Entries Tagged "secrecy"

Writing about IEDs

Really good article by a reporter who has been covering improvised explosive devices in Iraq:

Last summer, a U.S. Colonel in Baghdad told me that I was America’s enemy, or very close to it. For months, I had been covering the U.S. military’s efforts to deal with the threat of IEDs, improvised explosive devices. And my writing, he told me, was going too far—especially this January 2005 Wired News story, in which I described some of the Pentagon’s more exotic attempts to counter these bombs.

None of the material in the story—the stuff about microwave blasters or radio frequency jammers—was classified, he admitted. Most of it had been taken from open source materials. And many of the systems were years and years from being fielded. But by bundling it all together, I was doing a “world class job of doing the enemy’s research for him, for free.” So watch your step, he said, as I went back to my ride-alongs with the Baghdad Bomb Squad—the American soldiers defusing IEDs in the area.

Today, I hear that the President and the Pentagon’s higher-ups are trotting out the same argument. “News coverage of this topic has provided a rich source of information for the enemy, and we inadvertently contribute to our enemies’ collection efforts through our responses to media interest,” states a draft Defense Department memo, obtained by Inside Defense. “Individual pieces of information, though possibly insignificant taken alone, when aggregated provide robust information about our capabilities and weaknesses.”

In other words, Al Qaeda hasn’t discovered how to Google, yet. Don’t help ’em out.

Posted on March 20, 2006 at 11:53 AM

Googling for Covert CIA Agents

It’s easy to blow the cover of CIA agents using the Internet:

The CIA asked the Tribune not to publish her name because she is a covert operative, and the newspaper agreed. But unbeknown to the CIA, her affiliation and those of hundreds of men and women like her have somehow become a matter of public record, thanks to the Internet.

When the Tribune searched a commercial online data service, the result was a virtual directory of more than 2,600 CIA employees, 50 internal agency telephone numbers and the locations of some two dozen secret CIA facilities around the United States.

Only recently has the CIA recognized that in the Internet age its traditional system of providing cover for clandestine employees working overseas is fraught with holes, a discovery that is said to have “horrified” CIA Director Porter Goss.

Seems to be serious:

Not all of the 2,653 employees whose names were produced by the Tribune search are supposed to be working under cover. More than 160 are intelligence analysts, an occupation that is not considered a covert position, and senior CIA executives such as Tenet are included on the list.

Covert employees discovered

But an undisclosed number of those on the list—the CIA would not say how many—are covert employees, and some are known to hold jobs that could make them terrorist targets.

Other potential targets include at least some of the two dozen CIA facilities uncovered by the Tribune search. Most are in northern Virginia, within a few miles of the agency’s headquarters. Several are in Florida, Ohio, Pennsylvania, Utah and Washington state. There is one in Chicago.

Some are heavily guarded. Others appear to be unguarded private residences that bear no outward indication of any affiliation with the CIA.

A senior U.S. official, reacting to the computer searches that produced the names and addresses, said, “I don’t know whether Al Qaeda could do this, but the Chinese could.”

There are more articles.

Posted on March 13, 2006 at 11:02 AM

The NSA on How to Redact

Interesting paper.

Both the Microsoft Word document format (MS Word) and Adobe Portable Document (PDF) are complex, sophisticated computer data formats. They can contain many kinds of information such as text, graphics, tables, images, meta-data, and more all mixed together. The complexity makes them potential vehicles for exposing information unintentionally, especially when downgrading or sanitizing classified materials. Although the focus is on MS Word, the general guidance applies to other word processors and office tools, such as WordPerfect, PowerPoint, Excel, Star Office, etc.

This document does not address all the issues that can arise when distributing or downgrading original document formats such as MS Word or MS PowerPoint. Using original source formats, such as MS Word, for downgrading can entail exceptional risks; the lengthy and complicated procedures for mitigating such risks are outside the scope of this note.

EDITED TO ADD (2/1): The NSA page for the redaction document, and other “Security Configuration Guides,” is here.

Posted on February 1, 2006 at 1:09 PM

Vulnerability Disclosure Survey

If you have a moment, take this survey.

This research project seeks to understand how secrecy and openness can be balanced in the analysis and alerting of security vulnerabilities to protect critical national infrastructures. To answer this question, this thesis will investigate:

  1. How vulnerabilities are analyzed, understood and managed throughout the vulnerability lifecycle process.
  2. The ways that the critical infrastructure security community interact to exchange security-related information and the outcome of such interactions to date.
  3. The nature of and influences upon collaboration and information-sharing within the critical infrastructure protection community, particularly those handling internet security concerns.
  4. The relationship between secrecy and openness in providing and exchanging security-related information.

