by Bruce Schneier
Founder and CTO
BT Counterpane
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com
In this issue:
Security vs. Privacy
MySpace and U.S. Attorneys General Agree to Fight Sexual
Predators
Anti-Missile Technology on Commercial Aircraft
News
Lock-In
Hacking Power Networks
Schneier/BT Counterpane News
Mujahideen Secrets 2
TSA News
DHS Warns of Female Suicide Bombers
Giving Drivers Licenses to Illegal Immigrants
Security vs. Privacy
I'm sure they have that saying in their business. And it's precisely
why, when people in their business are in charge of government, it
becomes a police state. If privacy and security really were a zero-sum
game, we would have seen mass immigration into the former East Germany
and modern-day China. While it's true that police states like those have
less street crime, no one argues that their citizens are fundamentally
more secure.
We've been told we have to trade off security and privacy so often -- in
debates on security versus privacy, writing contests, polls, reasoned
essays and political rhetoric -- that most of us don't even question the
fundamental dichotomy.
Security and privacy are not opposite ends of a seesaw; you don't have
to accept less of one to get more of the other. Think of a door lock, a
burglar alarm and a tall fence. Think of guns, anti-counterfeiting
measures on currency and that dumb liquid ban at airports. Security
affects privacy only when it's based on identity, and there are
limitations to that sort of approach.
The debate isn't security versus privacy. It's liberty versus control.
If you set up the false dichotomy, of course people will choose security
over privacy -- especially if you scare them first. But it's still a
false dichotomy. There is no security without privacy. And liberty
requires both security and privacy. The famous quote attributed to
Benjamin Franklin reads: "Those who would give up essential liberty to
purchase a little temporary safety, deserve neither liberty nor safety."
It's also true that those who would give up privacy for security are
likely to end up with neither.
False dichotomy:
http://www.schneier.com/crypto-gram-0109a.html#8
http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70971
Related essays:
http://www.schneier.com/essay-008.html
http://www.schneier.com/essay-096.html
http://www.schneier.com/essay-036.html
http://www.schneier.com/essay-160.html
http://www.schneier.com/essay-100.html
http://www.schneier.com/essay-108.html
http://www.schneier.com/essay-163.html
http://arstechnica.com/news.ars/post/20080119-analysis-metcalfes-law-real-id-more-crime-less-safety.html
or http://tinyurl.com/23h88d
http://www.schneier.com/blog/archives/2007/09/more_on_the_ger_1.html
http://www.schneier.com/blog/archives/2007/06/portrait_of_the_1.html
http://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html
MySpace and U.S. Attorneys General Agree to Fight Sexual Predators
http://www.reuters.com/article/technology-media-telco-SP/idUSN1441132520080115
or http://tinyurl.com/28hunb
http://www.nytimes.com/2008/01/15/us/15myspace.html
http://www.huffingtonpost.com/anastasia-goodstein/myspaces-missed-opportun_b_81637.html
or http://tinyurl.com/yuyk8v
http://www.informationweek.com/blog/main/archives/2008/01/myspace_child_p.html
or http://tinyurl.com/294l9m
http://www.news.com/8301-13577_3-9850057-36.html?tag=newsmap
http://www.myfoxstl.com/myfox/pages/News/Detail?contentId=5485524&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
or http://tinyurl.com/273hxu
http://www.techliberation.com/archives/043224.php
http://www.techcrunch.com/2008/01/14/what-does-myspaces-child-protection-deal-mean-for-facebook-bebo-and-google/
or http://tinyurl.com/3ba2sd
Anti-Missile Technology on Commercial Aircraft
There have been stories previously but this time it looks like it will
actually happen. From MSNBC: "The technology is intended to stop a
missile attack by detecting heat given off from the rocket, then firing
a laser beam that jams the missile's guidance system."
I have several feelings about this. One, it's security theater against
a movie-plot threat. Two, given that that's true, attaching an empty
box to the belly of the plane and writing "Laser Anti-Missile System" on
it would be just as effective a deterrent at a fraction of the cost.
