May 15, 2014

by Bruce Schneier
CTO, Co3 Systems, Inc.
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1405.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:


Internet Subversion

In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back.

Trust is inherently social. It is personal, relative, situational, and fluid. It is not uniquely human, but it is the underpinning of everything we have accomplished as a species. We trust other people, but we also trust organizations and processes. The psychology is complex, but when we trust a technology, we basically believe that it will work as intended.

This is how we technologists trusted the security of the Internet. We didn't have any illusions that the Internet was secure, or that governments, criminals, hackers, and others couldn't break into systems and networks if they were sufficiently skilled and motivated. We didn't trust that the programmers were perfect, that the code was bug-free, or even that our crypto math was unbreakable. We knew that Internet security was an arms race, and the attackers had most of the advantages.

What we trusted was that the technologies would stand or fall on their own merits.

We now know that trust was misplaced. Through cooperation, bribery, threats, and compulsion, the NSA -- and the United Kingdom's GCHQ -- forced companies to weaken the security of their products and services, then lie about it to their customers.

We know of a few examples of this weakening. The NSA convinced Microsoft to make some unknown changes to Skype in order to make eavesdropping on conversations easier. The NSA also inserted a degraded random number generator into a common standard, then worked to get that generator used more widely.

I have heard engineers working for the NSA, FBI, and other government agencies delicately talk around the topic of inserting a "backdoor" into security products to allow for government access. One of them told me, "It's like going on a date. Sex is never explicitly mentioned, but you know it's on the table." The NSA's SIGINT Enabling Project has a $250 million annual budget; presumably it has more to show for itself than the fragments that have become public. Reed Hundt calls for the government to support a secure Internet, but given its history of installing backdoors, why would we trust claims that it has turned the page?

We also have to assume that other countries have been doing the same things. We have long believed that networking products from the Chinese company Huawei have been backdoored by the Chinese government. Do we trust hardware and software from Russia? France? Israel? Anywhere?

This mistrust is poison. Because we don't know, we can't trust any of them. Internet governance was largely left to the benign dictatorship of the United States because everyone more or less believed that we were working for the security of the Internet instead of against it. But now that system is in turmoil. Foreign companies are fleeing US suppliers because they don't trust American firms' security claims. Far worse governments are using these revelations to push for a more isolationist Internet, giving them more control over what their citizens see and say.

All so we could eavesdrop better.

There is a term in the NSA: "nobus," short for "nobody but us." The NSA believes it can subvert security in such a way that only it can take advantage of that subversion. But that is hubris. There is no way to determine if or when someone else will discover a vulnerability. These subverted systems become part of our infrastructure; the harms to everyone, once the flaws are discovered, far outweigh the benefits to the NSA while they are secret.

We can't both weaken the enemy's networks and protect our own. Because we all use the same products, technologies, protocols, and standards, we either allow everyone to spy on everyone, or prevent anyone from spying on anyone. By weakening security, we are weakening it against all attackers. By inserting vulnerabilities, we are making everyone vulnerable. The same vulnerabilities used by intelligence agencies to spy on each other are used by criminals to steal your passwords. It is surveillance versus security, and we all rise and fall together.

Security needs to win. The Internet is too important to the world -- and trust is too important to the Internet -- to squander it like this. We'll never get every power in the world to agree not to subvert the parts of the Internet they control, but we can stop subverting the parts we control. Most of the high-tech companies that make the Internet work are US companies, so our influence is disproportionate. And once we stop subverting, we can credibly devote our resources to detecting and preventing subversion by others.

This essay previously appeared in the "Boston Review."
http://www.bostonreview.net/mayjune-2014


New Al Qaeda Encryption Software

The Web intelligence company Recorded Future is reporting that al Qaeda is using new encryption software in the wake of the Snowden stories. I've been fielding press queries, asking me how this will adversely affect US intelligence efforts.

I think the reverse is true. I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.

https://www.recordedfuture.com/...
http://blogs.wsj.com/cio/2014/05/09/...