This looks interesting.

Posted on January 25, 2006 at 8:24 AM

Totally Secure Classical Communications?

My eighth Wired column:

How would you feel if you invested millions of dollars in quantum cryptography, and then learned that you could do the same thing with a few 25-cent Radio Shack components?

I’m exaggerating a little here, but if a new idea out of Texas A&M University turns out to be secure, we’ve come close.

Earlier this month, Laszlo Kish proposed securing a communications link, like a phone or computer line, with a pair of resistors. By adding electronic noise, or using the natural thermal noise of the resistors—called “Johnson noise”—Kish can prevent eavesdroppers from listening in.

In the blue-sky field of quantum cryptography, the strange physics of the subatomic world are harnessed to create a secure, unbreakable communications channel between two points. Kish’s research is intriguing, in part, because it uses the simpler properties of classic physics—the stuff you learned in high school—to achieve the same results.

At least, that’s the theory.

I go on to describe how the system works, and then discuss the security:

There hasn’t been enough analysis. I certainly don’t know enough electrical engineering to know whether there is any clever way to eavesdrop on Kish’s scheme. And I’m sure Kish doesn’t know enough security to know that, either. The physics and stochastic mathematics look good, but all sorts of security problems crop up when you try to actually build and operate something like this.

It’s definitely an idea worth exploring, and it’ll take people with expertise in both security and electrical engineering to fully vet the system.

There are practical problems with the system, though. The bandwidth the system can handle appears very limited. The paper gives the bandwidth-distance product as 2 x 10^6 meter-Hz. This means that over a 1-kilometer link, you can only send at 2,000 bps. A dialup modem from 1985 is faster. Even with a fat 500-pair cable you’re still limited to 1 million bps over 1 kilometer.

And multi-wire cables have their own problems; there are all sorts of cable-capacitance and cross-talk issues with that sort of link. Phone companies really hate those high-density cables, because of how long it takes to terminate or splice them.

Even more basic: It’s vulnerable to man-in-the-middle attacks. Someone who can intercept and modify messages in transit can break the security. This means you need an authenticated channel to make it work—a link that guarantees you’re talking to the person you think you’re talking to. How often in the real world do we have a wire that is authenticated but not confidential? Not very often.

Generally, if you can eavesdrop you can also mount active attacks. But this scheme only defends against passive eavesdropping.

For those keeping score, that’s four practical problems: It’s only link encryption and not end-to-end, it’s bandwidth-limited (but may be enough for key exchange), it works best for short ranges and it requires authentication to make it work. I can envision some specialized circumstances where this might be useful, but they’re few and far between.

But quantum key distributions have the same problems. Basically, if Kish’s scheme is secure, it’s superior to quantum communications in every respect: price, maintenance, speed, vibration, thermal resistance and so on.

Both this and the quantum solution share another problem, however; they’re solutions looking for a problem. In the realm of security, encryption is the one thing we already do pretty well. Focusing on encryption is like sticking a tall stake in the ground and hoping the enemy runs right into it, instead of building a wide wall.

Arguing about whether this kind of thing is more secure than AES—the United States’ national encryption standard—is like arguing about whether the stake should be a mile tall or a mile and a half tall. However tall it is, the enemy is going to go around the stake.

Software security, network security, operating system security, user interface—these are the hard security problems. Replacing AES with this kind of thing won’t make anything more secure, because all the other parts of the security system are so much worse.

This is not to belittle the research. I think information-theoretic security is important, regardless of practicality. And I’m thrilled that an easy-to-build classical system can work as well as a sexy, media-hyped quantum cryptosystem. But don’t throw away your crypto software yet.

Here’s the press release, here’s the paper, and here’s the Slashdot thread.

EDITED TO ADD (1/31): Here’s an interesting rebuttal.

Posted on December 15, 2005 at 6:13 AM

The Onion on Security

“CIA Realizes It’s Been Using Black Highlighters All These Years”:

A report released Tuesday by the CIA’s Office of the Inspector General revealed that the CIA has mistakenly obscured hundreds of thousands of pages of critical intelligence information with black highlighters.

According to the report, sections of the documents—“almost invariably the most crucial passages”—are marred by an indelible black ink that renders the lines impossible to read, due to a top-secret highlighting policy that began at the agency’s inception in 1947.

