Essays: 2003 Archives

Better get used to routine loss of personal privacy

  • Bruce Schneier
  • Minneapolis Star Tribune
  • December 21, 2003

At a gas station in British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair were able to steal millions before they were caught.

In at least 14 Kinko’s copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords and using them to access and open bank accounts online…

Are you sophisticated enough to recognize an Internet scam?

  • Bruce Schneier
  • The Mercury News
  • December 19, 2003

Recently I have been receiving e-mails from PayPal. At least, they look like they’re from PayPal. They send me to a Web site that looks like it’s from PayPal. And it asks for my password, just like PayPal. The problem is that it’s not from PayPal, and if I do what the Web site says, some criminal is going to siphon money out of my bank account.

Welcome to the third wave of network attacks, what I have named “semantic attacks.” They are much more serious and harder to defend against because they attack the user and not the computers. And they’re the future of fraud on the Internet…

Blaster and the Great Blackout

  • Bruce Schneier
  • Salon
  • December 16, 2003

Ten years ago our critical infrastructure was run by a series of specialized systems, both computerized and manual, on dedicated networks. Today, many of these computers have been replaced with standard mass-market computers connected via the Internet. This shift brings with it all sorts of cost savings, but it also brings additional risks. The same worms and viruses, the same vulnerabilities, the same Trojans and hacking tools that have so successfully ravaged the Internet can now affect our critical infrastructure.

For example, in late January 2003, the Slammer worm knocked out 911 emergency telephone service in Bellevue, Wash. The 911 data-entry terminals weren’t directly connected to the Internet, but they used the same servers that the rest of the city used, and when the servers started to fail (because the connected parts were hit by Slammer), the failure affected the 911 terminals…

Internet Worms and Critical Infrastructure

  • Bruce Schneier
  • CNET News.com
  • December 9, 2003

Did MSBlast cause the Aug. 14 blackout? The official analysis says “no,” but I’m not so sure. A November interim report a panel of government and industry officials issued concluded that the blackout was caused by a series of failures with the chain of events starting at FirstEnergy, a power company in Ohio. A series of human and computer failures then turned a small problem into a major one. And because critical alarm systems failed, workers at FirstEnergy did not stop the cascade, because they did not know what was happening.

This is where I think MSBlast, also known as Blaster, may have been involved…

Festung Amerika

  • Bruce Schneier
  • Financial Times Deutschland
  • November 11, 2003

Im Jahr 2004 werden die USA viele Milliarden Dollar für Sicherheit ausgeben. Leider ist das meiste davon zum Fenster herausgeworfen – wirklichen Schutz bringt diese Aufrüstung nicht
VON BRUCE SCHNEIER

Der 11. September 2001 hat ein Trauma hinterlassen. Seit den Terroranschlägen brauchen die Amerikaner das Gefühl von mehr Sicherheit. An Flughäfen wurden Soldaten der Nationalgarde stationiert, an vielen öffentlichen und gewerb-lichen Gebäuden wurden intensi-vere Passkontrollen eingeführt, die Polizei überwacht wichtige Brücken und Tunnels…

Liability changes everything

  • Bruce Schneier
  • Heise Security
  • November 2003

German translation

Computer security is not a problem that technology can solve. Security solutions have a technological component, but security is fundamentally a people problem. Businesses approach security as they do any other business uncertainty: in terms of risk management. Organizations optimize their activities to minimize their cost-risk product, and understanding those motivations is key to understanding computer security today.

It makes no sense to spend more on security than the original cost of the problem, just as it makes no sense to pay liability compensation for damage done when spending money on security is cheaper. Businesses look for financial sweet spots — -adequate security for a reasonable cost, for example — and if a security solution doesn’t make business sense, a company won’t do it…

Airplane Hackers

  • Bruce Schneier
  • IEEE Security & Privacy
  • November/December 2003

Nathaniel Heatwole is a student at Guilford College. Several times between 7 February and 15 September 2003, he tested airline security. First, he smuggled in box cutters, clay resembling plastic explosives, and bleach simulating bomb-making chemicals through security. Then he hid these things in airplane lavatories, along with notes. Finally, he sent an email to the US Transportation Security Administration (TSA) titled “Information Regarding Six Recent Security Breaches.”

The problem is that the TSA never asked him to test its security. In this same vein, computer networks have been plagued for years by hackers breaking into them. But these people aren’t breaking into systems for profit; they don’t commit fraud or theft. They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and just to see if they can…

Terror Profiles by Computers Are Ineffective

  • Bruce Schneier
  • Newsday
  • October 21, 2003

In September 2002, JetBlue Airways secretly turned over data about 1.5 million of its passengers to a company called Torch Concepts, under contract with the Department of Defense.

