
CRYPTO-GRAM

February 15, 2008

by Bruce Schneier
Founder and CTO
BT Counterpane
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0802.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
Security vs. Privacy
MySpace and U.S. Attorneys General Agree to Fight Sexual Predators
Anti-Missile Technology on Commercial Aircraft
News
Lock-In
Hacking Power Networks
Schneier/BT Counterpane News
Mujahideen Secrets 2
TSA News
DHS Warns of Female Suicide Bombers
Giving Drivers Licenses to Illegal Immigrants

** *** ***** ******* *********** *************

Security vs. Privacy

If there's a debate that sums up post-9/11 politics, it's security
versus privacy. Which is more important? How much privacy are you
willing to give up for security? Can we even afford privacy in this age
of insecurity? Security versus privacy: It's the battle of the century,
or at least its first decade.

In a Jan. 21 "New Yorker" article, Director of National Intelligence
Michael McConnell discusses a proposed plan to monitor all -- that's
right, *all* -- Internet communications for security purposes, an idea
so extreme that the word "Orwellian" feels too mild.

The article contains this passage: "In order for cyberspace to be
policed, Internet activity will have to be closely monitored. Ed
Giorgio, who is working with McConnell on the plan, said that would mean
giving the government the authority to examine the content of any
e-mail, file transfer or Web search. 'Google has records that could help
in a cyber-investigation,' he said. Giorgio warned me, 'We have a saying
in this business: "Privacy and security are a zero-sum game."'"

I'm sure they have that saying in their business. And it's precisely
why, when people in their business are in charge of government, it
becomes a police state. If privacy and security really were a zero-sum
game, we would have seen mass immigration into the former East Germany
and modern-day China. While it's true that police states like those have
less street crime, no one argues that their citizens are fundamentally
more secure.

We've been told we have to trade off security and privacy so often -- in
debates on security versus privacy, writing contests, polls, reasoned
essays and political rhetoric -- that most of us don't even question the
fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have
to accept less of one to get more of the other. Think of a door lock, a
burglar alarm and a tall fence. Think of guns, anti-counterfeiting
measures on currency and that dumb liquid ban at airports. Security
affects privacy only when it's based on identity, and there are
limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline
security: reinforcing the cockpit doors, passengers realizing they have
to fight back, and -- possibly -- sky marshals. Everything else -- all
the security measures that affect privacy -- is just security theater
and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're
seeing -- national ID cards, warrantless eavesdropping, massive data
mining, and so on -- do little to improve, and in some cases harm,
security. And government claims of their success are either wrong, or
against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

You can see it in comments by government officials: "Privacy no longer
can mean anonymity," says Donald Kerr, principal deputy director of
national intelligence. "Instead, it should mean that government and
businesses properly safeguard people's private communications and
financial information." Did you catch that? You're expected to give up
control of your privacy to others, who -- presumably -- get to decide
how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to
29 percent in a recent poll. Even if you don't subscribe to Maslow's
hierarchy of needs, it's obvious that security is more important.
Security is vital to survival, not just of people but of every living
thing. Privacy is unique to humans, but it's a social need. It's vital
to personal dignity, to family life, to society -- to what makes us
uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security
over privacy -- especially if you scare them first. But it's still a
false dichotomy. There is no security without privacy. And liberty
requires both security and privacy. The famous quote attributed to
Benjamin Franklin reads: "Those who would give up essential liberty to
purchase a little temporary safety, deserve neither liberty nor safety."
It's also true that those who would give up privacy for security are
likely to end up with neither.

McConnell article from "New Yorker":
http://www.newyorker.com/reporting/2008/01/21/080121fa_fact_wright
http://arstechnica.com/news.ars/post/20080117-us-intel-chief-wants-carte-blanche-to-peep-all-net-traffic.html
or http://tinyurl.com/2xkwvu
http://blog.wired.com/27bstroke6/2008/01/feds-must-exami.html

Trading off security and privacy:
http://www.huffingtonpost.com/ka-taipale/privacy-vs-security-se_b_71785.html
or http://tinyurl.com/2gdqbn
http://www.huffingtonpost.com/marc-rotenberg/privacy-vs-security-pr_b_71806.html
or http://tinyurl.com/2hozm8
http://findarticles.com/p/articles/mi_m0GER/is_2002_Winter/ai_97116472/pg_1
or http://tinyurl.com/2yk23v
http://www.rasmussenreports.com/public_content/politics/current_events/general_current_events/51_say_security_more_important_than_privacy
or http://tinyurl.com/ypcen8
http://www.scu.edu/ethics/publications/briefings/privacy.html
http://www.csmonitor.com/2002/1015/p11s02-coop.html

