
I Seem to Be a Verb

From “The Insider’s TSA Dictionary”:

Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: “A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn’t it be more dangerous if I were to make my scissors into two blades, or to go into the bathroom on the secure side and sharpen my grandmother’s walking stick with one of the scissor blades into a terror spear. Then after I pointed out that all of our bodies contain a lot more than 3.4 ounces of liquids, the TSA guy got all pissed and asked me if I wanted to fly today. I totally Schneirered [sic] his ass.”

Supposedly the site is by a former TSA employee. I have no idea if that’s true.

Posted on December 28, 2012 at 12:34 PM

Becoming a Police Informant in Exchange for a Lighter Sentence

Fascinating article.

Snitching has become so commonplace that in the past five years at least 48,895 federal convicts—one of every eight—had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences.

How often informants pay to acquire information from brokers such as Watkins is impossible to know, in part because judges routinely seal court records that could identify them. It almost certainly represents an extreme result of a system that puts strong pressure on defendants to cooperate. Still, Watkins’ case is at least the fourth such scheme to be uncovered in Atlanta alone over the past 20 years.

Those schemes are generally illegal because the people who buy information usually lie to federal agents about where they got it. They also show how staggeringly valuable good information has become—prices ran into tens of thousands of dollars, or up to $250,000 in one case, court records show.

There are all sorts of complexities and unintended consequences in this system. This is just a small part of it:

The risks are obvious. If the government rewards paid-for information, wealthy defendants could potentially buy early freedom. Because such a system further muddies the question of how informants—already widely viewed as untrustworthy—know what they claim to know, “individual cases can be undermined and the system itself is compromised,” U.S. Justice Department lawyers said in a 2010 court filing.

Plea bargaining is illegal in many countries precisely because of the perverse incentives it sets up. I talk about this more in Liars and Outliers.

Posted on December 28, 2012 at 6:37 AM

Breaking Hard-Disk Encryption

The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it’s only $300. How does it work?

Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You’ll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off.

This isn’t new. I wrote about AccessData doing the same thing in 2007:

Even so, none of this might actually matter. AccessData sells another program, Forensic Toolkit, that, among other things, scans a hard drive for every printable character string. It looks in documents, in the Registry, in e-mail, in swap files, in deleted space on the hard drive … everywhere. And it creates a dictionary from that, and feeds it into PRTK.

And PRTK breaks more than 50 percent of passwords from this dictionary alone.

It’s getting harder and harder to maintain good file security.

Posted on December 27, 2012 at 1:02 PM

Public Shaming as a Security Measure

In Liars and Outliers, I talk a lot about the more social forms of security. One of them is reputational. This post is about that squishy sociological security measure: public shaming as a way to punish bigotry (and, by extension, to reduce the incidence of bigotry).

It’s a pretty rambling post, first listing some of the public shaming sites, then trying to figure out whether they’re a good idea or not, and finally coming to the conclusion that shaming doesn’t do very much good and—in many cases—unjustly rewards the shamer.

I disagree with a lot of this. I do agree with:

I do think that shame has a role in the way we control our social norms. Shame is a powerful tool, and it’s something that we use to keep our own actions in check all the time. The source of that shame varies immensely. Maybe we are shamed before God, or our parents, or our boss.

But I disagree with the author’s insistence that “shame, ultimately, has to come from ourselves. We cannot be forced to feel shame.” While technically it’s true, operationally it’s not. Shame comes from others’ reactions to our actions. Yes, we feel it inside—but it originates from our lifelong inculcation into the norms of our social group. And throughout the history of our species, social groups have used shame to effectively punish those who violate social norms. No one wants a bad reputation.

It’s also true that we all have defenses against shame. One of them is to have an alternate social group for whom the shameful behavior is not shameful at all. Another is to simply not care what the group thinks. But none of this makes shame a less valuable tool of societal pressure.

Like all forms of security that society uses to control its members, shame is both useful and valuable. And I’m sure it is effective against bigotry. It might not be obvious how to deploy it effectively in the international and sometimes anonymous world of the Internet, but that’s another discussion entirely.

Posted on December 27, 2012 at 6:21 AM

Hackers Use Backdoor to Break System

Industrial control system comes with a backdoor:

Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.

The security of this backdoor is secrecy. Of course, that never lasts:

Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.

Posted on December 26, 2012 at 6:05 AM

Phishing via Twitter

Interesting firsthand phishing story:

A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a website that certainly looked legit, and I was foolish enough to login. Pwnd. A few minutes later, my Twitter account was spewing tweetspam about the latest pseudo-scientific weight loss fad.

Posted on December 24, 2012 at 6:31 AM

This Week's Overreactions

Schools go into lockdown over a thermometer, a car backfiring, a bank robbery a few blocks away, a student alone in a gym, a neighbor on the street, and some vague unfounded rumors. And one high-school kid was arrested for drawing pictures of guns. Everywhere else, post-traumatic stupidity syndrome. (It’s not a new phrase—Google shows hits back to 2001—but it’s new to me. It reminds me of this.) I think of it as: “Something must be done. This is something. Therefore, we must do it.”

I’m not going to write about the Newtown school massacre. I wrote this earlier this year after the Aurora shooting, which was a rewrite of this about the 2007 Virginia Tech shootings. I feel as if I’m endlessly repeating myself. This essay, also from 2007, on the anti-terrorism “War on the Unexpected,” is also relevant. Just remember, we’re the safest we’ve been in 40 years.

Posted on December 21, 2012 at 12:12 PM