Torch Concepts merged this data with Social Security numbers, home addresses, income levels and automobile records that it purchased from another company, Acxiom Corp. All this was to test an automatic profiling system to automatically give each person a terrorist threat ranking.

Many JetBlue customers feel angry and betrayed that their data was shared without their consent. JetBlue’s privacy policy clearly states that “the financial and personal information collected on this site is not shared with any third parties.” Several lawsuits against JetBlue are pending. CAPPS II is the new system designed to profile air passengers — a system that would eventually single out certain passengers for extra screening and other passengers who would not be permitted to fly. After this incident, Congress has delayed the entire CAPPS II air passenger profiling system pending further review…

Outside View: Fixing intelligence

  • Bruce Schneier
  • UPI
  • October 14, 2003

A joint congressional intelligence inquiry has concluded that 9/11 could have been prevented if our nation’s intelligence agencies shared information better and coordinated more effectively. This is both a trite platitude and a profound proscription.

Intelligence is easy to understand after the fact. With the benefit of hindsight, it’s easy to draw lines from people in flight school here, to secret meetings in foreign countries there, over to interesting tips from informants, and maybe to INS records. Connecting the dots is child’s play.

Doing it before the fact is another matter entirely and, before 9/11, it wasn’t so easy. There’s a world of difference between intelligence data and intelligence information. Some data did, before the fact, point to 9/11, but it was buried in an enormous amount of irrelevant data leading to blind alleys, false conclusions, and innocent people…

CyberInsecurity: The Cost of Monopoly

How the Dominance of Microsoft's Products Poses a Risk to Security

  • Daniel Geer, Charles P. Pfleeger, Bruce Schneier, John S. Quarterman, Perry Metzger, Rebecca Bace, and Peter Gutmann
  • Computer & Communications Industry Association Report
  • September 24, 2003

Table of Contents

  1. 1. Author Listing
  2. 2. Introduction by Computer & Communications Industry Association (CCIA)
  3. 3. CyberInsecurity Report
  4. 4. Biographies of Authors

Authors of the report

Daniel Geer, Sc.D — Chief Technical Officer, @Stake

Charles P. Pfleeger, Ph.D — Master Security Architect, Exodus Communications, Inc.

Bruce Schneier — Founder, Chief Technical Officer, Counterpane Internet Security

John S. Quarterman — Founder, InternetPerils, Matrix NetSystems, Inc.

Perry Metzger — Independent Consultant

Rebecca Bace — CEO, Infidel

Peter Gutmann…

Voting and Technology: Who Gets to Count Your Vote?

Paperless voting machines threaten the integrity of democratic process by what they don't do.

  • David L. Dill, Bruce Schneier, and Barbara Simons
  • Communications of the ACM
  • August 2003

Voting problems associated with the 2000 U.S. Presidential election have spurred calls for more accurate voting systems. Unfortunately, many of the new computerized voting systems purchased today have major security and reliability problems.

The ideal voting technology would have five attributes: anonymity, scalability, speed, audit, and accuracy (direct mapping from intent to counted vote). In the rush to improve the first four, accuracy is being sacrificed. Accuracy is not how well the ballots are counted; it’s how well the process maps voter intent into counted votes and the final tally. People misread ballots, punch cards don’t tabulate properly, machines break down, ballots get lost. Mistakes, even fraud, happen…

The Speed of Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2003

“The Slammer worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.” (See “Inside the Slammer Worm,” p. 33 of this issue.)For the six months prior to the Sapphire (or SQL Slammer) worm’s release, the particular vulnerability that Slammer exploited was one of literally hundreds already known. Microsoft provided a patch, but many ignored it (so many patches, so little time). However, on 25 January 2003 at 05:30 UTC, installing that one patch suddenly became the most important thing system administrators could do to improve their security. A day later, a system administrator could install hundreds of other patches, but no one knows which patch will become the next vitally important one, or when…

Testimony before the Subcommittee on Cybersecurity, Science, and Research and Development

  • Bruce Schneier
  • June 25, 2003

Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.