And three, how do we know that's not what they're doing?
http://www.msnbc.msn.com/id/22507209/
http://blog.wired.com/27bstroke6/2008/01/dhs-testing-thr.html
Previous stories:
http://www.schneier.com/blog/archives/2005/07/anti-missile_de.html
http://www.schneier.com/blog/archives/2006/08/antimissile_def.html
News
"The New York Times" writes about a plausible connection between fear
and heart disease.
http://www.nytimes.com/2008/01/15/science/15tier.html
In the late 1800s, fire alarm boxes were kept locked to prevent false
alarms; this exacerbated the Great Chicago Fire of 1871. Compare this
with a proposed law in New York City that will require people to get a
license before they can buy chemical, biological, or radiological attack
detectors.
http://www.schneier.com/blog/archives/2008/01/locked_fire_box.html
The Dutch RFID public transit card, which has already cost the
government $2B -- no, that's not a typo -- has been hacked even before
it has been deployed. By some students. My guess is the system was
designed by people who don't understand security, and therefore thought
it was easy.
http://www.cs.vu.nl/~ast/ov-chip-card
http://www.freedom-to-tinker.com/?p=1250
More on SmartWater:
http://www.schneier.com/blog/archives/2008/01/smartwater_work.html
A gun slips through a TSA airport checkpoint, and when the owner reports
the mistake, he's arrested. What's that supposed to teach?
http://www.cnn.com/2008/US/01/23/airport.gun/index.html
Remember the "cyberwar" in Estonia last year? When asked about it, I
generally say that it's unclear that it wasn't just kids playing
politics. The reality is even more mundane: "...the attacker...isn't a
member of the Russian military, nor is he an embittered cyber warrior in
Putin's secret service. He doesn't even live in Russia. He's an
[20-year-old] ethnic Russian who lives in Estonia, who was pissed off
over that whole statue thing."
http://blog.wired.com/27bstroke6/2008/01/we-traced-the-c.html
Data as pollution:
http://www.schneier.com/blog/archives/2008/01/data_as_polluti.html
Does the FBI know the identity of the Storm worm writers?
http://www.schneier.com/blog/archives/2008/01/fbi_knows_ident.html
Detecting nuclear weapons using the cell phone network. I'm not
convinced it's a good idea to deploy such a system, but I like the idea
of piggy-backing a nationwide sensor network on top of our already
existing cell phone infrastructure.
http://news.uns.purdue.edu/x/2008a/080122FischbachNuclear.html
I have mixed feelings about the NSA monitoring U.S. government Internet
traffic, but in general I think it's a good idea.
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html
or http://tinyurl.com/2avcq2
The DHS is paying for open source software to be scanned for security
bugs, and then fixing them. They find, on average, one security flaw
per 1,000 lines of code. And when the flaw is fixed, everyone's
security improves.
http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All
or http://tinyurl.com/2gdbst
http://www.pcworld.com/businesscenter/article/141226/open_source_security_bugs_uncovered.html
or http://tinyurl.com/yqua3t
UK's two-tier tax security system: poor security for everyone except the
rich and powerful:
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/01/26/ntax126.xml
or http://tinyurl.com/2xamfq
"The Top 5 VoIP Security Threats of 2008": a nice little list of things
to worry about.
http://www.voip-news.com/feature/top-security-threats-2008-012408/
Why does anyone think that heavily armed officers on New York City
subways is a good idea? What does it accomplish besides intimidating
innocent commuters?
http://www.nytimes.com/2008/02/02/nyregion/02machinegun.html
U.S. Customs seizing laptops at the border: if you travel abroad, this
is important:
http://www.schneier.com/blog/archives/2008/02/us_customs_seiz.html
HotPlug allows you to seize and move a computer without losing power.
http://www.wiebetech.com/products/HotPlug.php
http://www.youtube.com/watch?v=erq4TO_a3z8
http://www.youtube.com/watch?v=-G8sEYCOv-o
See also: MouseJiggler.
http://www.wiebetech.com/products/MouseJiggler.php
Lock-In
"Bricked" is the term, and Apple isn't the least bit apologetic about it.
Computer companies want more control over the products they sell you,
and they're resorting to increasingly draconian security measures to get
that control. The reasons are economic.
This increases Apple's bottom line. But the primary benefit of all this
control for Apple is that it increases lock-in. "Lock-in" is an economic
term for the difficulty of switching to a competing product. For some
products -- cola, for example -- there's no lock-in. I can drink a Coke
today and a Pepsi tomorrow: no big deal. But for other products, it's
harder.
