Cryptography Rap
The rapper MC Plus+ has written a song about cryptography, “Alice and Bob.” It mentions DES, AES, Blowfish, RSA, SHA-1, and more. And me!
EDITED TO ADD (5/8): An article about “geeksta rap.”
Entries Tagged "Schneier news"
Page 39 of 42
Man Sues Compaq for False Advertising
Convicted felon Michael Crooker is suing Compaq (now HP) for false advertising. He bought a computer promised to be secure, but the FBI got his data anyway:
He bought it in September 2002, expressly because it had a feature called DriveLock, which freezes up the hard drive if you don’t have the proper password.
The computer’s manual claims that “if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq’s headquarters staff,” Crooker wrote in the suit.
Crooker has a copy of an ATF search warrant for files on the computer, which includes a handwritten notation: “Computer lock not able to be broken/disabled. Computer forwarded to FBI lab.” Crooker says he refused to give investigators the password, and was told the computer would be broken into “through a backdoor provided by Compaq,” which is now part of HP.
It’s unclear what was done with the laptop, but Crooker says a subsequent search warrant for his e-mail account, issued in January 2005, showed investigators had somehow gained access to his 40 gigabyte hard drive. The FBI had broken through DriveLock and accessed his e-mails (both deleted and not) as well as lists of websites he’d visited and other information. The only files they couldn’t read were ones he’d encrypted using Wexcrypt, a software program freely available on the Internet.
I think this is great. It’s about time that computer companies were held liable for their advertising claims.
But his lawsuit against HP may be a long shot. Crooker appears to face strong counterarguments to his claim that HP is guilty of breach of contract, especially if the FBI made the company provide a backdoor.
“If they had a warrant, then I don’t see how his case has any merit at all,” said Steven Certilman, a Stamford attorney who heads the Technology Law section of the Connecticut Bar Association. “Whatever means they used, if it’s covered by the warrant, it’s legitimate.”
If HP claimed DriveLock was unbreakable when the company knew it was not, that might be a kind of false advertising.
But while documents on HP’s web site do claim that without the correct passwords, a DriveLock’ed hard drive is “permanently unusable,” such warnings may not constitute actual legal guarantees.
According to Certilman and other computer security experts, hardware and software makers are careful not to make themselves liable for the performance of their products.
“I haven’t heard of manufacturers, at least for the consumer market, making a promise of computer security. Usually you buy naked hardware and you’re on your own,” Certilman said. In general, computer warrantees are “limited only to replacement and repair of the component, and not to incidental consequential damages such as the exposure of the underlying data to snooping third parties,” he said. “So I would be quite surprised if there were a gaping hole in their warranty that would allow that kind of claim.”
That point meets with agreement from the noted computer security skeptic Bruce Schneier, the chief technology officer at Counterpane Internet Security in Mountain View, Calif.
“I mean, the computer industry promises nothing,” he said last week. “Did you ever read a shrink-wrapped license agreement? You should read one. It basically says, if this product deliberately kills your children, and we knew it would, and we decided not to tell you because it might harm sales, we’re not liable. I mean, it says stuff like that. They’re absurd documents. You have no rights.”
My final quote in the article:
“Unfortunately, this probably isn’t a great case,” Schneier said. “Here’s a man who’s not going to get much sympathy. You want a defendant who bought the Compaq computer, and then, you know, his competitor, or a rogue employee, or someone who broke into his office, got the data. That’s a much more sympathetic defendant.”
Da Vinci Code Ruling Code
There is a code embedded in the ruling in The Da Vinci Code plagiarism case.
You can find it by searching for the characters in italic and boldface scattered throughout the ruling. The first characters spell out “SMITHCODE”: that’s the name of the judge who wrote the ruling The rest remains unsolved.
According to The Times, the remaining letters are: J, a, e, i, e, x, t, o, s, t, p, s, a, c, g, r, e, a, m, q, w, f, k, a, d, p, m, q, z.
According to The Register, the remaining letters are: j a e i e x t o s t g p s a c g r e a m q w f k a d p m q z v.
According to one of my readers, who says he “may have missed some letters,” it’s: SMITHYCODEJAEIEXTOSTGPSACGREAMQWFKADPMQZV.
