February 15, 2012

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

Liars and Outliers Update

Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they ship copies as soon as they get them -- this ain't Harry Potter.) I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped books to everyone who ordered a signed copy.

I've seen five more reviews. And there's one print and one audio (there's also a transcript) interview about the book.

A bunch of people on Twitter have announced that they're enjoying the book. Right now, there are only three reviews on Amazon. Please, leave a review on Amazon. (I'll write about the problem of fake reviews on these sorts of sites in another post.)

I'm not sure, but I think the Kindle price is going to increase. So if you want the book at the current $10 price, now is the time to buy it.

At the end of February, I'll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author's Studio. I'll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I'll be doing a couple of signings there as well.

The book's webpage:

Ordering a signed copy:


Possibly the Most Incompetent TSA Story Yet

The storyline:

1. TSA screener finds two pipes in passenger's bags.

2. Screener determines that they're not a threat.

3. Screener confiscates them anyway, because of their "material and appearance."

4. Because they're not actually a threat, screener leaves them at the checkpoint.

5. Everyone forgets about them.

6. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able to explain how they got there and, presumably, because of their "material and appearance" -- calls the police bomb squad to remove the pipes.

7. TSA does not evacuate the airport, or even close the checkpoint, because -- well, we don't know why.

I don't even know where to begin.


A merchant is suing his bank, claiming that the PCI standard "force[s] merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized." The PCI standards are probably the biggest non-government security standard. It'll be interesting to see how this turns out.

Thankfully, this doesn't happen very often: "A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings."

Good operational security guide to Tor.

I wrote about the technique of using false alarms to disable security in my book, "Beyond Fear." Here it is being used to rob an art gallery.

Funny Onion news video on Facebook and the CIA.

Continuing the militarization of the U.S. police, the state of Texas gets an armed patrol boat. I guess armed drones weren't enough for them.

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the systems that apply, detect, and verify the chemicals.

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.
I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.

Supreme Court rules about GPS tracking without a warrant. I originally wrote that the ruling forces the police to get a warrant before placing a GPS tracking device on a car. Actually, the ruling is much more complicated and nuanced.

Readers of Crypto-Gram will know that I like the works of Max Abrahms, and regularly link to them. He has a new paper, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11," in "Defence and Peace Economics," 22:6 (2011), 583-94.

Interesting article on password sharing among American teens as a show of affection.
Ethnologist danah boyd discusses what's happening:
Related: a profile of danah boyd.

Pretty good essay on the nature of cyberwar:

On my blog, there was an interesting story about two British tourists detained at the U.S. border for their tweets.

Some errors in forensic science may be the result of the biases of the examiners.

The Idaho Loophole is -- if you believe the theory -- "a 50-square-mile swath of Idaho in which one can commit felonies with impunity."

Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value.

VeriSign hacked, successfully and repeatedly, in 2010. Reuters discovered the information.

The problems of too much information sharing. Yes, it's fake. But it's funny.

The error rate for hand-counted ballots can be as high as two percent. All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem, of course, is that elections must produce a single winner.)

"Solving the Underlying Economic Problem of Internet Piracy"
This essay is definitely thinking along the correct directions.

Interesting paper about the security risks of smaller aircraft.

Interesting blog post about locking down iPads so students can take exams on them.

Funny essay on captchas.

Adam Shostack explains to VeriSign that trust requires transparency. This is a lesson Path should have learned.

SSL traffic analysis on Google Maps.

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine. I like seeing the debate framed as a security trade-off.

Dumb risk of the day: geotagged images of children:

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it.

Now it seems that she's forgotten the key.

What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It's less credible for someone to say "I have no idea what my password is," and more likely to say something like "it was the word 'telephone' with a zero for the o and then some number following -- four digits, with a six in it -- and then a punctuation mark like a period." And then a brute-force password search could be targeted. I suppose someone could say "it was a random alphanumeric password created by an automatic program; I really have no idea," but I'm not sure a judge would believe it.
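To make the "partial recollection" point concrete, here is an added example (my own, not part of the newsletter) that sizes the candidate space implied by the half-remembered password above and compares it with a genuinely random alphanumeric one. The password template, the guess rate, and the 12-character comparison length are all assumptions chosen for illustration; the example only counts candidates and does not generate them.

```python
import math
import string
from itertools import product

# Constructed template for the half-remembered password described in the text:
#   "telephone" with a zero in place of the "o", then four digits (at least one
#   of them a 6), then one punctuation mark. The stem is fixed, so it contributes
#   exactly one possibility.
STEM = "teleph0ne"
PUNCTUATION = string.punctuation  # the 32 ASCII punctuation characters


def count_four_digits_with_a_six() -> int:
    """Number of 4-digit strings containing at least one '6'.

    Counted by enumeration so the closed form 10**4 - 9**4 is checked, not assumed.
    """
    return sum(1 for digits in product("0123456789", repeat=4) if "6" in digits)


def remembered_keyspace() -> int:
    """Candidate space implied by the partial recollection (stem x digits x punctuation)."""
    return 1 * count_four_digits_with_a_six() * len(PUNCTUATION)


def random_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Candidate space for a uniformly random password over [A-Za-z0-9]."""
    return alphabet_size ** length


def bits(candidates: int) -> float:
    """Entropy, in bits, of a uniform choice among the given number of candidates."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    partial = remembered_keyspace()
    random12 = random_keyspace(12)
    print(f"half-remembered template: {partial:,} candidates, {bits(partial):.1f} bits")
    print(f"random 12-char alphanumeric: {random12:.3e} candidates, {bits(random12):.1f} bits")
    # Assumed, modest rate: disk-encryption key derivation is deliberately slow.
    print(f"template exhausted in {seconds_to_exhaust(partial, 1000.0):.0f} s at 1,000 guesses/s")
```

The stem contributes nothing to the search; the whole space is roughly seventeen bits, which is why a statement like the one quoted above is far less protective than "I have no idea." A random 12-character alphanumeric password sits above seventy bits, and the difference between the two is the difference between minutes and the age of the universe at the same guess rate.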

U.S. ruling:
The ruling:
Good analysis:
Forgotten key:

Authentication by "Cognitive Footprint"

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.
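As an added illustration of what continuous behavioral authentication looks like in its simplest form (this is my example, not DARPA's or any product's design), the following builds a keystroke-timing profile from an enrolment sample and keeps scoring the live session in sliding windows, flagging the first window that drifts too far from the profile. The timing values are constructed, the z-score statistic and the window size and threshold are assumptions, and a real system would combine many such signals rather than one.

```python
import statistics
from typing import Optional

# Constructed sample data: inter-keystroke intervals in milliseconds.
# Enrolment sample captured while the legitimate user typed normally.
ENROLLED = [112, 118, 105, 121, 109, 115, 120, 108, 113, 117, 110, 116]

# A later session by the same user: similar rhythm throughout.
GENUINE_SESSION = [114, 110, 119, 107, 116, 112, 118, 111]

# A session that starts like the user and then changes rhythm, as it would if
# someone else took over the keyboard part-way through.
DRIFTING_SESSION = [114, 110, 119, 107, 116, 112, 165, 170, 160, 175, 168]


def build_profile(intervals: list) -> dict:
    """Summarise the enrolment sample as a mean and sample standard deviation."""
    return {"mean": statistics.mean(intervals), "stdev": statistics.stdev(intervals)}


def window_score(profile: dict, window: list) -> float:
    """Mean absolute z-score of a window of intervals against the profile.

    Values near 0 mean the window looks like the enrolled user; larger values
    mean the rhythm has moved away from what was learned.
    """
    return statistics.mean(abs(x - profile["mean"]) / profile["stdev"] for x in window)


def continuous_check(profile: dict, stream: list,
                     window_size: int = 5, threshold: float = 2.0) -> Optional[int]:
    """Slide a window over the session and return the index of the first window
    whose score exceeds the threshold, or None if the whole session stays within it.

    This is the 'authenticate continuously' loop: every new window is a fresh
    decision, rather than one decision at login.
    """
    for start in range(0, len(stream) - window_size + 1):
        window = stream[start:start + window_size]
        if window_score(profile, window) > threshold:
            return start
    return None


if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    print(f"profile: mean={profile['mean']:.1f} ms, stdev={profile['stdev']:.1f} ms")
    print("genuine session flagged at window:", continuous_check(profile, GENUINE_SESSION))
    print("drifting session flagged at window:", continuous_check(profile, DRIFTING_SESSION))
```

The threshold is the interesting knob: set it low and the legitimate user is challenged every time they are tired or switch keyboards; set it high and a takeover goes unnoticed for longer. That false-accept/false-reject trade-off is the same one every biometric faces, and a continuous scheme has to make it anew for every window.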

I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.

Schneier News

I am the Hal Clement Science Speaker at Boskone 49, Feb 17-19, in Boston.

I am speaking at the Messaging Anti-Abuse Working Group 24th General Meeting, Feb 22, in San Francisco.

I am speaking at the RSA Conference 2012, Feb 27-Mar 2, in San Francisco.

The Failure of Two-Factor Authentication

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.

This article describes exactly that.

My 2005 essay:

The solution is to authenticate the transaction, not the person.
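To show the difference between authenticating the person and authenticating the transaction, here is an added example of my own (not from the article or the 2005 essay). It models a one-time code that only proves possession of a token beside a code bound to the destination and amount, then shows what a real-time man-in-the-middle that rewrites the destination achieves against each. The secret, the account numbers, the truncated eight-hex-character code and the nonce handling are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-user secret, assumed to be provisioned into the user's token
# device at enrolment and never available to the browser or to a MITM proxy.
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"


def person_only_code(secret: bytes, nonce: str) -> str:
    """A conventional one-time code: it proves the person holds the token,
    but says nothing about which transaction it is meant to authorise."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:8]


def canonical(tx: dict) -> bytes:
    """Stable byte encoding of the fields the user actually cares about."""
    fields = {"to": tx["to"], "amount_cents": tx["amount_cents"], "nonce": tx["nonce"]}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(secret: bytes, tx: dict) -> str:
    """What the token computes after showing 'to' and 'amount' on its own display,
    so the user confirms the real transaction, not whatever the browser rendered."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()[:8]


def verify_person_only(secret: bytes, tx: dict, code: str) -> bool:
    """Bank-side check for the person-only scheme: any transaction arriving with
    a valid code is accepted, whatever its contents."""
    return hmac.compare_digest(person_only_code(secret, tx["nonce"]), code)


def verify_transaction(secret: bytes, tx: dict, code: str, seen_nonces: set) -> bool:
    """Bank-side check for the transaction-bound scheme: the code must match the
    exact transaction the bank is about to execute, and each nonce is single-use."""
    if tx["nonce"] in seen_nonces:
        return False  # replay of an already-executed transaction
    if not hmac.compare_digest(transaction_code(secret, tx), code):
        return False  # fields were altered after the user approved them
    seen_nonces.add(tx["nonce"])
    return True


def mitm_demo() -> dict:
    """A real-time MITM rewrites the destination account after the user has
    entered a code. Returns what each scheme decides."""
    intended = {"to": "ACCT-1234", "amount_cents": 5000, "nonce": "n-001"}
    tampered = dict(intended, to="ACCT-9999")  # what the bank actually receives
    seen = set()
    otp = person_only_code(TOKEN_SECRET, intended["nonce"])
    tx_code = transaction_code(TOKEN_SECRET, intended)
    return {
        "person_only_accepts_tampered": verify_person_only(TOKEN_SECRET, tampered, otp),
        "transaction_bound_accepts_tampered": verify_transaction(TOKEN_SECRET, tampered, tx_code, seen),
        "transaction_bound_accepts_intended": verify_transaction(TOKEN_SECRET, intended, tx_code, seen),
        "transaction_bound_accepts_replay": verify_transaction(TOKEN_SECRET, intended, tx_code, seen),
    }


if __name__ == "__main__":
    for check, outcome in mitm_demo().items():
        print(f"{check}: {outcome}")
```

The person-only code is accepted for the tampered transfer because nothing in it says which transfer it was for; the transaction-bound code is rejected because the bank recomputes it over the fields it is about to act on. The part that cannot be left out is the token's own display: if the user reads the destination and amount from the browser the MITM controls, binding the code to those fields binds it to the attacker's values.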

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2012 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.