Me on snake oil:
https://www.schneier.com/crypto-gram-9902.html#snakeoil


News

Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that.
http://www.wired.com/2014/04/tails/
https://tails.boum.org/
https://www.schneier.com/blog/archives/2013/10/...

This is a crazy overreaction: "A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland." I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible. I suppose I should be happy he wasn't charged with terrorism.
http://www.kptv.com/story/25262461/...
http://www.oregonlive.com/portland/index.ssf/2014/...
They didn't flush the reservoir after all, but they did move the water.
http://www.kgw.com/news/...

Heartbleed can affect clients as well as servers.
http://blog.meldium.com/home/2014/4/10/...

There's a new study looking at the metaphors we use to describe surveillance. "Over 9 percent of the articles in our study contained metaphors related to the act of collection; 8 percent to literature...; about 6 percent to nautical themes; and more than 3 percent to authoritarian regimes." The only literature metaphor used is the book "1984."
http://www.pen.org/blog/...
This is sad. I agree with Daniel Solove that Kafka's "The Trial" is a much better literary metaphor.
http://papers.ssrn.com/sol3/papers.cfm?...
This article suggests some other literary metaphors, most notably Philip K. Dick.
http://www.theatlantic.com/entertainment/archive/...
And this one suggests the Eye of Sauron.
http://www.slate.com/articles/news_and_politics/...

Good information on Russia's bulk surveillance programs.
http://csis.org/publication/...
And this article is also excellent.
http://www.worldpolicy.org/journal/fall2013/...

Dan Geer on Heartbleed and software monocultures.
http://www.lawfareblog.com/2014/04/...

Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language.
http://www.net-security.org/secworld.php?id=16694
https://info.whitehatsec.com/...
http://info.whitehatsec.com/rs/whitehatsecurity/...

Conversnitch: a surveillance device resembling a light bulb that surreptitiously listens in on nearby conversations and posts snippets to Twitter. This is meant as an art project to raise awareness, but the technology is getting cheaper all the time.
http://www.wired.com/2014/04/...
Consumer spy devices are now affordable by the masses. For $54, you can buy a camera hidden in a smoke detector. For $80, you can buy one hidden in an alarm clock. There are many more options.
http://www.amazon.com/...
http://www.amazon.com/...
http://www.safetybasement.com/...

Interesting essay about how Google's lack of transparency is hurting its trust:
http://www.infoworld.com/print/239815

Handycipher is a new pencil-and-paper symmetric encryption algorithm. I'd bet a gazillion dollars that it's not secure, although I haven't done the cryptanalysis myself.
http://eprint.iacr.org/2014/257.pdf

Details of the iOS fingerprint recognition system.
http://www.reddit.com/r/apple/comments/23qeqf/...

Good essay on the Quantified Toilet hoax, and the difference between public surveillance and private self-surveillance.
http://www.theatlantic.com/technology/archive/2014/...
http://quantifiedtoilets.com/

It's been long known that individual analog devices have their own fingerprints. Decades ago, individual radio transmitters were identifiable and trackable. Now, researchers have found that accelerometers in smartphones are unique enough to be identifiable.
http://www.eurekalert.org/pub_releases/2014-04/...

Interesting article on the cybersecurity branch of the Federal Reserve System.
http://www.foreignpolicy.com/articles/2014/04/28/...

Comedian John Oliver interviewed now-retired NSA director General Keith Alexander. It's truly weird.
https://www.youtube.com/watch?v=k8lJ85pfb_E
http://www.theatlantic.com/politics/archive/2014/04/...

Detailed response and analysis of the inspectors general report on the Boston Marathon bombings, and the FBI's failure to prevent it:
http://www.lawfareblog.com/2014/04/...
Inspectors general report:
http://info.publicintelligence.net/...