I think a bunch of us need to check for ourselves, and then compare notes.
And then we have to start working on solving the thing.
From the BBC:
Although he would not be drawn on his code and its meaning, Mr Justice Smith said he would probably confirm it if someone cracked it, which was “not a difficult thing to do”.
As an aside, I am mentioned in Da Vinci Code. No, really. Page 199 of the American hardcover edition. “Da Vinci had been a cryptography pioneer, Sophie knew, although he was seldom given credit. Sophie’s university instructors, while presenting computer encryption methods for securing data, praised modern cryptologists like Zimmermann and Schneier but failed to mention that it was Leonardo who had invented one of the first rudimentary forms of public key encryption centuries ago.”
That’s right. I am a realistic background detail.
EDITED TO ADD (4/28): The code is broken. Details are in The New York Times:
Among Justice Smith’s hints, he told decoders to look at page 255 in the British paperback edition of “The Da Vinci Code,” where the protagonists discuss the Fibonacci Sequence, a famous numerical series in which each number is the sum of the two preceding ones. Omitting the zero as Dan Brown, “The Da Vinci Code” author, does the series begins 1, 1, 2, 3, 5, 8, 13, 21.
Solving the judge’s code requires repeatedly applying the Fibonacci Sequence, through the number 21, to the apparently random coded letters that appear in boldfaced italics in the text of his ruling: JAEIEXTOSTGPSACGREAMQWFKADPMQZVZ.
For example, the fourth letter of the coded message is I. The fourth number of the Fibonacci Sequence, as used in “The Da Vinci Code,” is 3. Therefore, decoding the I requires an alphabet that starts at the third letter of the regular alphabet, C. I is the ninth letter regularly; the ninth letter of the alphabet starting with C is K; thus, the I in the coded message stands for the letter K.
The judge inserted two twists to confound codebreakers. One is a typographical error: a letter that should have been an H in both the coded message and its translation is instead a T. The other is drawn from “Holy Blood, Holy Grail,” the other book in the copy right case. It concerns the number 2 in the Fibonacci series, which becomes a requirement to count two letters back in the regular alphabet rather than a signal to use an alphabet that begins with B. For instance, the first E in the coded message, which corresponds to a 2 in the Fibonacci series, becomes a C in the answer.
The message reads: “Jackie Fisher who are you Dreadnought.”
I’m disappointed, actually. That was a whopper of a hint, and I would have preferred the judge to keep quiet.
EDITED TO ADD (5/8): Commentary on my name being in The Da Vinci Code.
Movie Plot Threat Contest: Status Report
On the first of this month, I announced my (possibly First) Movie-Plot Threat Contest.
Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.
Your goal: cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.
Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.
As of this morning, the blog post has 580 comments. I expected a lot of submissions, but the response has blown me away.
Looking over the different terrorist plots, they seem to fall into several broad categories. The first category consists of attacks against our infrastructure: the food supply, the water supply, the power infrastructure, the telephone system, etc. The idea is to cripple the country by targeting one of the basic systems that make it work.
The second category consists of big-ticket plots. Either they have very public targets—blowing up the Super Bowl, the Oscars, etc.—or they have high-tech components: nuclear waste, anthrax, chlorine gas, a full oil tanker, etc. And they are often complex and hard to pull off. This is the 9/11 idea: a single huge event that affects the entire nation.
The third category consists of low-tech attacks that go on and on. Several people imagined a version of the DC sniper scenario, but with multiple teams. The teams would slowly move around the country, perhaps each team starting up after the previous one was captured or killed. Other people suggested a variant of this with small bombs in random public locations around the country.
(There’s a fourth category: actual movie plots. Some entries are comical, unrealistic, have science fiction premises, etc. I’m not even considering those.)
The better ideas tap directly into public fears. In my book, Beyond Fear, I discusse five different tendencies people have to exaggerate risks: to believe that something is more risky than it actually is.
- People exaggerate spectacular but rare risks and downplay common risks.
- People have trouble estimating risks for anything not exactly like their normal situation.
- Personified risks are perceived to be greater than anonymous risks.
