrote about something called a "chosen-protocol attack," where an attacker can use one protocol to break another. Here's an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number. I have to admit this puzzles me, because I thought there was a standard for masking credit card numbers. I only ever see all digits except the final four masked.

Research paper: Alan A. Kirschenbaum, Michele Mariani, Coen Van Gulijk, Sharon Lubasz, Carmit Rapaport, and Hinke Andriessen, "Airport Security: An Ethnographic Study," Journal of Air Transport Management, 18 (January 2012): 68-73 (full article is behind a paywall).

Another research paper: Behzad Zare Moayedi, Mohammad Abdollahi Azgomi, "A Game Theoretic Framework for Evaluation of the Impacts of Hackers Diversity on Security Measures," Reliability Engineering & System Safety, 99 (2012): 45-54 (full article behind paywall).

A third research paper: Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56-65 (full article behind paywall).

The history of coded messages in postage-stamp placement. I wonder how prevalent this actually was. My guess is that it was more a clever idea than an actual signaling system. And I notice that a lot of the code systems don't have a placement that indicates "no message; this is just a stamp."

These papers from NSA journals are old, but they have just been released under FOIA.

The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits. Then he points out that if your PIN has only three different digits -- 1231, for example -- the PIN can be one of 36 different possibilities. So it's more security, although not much more secure.
It's time to patch your HP printers. This is a serious vulnerability.
Here's a list of all the printers affected.
Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire.

Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's involvement in something sinister, but most likely Symantec's biggest problem is public embarrassment.

Political Science professor John Mueller has been collecting predictions about future terrorist attacks since 9/11, and -- as you'd expect -- most of them are wildly inaccurate. I've never heard this particular quote before, and find it particularly profound: "In 2004, Russell Seitz plausibly proposed that '9/11 could join the Trojan Horse and Pearl Harbor among stratagems so uniquely surprising that their very success precludes their repetition'...."

The EFF has published a good guide about protecting your digital devices at international borders.
My own advice is here.

Apple has a patent on splitting a key between a portable device and its power supply.
A theory of online jihadist sites.
Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services.

"Going Dark" vs. a "Golden Age of Surveillance"

It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need to pass laws like CALEA to force these services to be made insecure, so that the government can eavesdrop.

The counter-argument is the "Golden Age of Surveillance" -- that the massive increase of online data and Internet communications systems gives the government a far greater ability to eavesdrop on our lives. They can get your e-mail from Google, regardless of whether you use encryption. They can install an eavesdropping program on your computer, regardless of whether you use Skype. They can monitor your Facebook conversations, and learn thing that just weren't online a decade ago. Today we all carry devices that tract our locations 24/7: our cell phones.

In this essay, CDT fellows (and law professors) challenge the "going dark" metaphor and make the case for "the golden age of surveillance." Yes, wiretapping is harder; but so many other types of surveillance are easier.

A simple test can help the reader decide between the "going dark" and "golden age of surveillance" hypotheses. Suppose the agencies had a choice of a 1990-era package or a 2011-era package. The first package would include the wiretap authorities as they existed pre-encryption, but would lack the new techniques for location tracking, confederate identification, access to multiple databases, and data mining. The second package would match current capabilities: some encryption-related obstacles, but increased use of wiretaps, as well as the capabilities for location tracking, confederate tracking and data mining. The second package is clearly superior -- the new surveillance tools assist a vast range of investigations, whereas wiretaps apply only to a small subset of key investigations. The new tools are used far more frequently and provide granular data to assist investigators.

A longer and more detailed version of the same argument can be found in "Encryption and Globalization," forthcoming in the Columbia Science and Technology Law Review.

In a related story, there's a relatively new WikiLeaks data dump of documents related to government surveillance products.

"Chinese Hacking" of iBahn Internet Services

Citing unexplained "intelligence data," an unnamed "senior intelligence official," and an anonymous "privacy security official," Bloomberg News claims that iBahn -- the company that runs Internet services for a bunch of hotel chains -- has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China does lot of hacking, and so on. iBahn has denied the story.

Come on, people. I know that China hacking stories are plausible, but the bar for actual evidence should be higher than this.

Schneier News

Charles Mann made me the central focus of his article on airport security for "Vanity Fair". The article was supposed to have been in the tenth-anniversary-of-9/11 issue, but got delayed.
Here's a rebuttal to the piece. I agree with the two points at the end of the post; I just don't think it changes any of my analysis.
Mann also wrote about me in 2002 for "The Atlantic."

In 1997, I spoke at the Beyond HOPE Conference in New York. (HOPE stood for "Hackers On Planet Earth.) A video of that talk is available online.
Slides from talk:

In this video, you'll see my first cameo appearance in a transvestite-themed rock video at the 1:46 mark.

Liars and Outliers News

The Liars and Outliers webpage is live. On it, you can find links to order both paper and e-book copies from a variety of online retailers, and signed copies directly from me. I've also posted the jacket copy, the table of contents, the first chapter, the 15 figures from the book, an image of the full wraparound cover, and all the blurbs for the book.

Last month, I chose 10 winners from the 278 people who entered the drawing for a free galley copy. Those copies have all been mailed, as have copies to potential book reviewers.

Several readers suggested that I auction some copies, and I did that last week. Two blog readers won signed galleys, with the proceeds going to EFF and EPIC.

Book website--you can order signed copies here.

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2012 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.