Rats have destroyed dozens of electronic voting machines by eating the cables. It would have been a better story if the rats had zeroed out the machines after the votes had been cast but before they were counted, but it seems that they just ate the machines while they were in storage.
http://austriantimes.at/news/Around_the_World/...
There's a general thread running through security where high-tech replacements for low-tech systems have new and unexpected failures.

Interesting article on the business of selling enhancements that allow you to cheat in online video games.
http://www.pcgamer.com/2014/04/30/...

Mathias Döpfner writes an open letter explaining why he fears Google:
http://www.faz.net/aktuell/feuilleton/debatten/...
Two reactions:
http://www.faz.net/aktuell/feuilleton/debatten/...
http://www.faz.net/aktuell/feuilleton/debatten/...

Al Jazeera is reporting on e-mails received through FOIA detailing close ties between the NSA and Google. There are no smoking guns in the correspondence -- and the Al Jazeera article makes more of the e-mails than I think is there -- but it does show a closer relationship than either side has admitted to before.
http://america.aljazeera.com/articles/2014/5/6/...
http://www.washingtonpost.com/blogs/the-switch/wp/...
http://www.huffingtonpost.com/2014/05/06/...
http://www.computerworld.com/s/article/9248153/...

Interesting experiment shows that the retelling of stories increases conflict and bias.
http://www.psmag.com/navigation/books-and-culture/...
http://www.ncbi.nlm.nih.gov/pubmed/20550733
http://www.sciencedirect.com/science/article/pii/...
http://www.sendspace.com/file/rs1vhl

Putin requires Russian bloggers to register with the government.
http://www.nytimes.com/2014/05/07/world/europe/...

Steganography in Tweets. Clever, but make sure to heed the caveats in the final two paragraphs.
http://arstechnica.com/security/2014/05/...

Glenn Greenwald's new book, "No Place to Hide," was published this week. There are about 100 pages of NSA documents on the book's website. I haven't gone through them yet. At a quick glance, only a few of them have been published before.
http://glenngreenwald.net/pdf/...
http://glenngreenwald.net/
Here are two book reviews.
http://www.nytimes.com/2014/05/13/books/...
http://www.washingtonpost.com/opinions/...

New television show -- CSI: Cyber. I hope they have some good technical advisers, but I doubt they do.
http://www.latimes.com/entertainment/tv/showtracker/...

Symantec declared antivirus dead.
http://online.wsj.com/news/article_email/...
Brian Krebs writes a good response.
http://krebsonsecurity.com/2014/05/...
He's right: antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet.


Seventh Movie-Plot Threat Contest Semifinalists

On April 1, I announced the Seventh Movie Plot Threat Contest:

The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling the strings behind everyone's backs? Did it have to force companies to build surveillance into its products, or could it just piggy-back on market trends? How does it deal with liberal democracies and ruthless totalitarian dictatorships at the same time? Is it blackmailing Congress? How does the money flow? What's the story

Submissions are in, and here are the semifinalists.

1. Snowden as an NSA plant to incent homebrew crypto, by Doubleplusunlol.
https://www.schneier.com/blog/archives/2014/04/...

2. The NSA's quantum computer by Joshua Brulé.
https://www.schneier.com/blog/archives/2014/04/...

3. NSA takes over Google, by Jesse Shapiro.
https://www.schneier.com/blog/archives/2014/04/...

4. NSA, working for good, got the world dependent on them, by Guy Macon.
https://www.schneier.com/blog/archives/2014/04/...

5. Homeopathic factoring, by Ian McKellar.
https://www.schneier.com/blog/archives/2014/04/...

Cast your vote by number; voting closes at the end of the month.

Announcement:
https://www.schneier.com/blog/archives/2014/04/...


Schneier News

I'm speaking at the University of Zurich on May 21:
http://www.eiz.uzh.ch/...