- People underestimate risks they willingly take and overestimate risks in situations they can’t control.
- People overestimate risks that are being talked about and remain an object of public scrutiny.
The best plot ideas leverage one or more of those tendencies. Big-ticket attacks leverage the first. Infrastructure and low-tech attacks leverage the fourth. And every attack tries to leverage the fifth, especially those attacks that go on and on. I’m willing to bet that when I find a winner, it will be the plot that leverages the greatest number of those tendencies to the best possible advantage.
I also got a bunch of e-mails from people with ideas they thought too terrifying to post publicly. Some of them wouldn’t even tell them to me. I also received e-mails from people accusing me of helping the terrorists by giving them ideas.
But if there’s one thing this contest demonstrates, it’s that good terrorist ideas are a dime a dozen. Anyone can figure out how to cause terror. The hard part is execution.
Some of the submitted plots require minimal skill and equipment. Twenty guys with cars and guns—that sort of thing. Reading through them, you have to wonder why there have been no terrorist attacks in the U.S. since 9/11. I don’t believe the “flypaper theory,” that the terrorists are all in Iraq instead of in the U.S. And despite all the ineffectual security we’ve put in place since 9/11, I’m sure we have had some successes in intelligence and investigation—and have made it harder for terrorists to operate both in the U.S. and abroad.
But mostly, I think terrorist attacks are much harder than most of us think. It’s harder to find willing recruits than we think. It’s harder to coordinate plans. It’s harder to execute those plans. Terrorism is rare, and for all we’ve heard about 9/11 changing the world, it’s still rare.
The submission deadline is the end of this month, so there’s still time to submit your entry. And please read through some of the others and comment on them; I’m curious as to what other people think are the most interesting, compelling, realistic, or effective scenarios.
EDITED TO ADD (4/23): The contest made The New York Times.
Speaking at ACLU Washington Event
The Seattle Times wrote about my keynote address at the ACLU Washington Annual Membership Conference yesterday.
RSA Conference
Next week is the RSA Conference in San Jose, CA. I will speak on “The Economics of Security” at 4:30 PM on the 14th, and again on “Why Security Has So Little to Do with Security” at 2:00 PM on the 15th. I will also participate in a main-stage panel on ID cards at 8:00 AM on the 16th.
Also, my wife and I have written a 110-page restaurant guidebook for the downtown San Jose area. It’s a fun read, even if you aren’t looking for a San Jose restaurant. (Do people know that I write restaurant reviews for the Minneapolis Star Tribune?)
The restaurant guide will be available at the conference—and of course you can download it—but I have a few hundred to give away here. I’ll send a copy to anyone who wants one, in exchange for postage. (It’s not about the money, but I need some sort of gating function so that only those actually interested get a copy.)
Cost is $2.50 if you live in the U.S., $3.00 for Canada/Mexico, and $6.00 elsewhere. I’ll accept PayPal to my e-mail address—schneier@counterpane.com—or a check to Bruce Schneier, Counterpane Internet Security, Inc., 1090A La Avenida, Mountain View, CA 94043. Sorry, but I can’t accept credit cards directly.
Passlogix Misquotes Me in Their PR Material
I recently received a PR e-mail from a company called Passlogix:
Password security is still a very prevalent threat, 2005 had security gurus like Bruce Schneier publicly suggest that you actually write them down on sticky-notes. A recent survey stated 78% of employees use passwords as their primary forms of security, 52% use the same password for their accounts—yet 77% struggle to remember their passwords.
Actually, I don’t. I recommend writing your passwords down and keeping them in your wallet.
I know nothing about this company, but I am unhappy at their misrepresentation of what I said.
Twofish Cryptanalysis Rumors
Recently I have been hearing some odd “Twofish has been broken” rumors. I thought I’d quell them once and for all.
Rumors of the death of Twofish has been greatly exaggerated.
The analysis in question is by Shiho Moriai and Yiqun Lisa Yin, who published their results in Japan in 2000. Recently, someone either got a copy of the paper or heard about the results, and rumors started spreading.