False dichotomy:
http://www.schneier.com/crypto-gram-0109a.html#8
http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70971

Donald Kerr's comments:
http://www.schneier.com/blog/archives/2007/11/redefining_priv.html

Related essays:
http://www.schneier.com/essay-008.html
http://www.schneier.com/essay-096.html
http://www.schneier.com/essay-036.html
http://www.schneier.com/essay-160.html
http://www.schneier.com/essay-100.html
http://www.schneier.com/essay-108.html
http://www.schneier.com/essay-163.html
http://arstechnica.com/news.ars/post/20080119-analysis-metcalfes-law-real-id-more-crime-less-safety.html
or http://tinyurl.com/23h88d
http://www.schneier.com/blog/archives/2007/09/more_on_the_ger_1.html
http://www.schneier.com/blog/archives/2007/06/portrait_of_the_1.html
http://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html

This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124
or http://tinyurl.com/yr98nf

** *** ***** ******* *********** *************

MySpace and U.S. Attorneys General Agree to Fight Sexual Predators

MySpace has reached an agreement with the attorneys general of 49 states
-- Texas sat out -- to protect children from sexual predators on the site.

The attorneys general are all congratulating themselves, as is MySpace
-- and there's a lot of commentary out there. To me, this all seems
like much ado about nothing.

The measures won't do anything to stop child predators on MySpace. But
on the other hand, there isn't really any problem with child predators
-- just a tiny handful of highly publicized stories -- on MySpace. It's
just security theater against a movie-plot threat. But we humans have a
well-established cognitive bias that overestimates threats against our
children, so it all makes sense.

http://www.reuters.com/article/technology-media-telco-SP/idUSN1441132520080115
or http://tinyurl.com/28hunb
http://www.nytimes.com/2008/01/15/us/15myspace.html
http://www.huffingtonpost.com/anastasia-goodstein/myspaces-missed-opportun_b_81637.html
or http://tinyurl.com/yuyk8v
http://www.informationweek.com/blog/main/archives/2008/01/myspace_child_p.html
or http://tinyurl.com/294l9m
http://www.news.com/8301-13577_3-9850057-36.html?tag=newsmap
http://www.myfoxstl.com/myfox/pages/News/Detail?contentId=5485524&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
or http://tinyurl.com/273hxu
http://www.techliberation.com/archives/043224.php
http://www.techcrunch.com/2008/01/14/what-does-myspaces-child-protection-deal-mean-for-facebook-bebo-and-google/
or http://tinyurl.com/3ba2sd

Details of the measures:
http://ago.mo.gov/newsreleases/2008/pdf/MySpace-JointStatement0108.pdf

** *** ***** ******* *********** *************

Anti-Missile Technology on Commercial Aircraft

There have been stories previously but this time it looks like it will
actually happen. From MSNBC: "The technology is intended to stop a
missile attack by detecting heat given off from the rocket, then firing
a laser beam that jams the missile's guidance system."

I have several feelings about this. One, it's security theater against
a movie-plot threat. Two, given that that's true, attaching an empty
box to the belly of the plane and writing "Laser Anti-Missile System" on
it would be just as effective a deterrent at a fraction of the cost.
And three, how do we know that's not what they're doing?
http://www.msnbc.msn.com/id/22507209/
http://blog.wired.com/27bstroke6/2008/01/dhs-testing-thr.html

Previous stories:
http://www.schneier.com/blog/archives/2005/07/anti-missile_de.html
http://www.schneier.com/blog/archives/2006/08/antimissile_def.html

Blog entry URL:
http://www.schneier.com/blog/archives/2008/01/antimissile_tec.html

** *** ***** ******* *********** *************

News

Social-engineering bank robberies in the DC area:
http://www.schneier.com/blog/archives/2008/01/socialengineeri.html

This is a good article on a new trend in corporate spying: companies
like Wal-Mart and Sears have resorted to covert surveillance of
employees, partners, journalists, and even Internet users to protect
themselves from "global threats."
http://www.ciozone.com/index.php/Management/Wal-Mart-Spying-Good-Bad-Or-Just-The-Wave-Of-The-Futureu.html
or http://tinyurl.com/24pud9

Rudy Giuliani on terrorism security:
http://www.city-journal.org/2008/18_1_homeland_security.html
http://padraic2112.wordpress.com/2008/01/17/why-rudy-giuliani-should-not-be-the-next-president-part-i/
http://padraic2112.wordpress.com/2008/01/18/why-rudy-giuliani-should-not-be-the-next-president-part-ii/
or http://tinyurl.com/23vzpc