I'm speaking at IT Security Inside in Zurich on May 22:
http://www.avantec.ch/ueber-avantec/inside.html

I'm speaking at the University of Oregon at Eugene on May 28, and then Portland on May 29:
http://ohc.uoregon.edu/vulnerable.html

I'm speaking at the Good Exchange in New York on June 3, and in London on June 5:
http://www1.good.com/forms/good-exchange-new-york.html
http://www1.good.com/forms/...

I'm speaking at the IEEE 2014 Conference on Norbert Weiner in the 21st Century in Boston on June 26:
http://www.21stcenturywiener.org/

I'm speaking at the 26th Annual FIRST Conference on Boston on June 27:
http://www.first.org/conference/2014


Espionage vs. Surveillance

According to NSA documents published in Glenn Greenwald's new book "No Place to Hide," we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam.

This will certainly strain international relations, as happened when it was revealed that the United States is eavesdropping on German Chancellor Angela Merkel's cell phone -- but is anyone really surprised? Spying on foreign governments is what the NSA is supposed to do. Much more problematic, and dangerous, is that the NSA spies on entire populations. It's a mistake to have the same laws and organizations involved with both activities, and it's time we separated the two.

The former is espionage: the traditional mission of the NSA. It's an important military mission, both in peacetime and wartime, and something that's not going to go away. It's targeted. It's focused. Decisions of whom to target are decisions of foreign policy. And secrecy is paramount.

The latter is very different. Terrorists are a different type of enemy; they're individual actors instead of state governments. We know who foreign government officials are and where they're located: in government offices in their home countries, and embassies abroad. Terrorists could be anyone, anywhere in the world. To find them, the NSA has to look for individual bad actors swimming in a sea of innocent people. This is why the NSA turned to broad surveillance of populations, both in the United States and internationally.

If you think about it, this is much more of a law enforcement sort of activity than a military activity. Both involve security, but just as the NSA's traditional focus was governments, the FBI's traditional focus was individuals. Before and after 9/11, both the NSA and the FBI were involved in counterterrorism. The FBI did work in the United States and abroad. After 9/11, the primary mission of counterterrorist surveillance was given to the NSA because it had existing capabilities, but the decision could have gone the other way.

Because the NSA got the mission, both the military norms and the legal framework from the espionage world carried over. Our surveillance efforts against entire populations were kept as secret as our espionage efforts against governments. And we modified our laws accordingly. The 1978 Foreign Intelligence Surveillance Act (FISA) that regulated NSA surveillance required targets to be "agents of a foreign power." When the law was amended in 2008 under the FISA Amendments Act, a target could be any foreigner anywhere.

Government-on-government espionage is as old as governments themselves, and is the proper purview of the military. So let the commander in chief make the determination on whose cell phones to eavesdrop on, and let the NSA carry those orders out.

Surveillance is a large-scale activity, potentially affecting billions of people, and different rules have to apply -- the rules of the police. Any organization doing such surveillance should apply the police norms of probable cause, due process and oversight to population surveillance activities. It should make its activities much less secret and more transparent. It should be accountable in open courts. This is how we and the rest of the world regain the trust in the actions of the United States.

In January, President Obama gave a speech on the NSA where he said two very important things. He said that the NSA would no longer spy on Angela Merkel's cell phone. And while he didn't extend that courtesy to the other 82 million citizens of Germany, he did say that he would extend some U.S. constitutional protections against warrantless surveillance to the rest of the world.

Separating espionage from surveillance, and putting the latter under a law enforcement regime instead of a military regime, is a step toward achieving that.

Book links:
http://glenngreenwald.net/
http://glenngreenwald.net/pdf/...

http://www.nytimes.com/2014/05/13/world/middleeast/...

My previous essays:
https://www.schneier.com/essay-449.html
http://www.theatlantic.com/politics/archive/2013/05/...
http://www.cnn.com/2013/07/31/opinion/...
http://www.cnn.com/2014/02/20/opinion/...

This essay was originally published on CNN.com.
http://www.cnn.com/2014/05/14/opinion/...


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.

Copyright (c) 2014 by Bruce Schneier.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.