Hearing on “Overview of the Cyber Problem-A Nation Dependent and Dealing with Risk”

Before the Subcommittee on Cybersecurity, Science, and Research and Development
Committee on Homeland Security
United States House of Representatives

June 25, 2003
2318 Rayburn House Office Building

Mr. Chairman, members of the Committee, thank you for the opportunity to testify today regarding cybersecurity, particularly in its relation to homeland defense and our nation’s critical infrastructure. My name is Bruce Schneier, and I have worked in the field of computer security for my entire career. I am the author of seven books on the topic, including the best-selling Secrets and Lies: Digital Security in a Networked World [1]. My newest book is entitled Beyond Fear: Thinking Sensibly About Security in an Uncertain World [2], and will be published in September. In 1999, I founded Counterpane Internet Security, Inc., where I hold the position of Chief Technical Officer. Counterpane Internet Security provides real-time security monitoring for hundreds of organizations, including several offices of the federal government…

Walls Don't Work in Cyberspace

  • Bruce Schneier
  • Wired
  • June 2003

Internet security is usually described as a fortress, with the good guys inside the wall and the bad guys outside. Network owners buy products to shore up the barrier, on the logic that a stronger wall will give them better security. Flaws in the network are holes in the barricade, patches the mortar that closes them.

This metaphor might have been appropriate 10 years ago, when the Internet was made up of disparate networks that occasionally communicated, but it’s outdated today. There are too many of us, doing too many things, interacting in too many ways. The Internet is more like a town…

Guilty Until Proven Innocent?

  • Bruce Schneier
  • IEEE Security & Privacy
  • May/June 2003

In April 2003, the US Justice Department administratively discharged the FBI of its statutory duty to ensure the accuracy and completeness of the National Crime Information Center (NCIC) database. This enormous database contains over 39 million criminal records and information on wanted persons, missing persons, and gang members, as well as information about stolen cars and boats. More than 80,000 law enforcement agencies have access to this database. On average, the database processes 2.8 million transactions each day.

The US Privacy Act of 1974 requires the FBI to make reasonable efforts to ensure the database records’ accuracy. However, in April, the Justice Department exempted the system from the law’s accuracy requirements…

American Cyberspace: Can We Fend off Attackers?

Forget It: Bland PR Document Has Only Recommendations

  • Bruce Schneier
  • San Jose Mercury News
  • March 7, 2003

AT 60 pages, the White House’s National Strategy to Secure Cyberspace is an interesting read, but it won’t help to secure cyberspace. It’s a product of consensus, so it doesn’t make any of the hard choices necessary to radically increase cyberspace security. Consensus doesn’t work in security design, and invariably results in bad decisions. It’s the compromises that are harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn’t work because the one crucial party in these negotiations — the attackers — aren’t sitting around the negotiating table with everyone else. They don’t negotiate, and they won’t abide by any security agreements…

Internet Shield: Secrecy and security

  • Bruce Schneier
  • SF Chronicle
  • March 2, 2003

THERE’S considerable confusion between the concepts of secrecy and security, and it is causing a lot of bad security and some surprising political arguments. Secrecy is not the same as security, and most of the time secrecy contributes to a false feeling of security instead of to real security.

Last month, the SQL Slammer worm ravished the Internet, infecting in some 15 minutes about 13 root servers that direct information traffic, and thus disrupting services as diverse as the 911 network in Seattle and much of Bank of America’s 13,000 ATM machines. The worm took advantage of a software vulnerability in a Microsoft database management program, one that allowed a malicious piece of software to take control of the computer…

Locks and Full Disclosure

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2003

The full disclosure vs bug secrecy debate is a lot larger than computer security. Blaze’s paper on master-key locking systems in this issue is an illustrative case in point. It turns out that the ways we’ve learned to conceptualize security and attacks in the computer world are directly applicable to other areas of security–like door locks. But the most interesting part of this entire story is that the locksmith community went ballistic after learning about what Blaze did.

The technique was known in the locksmithing community and in the criminal community for over a century, but was never discussed in public and remained folklore. Customers who bought these master key systems for over a century were completely oblivious to the security risks. Locksmiths liked it this way, believing that the security of a system is increased by keeping these sorts of vulnerabilities from the general population…

We Are All Security Consumers

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2003

Computer security is vital, and IEEE is launching this new magazine devoted to the topic. But there’s more to security than what this magazine is going to talk about. If we don’t help educate the average computer user about how to be a good security consumer, little of what we do matters.

Dozens of times a day, we are security consumers. Every time we cross the street, we’re buying security. When we brush our teeth in the morning, we’re buying security. We buy security when we lock our door, or our car. When you reach down at a checkout counter to buy a candy bar and notice that the package has been opened, why do you reach for another? It’s because for the price of the candy bar, you want to also buy as much security as you can…

Sidebar photo of Bruce Schneier by Joe MacInnis.