Lock-in isn't new. It's why all gaming-console manufacturers make sure
that their game cartridges don't work on any other console, and how they
can price the consoles at a loss and make the profit up by selling
games. It's why Microsoft never wants to open up its file formats so
other applications can read them. It's why music purchased from Apple
for your iPod won't work on other brands of music players. It's why
every U.S. cell phone company fought against phone number portability.
It's why Facebook sues any company that tries to scrape its data and put
it on a competing website. It explains airline frequent flyer programs,
supermarket affinity cards and the new My Coke Rewards program.
With enough lock-in, a company can protect its market share even as it
reduces customer service, raises prices, refuses to innovate and
otherwise abuses its customer base. It should be no surprise that this
sounds like pretty much every experience you've had with IT companies:
once the industry discovered lock-in, everyone started figuring out how
to get as much of it as they can.
Economists Carl Shapiro and Hal Varian even proved that the value of a
software company is the total lock-in. Here's the logic: Assume, for
example, that you have 100 people in a company using MS Office at a cost
of $500 each. If it cost the company less than $50,000 to switch to Open
Office, they would. If it cost the company more than $50,000, Microsoft
would increase its prices.
Of course, that's not how Microsoft advertises NGSCB. The company has
positioned it as a security measure, protecting users from worms,
Trojans and other malware. But control does not equal security; and this
sort of control-based security is very difficult to get right, and
sometimes makes us more vulnerable to other threats. Perhaps this is why
Microsoft is quietly killing NGSCB -- we've gotten BitLocker, and we
might get some other security features down the line -- despite the huge
investment hardware manufacturers made when incorporating special
security hardware into their motherboards.
As for Apple and the iPhone, I don't know what they're going to do. On
the one hand, there's this analyst report that claims there are over a
million unlocked iPhones, costing Apple between $300 million and $400
million in revenue. On the other hand, Apple is planning to release a
software development kit this month, reversing its earlier restriction
and allowing third-party vendors to write iPhone applications. Apple
will attempt to keep control through a secret application key that will
be required by all "official" third-party applications, but of course
it's already been leaked.
Hacking Power Networks
The CIA unleashed a big one at a SANS conference: "On Wednesday, in New
Orleans, US Central Intelligence Agency senior analyst Tom Donahue told
a gathering of 300 US, UK, Swedish, and Dutch government officials and
engineers and security managers from electric, water, oil & gas and
other critical industry asset owners from all across North America, that
'We have information, from multiple regions outside the United States,
of cyber intrusions into utilities, followed by extortion demands. We
suspect, but cannot confirm, that some of these attackers had the
benefit of inside knowledge. We have information that cyber attacks have
been used to disrupt power equipment in several regions outside the
United States. In at least one case, the disruption caused a power
outage affecting multiple cities. We do not know who executed these
attacks or why, but all involved intrusions through the Internet.'"
SANS's Alan Paller is happy to add details. From Forbes.com: "In the
past two years, hackers have in fact successfully penetrated and
extorted multiple utility companies that use SCADA systems, says Alan
Paller, director of the SANS Institute, an organization that hosts a
crisis center for hacked companies. 'Hundreds of millions of dollars
have been extorted, and possibly more. It's difficult to know, because
they pay to keep it a secret,' Paller says. 'This kind of extortion is
the biggest untold story of the cybercrime industry.'"
More rumor from ibls.com: "An attendee of the meeting said that the
attack was not well-known through the industry and came as a surprise to
many there. Said the person who asked to remain anonymous, 'There were
apparently a couple of incidents where extortionists cut off power to
several cities using some sort of attack on the power grid, and it does
not appear to be a physical attack.'"
"It is difficult to track the sources of such attacks, because they are
usually made by people who have disguised themselves by worming into
three or four other computer networks, Logan said. He said he thinks the
attacks were launched from computers belonging to foreign governments or
militaries, not terrorist groups."
I'm more than a bit skeptical here. To be sure -- fake staged attacks
aside -- there are serious risks to SCADA systems (Ganesh Devarajan gave
a talk at DefCon this year about some potential attack vectors),
although at this point I think they're more a future threat than present
danger. But this CIA tidbit tells us nothing about how the attacks
happened. Were they against SCADA systems? Were they against
general-purpose computers, maybe Windows machines? Insiders may have
been involved, so was this a computer security vulnerability at all? We
have no idea.
And Wikipedia has a list of power outages. Which ones were hacker
caused? Some details would be nice.
