secrecy Archives - Page 9 of 21 - Schneier on Security

Entries Tagged "secrecy"

Page 9 of 21

Kahn, Diffie, Clark, and Me at Bletchley Park

Saturday, I visited Bletchley Park to speak at the Annual ACCU Security Fundraising Conference. They had a stellar line of speakers this year, and I was pleased to be a part of the day.

Talk #1: “The Art of Forensic Warfare,” Andy Clark. Riffing on Sun Tzu’s The Art of War, Clark discussed the war—the back and forth—between cyber attackers and cyber forensics. This isn’t to say that we’re at war, but today’s attacker tactics are increasingly sophisticated and warlike. Additionally, the pace is greater, the scale of impact is greater, and the subjects of attack are broader. To defend ourselves, we need to be equally sophisticated and—possibly—more warlike.

Clark drew parallels from some of the chapters of Sun Tzu’s book combined with examples of the work at Bletchley Park. Laying plans: when faced with an attacker—especially one of unknown capabilities, tactics, and motives—it’s important to both plan ahead and plan for the unexpected. Attack by stratagem: increasingly, attackers are employing complex and long-term strategies; defenders need to do the same. Energy: attacks increasingly start off simple and get more complex over time; while it’s easier to defect primary attacks, secondary techniques tend to be more subtle and harder to detect. Terrain: modern attacks take place across a very broad range of terrain, including hardware, OSs, networks, communication protocols, and applications. The business environment under attack is another example of terrain, equally complex. The use of spies: not only human spies, but also keyloggers and other embedded eavesdropping malware. There’s a great World War II double-agent story about Eddie Chapman, codenamed ZIGZAG.

Talk #2: “How the Allies Suppressed the Second Greatest Secret of World War II,” David Kahn. This talk is from Kahn’s article of the same name, published in the Oct 2010 issue of The Journal of Military History. The greatest secret of World War II was the atom bomb; the second greatest secret was that the Allies were reading the German codes. But while there was a lot of public information in the years after World War II about Japanese codebreaking and its value, there was almost nothing about German codebreaking. Kahn discussed how this information was suppressed, and how historians writing World War II histories never figured it out. No one imagined as large and complex an operation as Bletchley Park; it was the first time in history that something like this had ever happened. Most of Kahn’s time was spent in a very interesting Q&A about the history of Bletchley Park and World War II codebreaking.

Talk #3: “DNSSec, A System for Improving Security of the Internet Domain Name System,” Whitfield Diffie. Whit talked about three watersheds in modern communications security. The first was the invention of the radio. Pre-radio, the most common communications security device was the code book. This was no longer enough when radio caused the amount of communications to explode. In response, inventors took the research in Vigenère ciphers and automated them. This automation led to an explosion of designs and an enormous increase in complexity—and the rise of modern cryptography.

The second watershed was shared computing. Before the 1960s, the security of computers was the physical security of computer rooms. Timesharing changed that. The result was computer security, a much harder problem than cryptography. Computer security is primarily the problem of writing good code. But writing good code is hard and expensive, so functional computer security is primarily the problem of dealing with code that isn’t good. Networking—and the Internet—isn’t just an expansion of computing capacity. The real difference is how cheap it is to set up communications connections. Setting up these connections requires naming: both IP addresses and domain names. Security, of course, is essential for this all to work; DNSSec is a critical part of that.

The third watershed is cloud computing, or whatever you want to call the general trend of outsourcing computation. Google is a good example. Every organization uses Google search all the time, which probably makes it the most valuable intelligence stream on the planet. How can you protect yourself? You can’t, just as you can’t whenever you hand over your data for storage or processing—you just have to trust your outsourcer. There are two solutions. The first is legal: an enforceable contract that protects you and your data. The second is technical, but mostly theoretical: homomorphic encryption that allows you to outsource computation of data without having to trust that outsourcer.

Diffie’s final point is that we’re entering an era of unprecedented surveillance possibilities. It doesn’t matter if people encrypt their communications, or if they encrypt their data in storage. As long as they have to give their data to other people for processing, it will be possible to eavesdrop on. Of course the methods will change, but the result will be an enormous trove of information about everybody.

Talk #4: “Reconceptualizing Security,” me. It was similar to this essay and this video.

Posted on November 9, 2010 at 6:01 AM • View Comments

Declassified NSA Documents

It’s a long list. These items are not online; they’re at the National Archives and Records Administration in College Park, MD. You can either ask for copies by mail under FOIA (at a 75 cents per page) or come in in person. There, you can read and scan them for free, or photocopy them for about 20 cents a page.