“Terrorist Has No Idea What To Do With All This Plutonium”:

Yaquub Akhtar, the leader of an eight-man cell linked to a terrorist organization known as the Army Of Martyrs, admitted Tuesday that he “doesn’t have the slightest clue” what to do with the quarter-kilogram of plutonium he recently acquired.

And “RIAA Bans Telling Friends About Songs.”

Posted on December 3, 2005 at 9:26 AM

Secret NSA Patents

From The New Scientist:

The hyper-secretive US National Security Agency—the government’s eavesdropping arm—appears to be having its patent applications increasingly blocked by the Pentagon. And the grounds for this are for reasons of national security, reveals information obtained under a freedom of information request.

Most Western governments can prevent the granting (and therefore publishing) of patents on inventions deemed to contain sensitive information of use to an enemy or terrorists. They do so by issuing a secrecy order barring publication and even discussion of certain inventions.

Experts at the US Patent and Trademark Office perform an initial security screening of all patent applications and then army, air force and navy staff at the Pentagon’s Defense Technology Security Administration (DTSA) makes the final decision on what is classified and what is not.

Now figures obtained from the USPTO under a freedom of information request by the Federation of American Scientists show that the NSA had nine of its patent applications blocked in the financial year to March 2005 against five in 2004, and none in each of the three years up to 2003.

EDITED TO ADD: This story is wrong.

Posted on November 1, 2005 at 7:46 AM

FBI Abuses of the USA Patriot Act

Since the Patriot Act was passed, administration officials have repeatedly assured the public and Congress that there have not been improper uses of that law. As recently as April 27, 2005, Attorney General Alberto Gonzales testified that “there has not been one verified case of civil liberties abuse.”

However:

Documents obtained by EPIC from the FBI describe thirteen cases of possible misconduct in intelligence investigations. The case numbering suggests that there were at least 153 investigations of misconduct at the FBI in 2003 alone.

These documents reveal that the Intelligence Oversight Board has investigated many instances of alleged abuse, and perhaps most critically, may not have disclosed these facts to the Congressional oversight committees charged with evaluating the Patriot Act.

According to The Washington Post:

In one case, FBI agents kept an unidentified target under surveillance for at least five years—including more than 15 months without notifying Justice Department lawyers after the subject had moved from New York to Detroit. An FBI investigation concluded that the delay was a violation of Justice guidelines and prevented the department “from exercising its responsibility for oversight and approval of an ongoing foreign counterintelligence investigation of a U.S. person.”

In other cases, agents obtained e-mails after a warrant expired, seized bank records without proper authority and conducted an improper “unconsented physical search,” according to the documents.

Although heavily censored, the documents provide a rare glimpse into the world of domestic spying, which is governed by a secret court and overseen by a presidential board that does not publicize its deliberations. The records are also emerging as the House and Senate battle over whether to put new restrictions on the controversial USA Patriot Act, which made it easier for the government to conduct secret searches and surveillance but has come under attack from civil liberties groups.

EPIC received these documents under FOIA, and has written to the Senate Judiciary Committee to urge hearings on the matter, and has recommended that the Attorney General be required to report to Congress when the Intelligence Oversight Board receives allegations of unlawful intelligence investigations.

This week marks the four-year anniversary of the enactment of the Patriot Act. Does anyone feel safer because of it?

EDITED TO ADD: There’s a New York Times article on the topic.

Posted on October 25, 2005 at 7:09 AM

Domestic Spying in the U.S.

There are two bills in Congress that would grant the Pentagon greater rights to spy on Americans in the U.S.:

The Pentagon would be granted new powers to conduct undercover intelligence gathering inside the United States—and then withhold any information about it from the public—under a series of little noticed provisions now winding their way through Congress.

Citing in part the need for “greater latitude” in the war on terror, the Senate Intelligence Committee recently approved broad-ranging legislation that gives the Defense Department a long sought and potentially crucial waiver: it would permit its intelligence agents, such as those working for the Defense Intelligence Agency (DIA), to covertly approach and cultivate “U.S. persons” and even recruit them as informants—without disclosing they are doing so on behalf of the U.S. government.

[…]

At the same time, the Senate intelligence panel also included in the bill two other potentially controversial amendments—one that would allow the Pentagon and other U.S. intelligence agencies greater access to federal government databases on U.S. citizens, and another granting the DIA new exemptions from disclosing any “operational files” under the Freedom of Information Act (FOIA).

Posted on October 13, 2005 at 11:47 AM