News articles:
http://www.engadget.com/2008/01/19/hackers-reportedly-targeting-cities-power-systems/
or http://tinyurl.com/35jlap
http://www.forbes.com/2008/01/18/cyber-attack-utilities-tech-intel-cx_ag_0118attack.html
or http://tinyurl.com/344t3w
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1963
or http://tinyurl.com/ypo8fz
http://www.informationweek.com/news/showArticle.jhtml?articleID=205901631
or http://tinyurl.com/34r575
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/18/AR2008011803277.html
or http://tinyurl.com/2dd3lv
http://www.pcworld.com/article/id,141564-c,hackers/article.html
http://www.forbes.com/2008/01/18/cyber-attack-utilities-tech-intel-cx_ag_0118attack.html
or http://tinyurl.com/344t3w
http://it.slashdot.org/article.pl?sid=08/01/19/0138209
DefCon talk:
http://www.defcon.org/html/defcon-15/dc-15-speakers.html#Devarajan
Mujahideen Secrets 2
No one has explained why a terrorist would use this instead of PGP --
perhaps they simply don't trust anything coming from a U.S. company.
But honestly, this isn't a big deal at all: strong encryption software
has been around for over fifteen years now, either cheap or free. And
the NSA probably breaks most of the stuff by guessing the password,
anyway. Unless the whole program is an NSA plant, that is.
My question: the articles claim that the program uses several encryption
algorithms, including RSA and AES. Does it use Blowfish or Twofish?
http://www.networkworld.com/news/2008/020108-al-qaeda-encryption.html
http://www.networkworld.com/news/2008/012308-al-qaeda-encryption-security.html
or http://tinyurl.com/2g3lju
http://www.techworld.com/security/features/index.cfm?featureID=3950&pagtype=all
or http://tinyurl.com/22rwdf
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9058619&intsrc=hm_topic
or http://tinyurl.com/ypzpuo
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060939
or http://tinyurl.com/2cf9nu
http://www2.csoonline.com/exclusives/column.html?CID=33516
http://blogs.csoonline.com/a_gift_from_the_islamic_faithful_network_mujahedeen_secrets_2_program
or http://tinyurl.com/3dn7ja
http://www.informationweek.com/internet/showArticle.jhtml?articleID=205918296
or http://tinyurl.com/yv34um
Me on PGP:
http://www.schneier.com/essay-199.html
Me on password guessing:
http://www.schneier.com/essay-148.html
TSA News
The TSA is checking IDs more carefully, looking for forgeries: "More
than 40 passengers have been arrested since June in cases when TSA
screeners spotted altered passports, fraudulent visas and resident ID
cards, and forged driver's licenses. Many of them were arrested on
immigration charges." ID checks have nothing to do with airport
security. And even if they did, anyone can fly on a fake ID. And
enforcing immigration laws is not what the TSA does.
http://www.usatoday.com/news/nation/2008-01-20-blacklights_N.htm?csp=34
Read this from the TSA's website: "We screen every passenger; we screen
every bag so that your memories are from where you went, not how you got
there. We're here to help your travel plans be smooth and stress free.
Please take a moment to become familiar with some of our security
measures. Doing so now will help save you time once you arrive at the
airport." I know they don't mean it that way, but doesn't it sound
like it's saying "We know it doesn't help, but it might make you feel
better"?
http://www.tsa.gov/travelers/airtravel/index.shtm
I have no idea why Kip Hawley is surprised that the TSA is as unpopular
with Americans as the IRS.
http://www.theaviationnation.com/2007/12/30/tsa-leaked-memo-reveals-frustrated-chiefs/
or http://tinyurl.com/yr3rwy
DHS Warns of Female Suicide Bombers
Photo caption: "Female suicide bombers can use devices to make them
appear pregnant, a security assessment says."
http://edition.cnn.com/2008/US/02/12/suicide.bombers/index.html
Giving Drivers Licenses to Illegal Immigrants
Some states have considered a tiered license system, one that explicitly
lists immigration status on the licenses. Of course, this won't work
either. Illegal immigrants are far more likely to take their chances
being caught than admit their immigration status to the DMV.
Whether it's the DHS trying to protect the nation from terrorism, or
local, state and national law enforcement trying to protect the nation
from crime, we are all safer if we encourage every adult in America to
get a driver's license.
http://www.schneier.com/blog