Posted on October 25, 2010 at 6:21 AM • View Comments

NSA Publications

There is an interesting list of NSA publications in this document, pages 30–36. This document is a bunch of pages from the NSA intranet.

Posted on September 29, 2010 at 7:18 AM • View Comments

Details Removed from Book at Request of U.S. Department of Defense

From the AFP:

A publisher has agreed to remove US intelligence details from a memoir by a former army officer in Afghanistan after the Pentagon raised last-minute objections, officials said Friday.

The book, “Operation Dark Heart,” had been printed and prepared for release in August but St. Martin’s Press will now issue a revised version of the spy memoir after negotiations with the Pentagon, US and company officials said.

In an unusual step, the Defense Department has agreed to reimburse the company for the cost of the first printing, spokesman Colonel Dave Lapan told AFP.

The original manuscript “contained classified information which had not been properly reviewed” by the military and US spy agencies, he said.

St. Martin’s press will destroy copies from the first printing with Pentagon representatives observing “to ensure it’s done in accordance with our standards,” Lapan said.

The second, revised edition would be ready by the end of next week, said the author’s lawyer, Mark Zaid.

EDITED TO ADD (9/30): An analysis of the redacted material—obtained by comparing the two versions—is amusing.

Posted on September 23, 2010 at 7:19 AM • View Comments

Automatic Document Declassification

DARPA is looking for something that can automatically declassify documents :

I’ll be honest: I’m not exactly sure what kind of technological solution you can build to facilitate declassification. From the way the challenge is structured, it sounds like a semantic-search problem: Plug in keywords that help you comb through deserts of stored information in the bowels of the Pentagon and the intelligence community, and figure out whether the results of the fishing expedition can be tossed out from the depths onto dry land in accordance with declassification policies. But that’s a matter of building an algorithm, something that might be too, well, quotidian for Darpa.

Posted on September 17, 2010 at 10:15 AM • View Comments

NSA and the National Cryptologic Museum

Most people might not be aware of it, but there’s a National Cryptologic Museum at Ft. Meade, at NSA Headquarters. It’s hard to know its exact relationship with the NSA. Is it part of the NSA, or is it a separate organization? Can the NSA reclassify things in its archives? David Kahn has given his papers to the museum; is that a good idea?

A “Memorandum of Understanding (MOU) between The National Security Agency (NSA) and the National Cryptologic Museum Foundation” was recently released. It’s pretty boring, really, but it sheds some light on the relationshp between the museum and the agency.

Posted on August 5, 2010 at 6:36 AM • View Comments

The Washington Post on the U.S. Intelligence Industry

The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on).

It’s a truly excellent piece of investigative journalism. Pity people don’t care much about investigative journalism—or facts in politics, really—anymore.

EDITED TO ADD (7/25): More commentary.

EDITED TO ADD (7/26): Jay Rosen writes:

Last week, it was the Washington Post’s big series, Top Secret America, two years in the making. It reported on the massive security shadowland that has arisen since 09/11. The Post basically showed that there is no accountability, no knowledge at the center of what the system as a whole is doing, and too much “product” to make intelligent use of. We’re wasting billions upon billions of dollars on an intelligence system that does not work. It’s an explosive finding but the explosive reactions haven’t followed, not because the series didn’t do its job, but rather: the job of fixing what is broken would break the system responsible for such fixes.

The mental model on which most investigative journalism is based states that explosive revelations lead to public outcry; elites get the message and reform the system. But what if elites believe that reform is impossible because the problems are too big, the sacrifices too great, the public too distractible? What if cognitive dissonance has been insufficiently accounted for in our theories of how great journalism works…and often fails to work?

EDITED TO ADD (7/27): More.

Posted on July 23, 2010 at 12:46 PM • View Comments

Skype's Cryptography Reverse-Engineered

Someone claims to have reverse-engineered Skype’s proprietary encryption protocols, and has published pieces of it.

If the crypto is good, this is less of a big deal than you might think. Good cryptography is designed to be made public; it’s only for business reasons that it remains secret.

Posted on July 16, 2010 at 12:08 PM • View Comments

Russian Intelligence Gets Source Code to Windows 7

I don’t think this is a good idea.

Posted on July 15, 2010 at 2:32 PM • View Comments

WikiLeaks

Long, but interesting, profile of WikiLeaks’s Julian Assange from The New Yorker.

Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account.

This is only peripherally related, but Bradley Manning—an American soldier—has been arrested for leaking classified documents to WikiLeaks.

Another article from The Guardian, directly related to Manning.

EDITED TO ADD (7/13): More links.

Posted on June 24, 2010 at 1:13 PM •

←Previous 1 … 7 8 9 10 11 … 21 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.