Here’s the actual paper. It presents no cryptanalytic attacks, only some hypothesized differential characteristics. Moriai and Yin discovered byte-sized truncated differentials for 12- and 16-round Twofish (the full cipher has 16 rounds), but were unable to use them in any sort of attack. They also discovered a larger, 5-round truncated differential. No one has been able to convert these differentials into an attack, and Twofish is nowhere near broken. On the other hand, they are excellent and interesting results—and it’s a really good paper.
In more detail, here are the paper’s three results:
- The authors show a 12-round truncated differential characteristic that predicts that the 2nd byte of the ciphertext difference will be 0 when the plaintext difference is all-zeros except for its last byte. They say the characteristic holds with probability 2-40.9. Note that for an ideal cipher, we expect the 2nd byte of ciphertext to be 0 with probability 2-8, just by chance. Of course, 2-8 is much, much larger than 2-40.9. Therefore, this is not particularly useful in a distinguishing attack.
One possible interpretation of their result would be to conjecture that the 2nd byte of ciphertext difference will be 0 with probability 2-8 + 2-40.9 for Twofish, but only 2-8 for an ideal cipher. Their characteristic is just one path. If one is lucky, perhaps all other paths behave randomly and contribute an additional 2-8 factor to the total probability of getting a 0 in the 2nd byte of ciphertext difference. Perhaps. One might conjecture that, anyway.
It is not at all clear whether this conjecture is true, and the authors are careful not to claim it. If it were true, it might lead to a theoretical distinguishing attack using 275 chosen plaintexts or so (very rough estimate). But I’m not at all sure that the conjecture is true.
- They show a 16-round truncated differential that predicts that the 2nd byte of the ciphertext difference will be 0 (under the same input difference). Their characteristic holds with probability 2-57.3 (they say). Again, this is not very useful.
Analogously to the first result, one might conjecture that the 2nd byte of the ciphertext difference will be 0 with probability 2-8 + 2-57.3 for Twofish, but probability 2-8 for an ideal cipher. If this were true, one might be able to mount a distinguishing attack with 2100 chosen plaintexts or so (another very rough estimate). But I have no idea whether the conjecture is true.
- They also show a 5-round truncated differential characteristic that predicts that the input difference that is non-zero everywhere except in its 9th byte will lead to an output difference of the same form. This characteristic has probability 2-119.988896, they say (but they also say that they have made some approximations, and the actual probabilities can be a little smaller or a little larger). Compared to an ideal cipher, where one would expect this to happen by chance with probability 2-120, this isn’t very interesting. It’s hard to imagine how this could be useful in a distinguishing attack.
The paper theorizes that all of these characteristics might be useful in an attack, but I would be very careful about drawing any conclusions. It can be very tricky to go from single-path characteristics whose probability is much smaller than the chances of it happening by chance in an ideal cipher, to a real attack. The problem is in the part where you say “let’s just assume all other paths behave randomly.” Often the other paths do not behave randomly, and attacks that look promising fall flat on their faces.
We simply don’t know whether these truncated differentials would be useful in a distinguishing attack. But what we do know is that even if everything works out perfectly to the cryptanalyst’s benefit, and if an attack is possible, then such an attack is likely to require a totally unrealistic number of chosen plaintexts. 2100 plaintexts is something like a billion billion DVDs’ worth of data, or a T1 line running for a million times the age of the universe. (Note that these numbers might be off by a factor of 1,000 or so. But honestly, who cares? The numbers are so huge as to be irrelevent.) And even with all that data, a distinguishing attack is not the same as a key recovery attack.
Again, I am not trying to belittle the results. Moriai and Yin did some great work here, and they deserve all kinds of credit for it. But even from a theoretical perspective, Twofish isn’t even remotely broken. There have been no extensions to these results since they were published five years ago. The best Twofish cryptanalysis is still the work we did during the design process: available on the Twofish home page.
Password Safe in the News
Password Safe is my freeware program to help you manage all the passwords you’re expected to remember.
There’s a nice article in The Washington Post about it.
Code Signing
There’s a discussion on Slashdot about the security of code signing, and particularly my comments on the topic in the book Secrets and Lies.
Sidebar photo of Bruce Schneier by Joe MacInnis.