"The New York Times" writes about a plausible connection between fear
and heart disease.
http://www.nytimes.com/2008/01/15/science/15tier.html

A 14-year-old modified a TV remote control to switch trains on tracks in
the Polish city of Lodz. The lesson here is that security by obscurity,
combined with physical security of the equipment, wasn't enough. This
kid jumped whatever fences there were, and reverse-engineered the IR
control protocol. Then he was able to play "trains" with real trains.
http://www.theregister.co.uk/2008/01/11/tram_hack/
http://www.cs.columbia.edu/~smb/blog/2008-01/2008-01-11.html
http://www.telegraph.co.uk/news/main.jhtml;jsessionid=Y5X3DLZOSFSAPQFIQMFSFFOAVCBQ0IV0?xml=/news/2008/01/11/wschool111.xml
or http://tinyurl.com/3af8uh

In the late 1800s, fire alarm boxes were kept locked to prevent false
alarms; this exacerbated the Great Chicago Fire of 1871. Compare this
with a proposed law in New York City that will require people to get a
license before they can buy chemical, biological, or radiological attack
detectors.
http://www.schneier.com/blog/archives/2008/01/locked_fire_box.html

The Dutch RFID public transit card, which has already cost the
government $2B -- no, that's not a typo -- has been hacked even before
it has been deployed. By some students. My guess is the system was
designed by people who don't understand security, and therefore thought
it was easy.
http://www.cs.vu.nl/~ast/ov-chip-card
http://www.freedom-to-tinker.com/?p=1250

More on SmartWater:
http://www.schneier.com/blog/archives/2008/01/smartwater_work.html

Combined taser and MP3 player. Not a joke, apparently.
http://www.guardian.co.uk/business/2008/jan/08/technology.gadgets

I have absolutely no doubt that there will be security flaws in remotely
controllable thermostats, allowing hackers to seize control of them. Do
this on a too-hot day, and you might even cause a large blackout.
http://www.nytimes.com/2008/01/11/us/11control.html?ex=1357707600&en=608b7b5bb2921934&ei=5088
or http://tinyurl.com/2f8cqs
The proposal has been withdrawn:
http://www.energy.ca.gov/title24/2008standards/faq.html
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/17/BARNUGIKF.DTL
or http://tinyurl.com/yp6ft7

Unshredding documents with software. The context is shredded and torn
East German Stasi documents, but the technology is more general.
http://www.wired.com/politics/security/magazine/16-02/ff_stasi?currentPage=all
or http://tinyurl.com/38talc

Fear-mongering story about non-Muslims being recruited as terrorists in
the UK.
http://www.schneier.com/blog/archives/2008/01/al_qaeda_recrui.html

A gun slips through a TSA airport checkpoint, and when the owner reports
the mistake, he's arrested. What's that supposed to teach?
http://www.cnn.com/2008/US/01/23/airport.gun/index.html

Continuing battles in the War on the Unexpected:
A suitcase in New Zealand.
http://www.stuff.co.nz//4366917a11.html
An American photographing all 50 state capitols.
http://www.nytimes.com/2008/01/20/arts/design/20shat.html
Offshore oil rig evacuated after someone dreamed of a bomb.
http://news.scotsman.com/scotland/Rig-worker39s-39dream39-sparked-bomb.3763123.jp
http://www.timesonline.co.uk/tol/news/uk/article3346196.ece
http://www.guardian.co.uk/uk/2008/feb/11/uksecurityandterrorism
http://www.metro.co.uk/news/article.html?in_article_id=98289&in_page_id=34
Sheridan College under lock-down because someone notices a tripod.
http://video.msn.com/?mkt=en-ca&brand=sympatico&fg=rss&vid=1e18560e-eab4-4cd7-a1e3-d2e45e2f465f&from=37
http://blogto.com/city/2008/02/tripod_prompts_lockdown_at_sheridan_college/
http://www1.sheridaninstitute.ca/corporate/news/2008/post_lockdown.cfm
Man arrested for possession of an MP3 player.
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=513875&in_page_id=1770

An update on cameras in the New York City subways:
http://blog.wired.com/defense/2008/01/nycs-subway-spy.html

The ethics of autonomous military robots:
http://www.cc.gatech.edu/ai/robot-lab/online-publications/formalizationv35.pdf

Remember the "cyberwar" in Estonia last year? When asked about it, I
generally say that it's unclear that it wasn't just kids playing
politics. The reality is even more mundane: "...the attacker...isn't a
member of the Russian military, nor is he an embittered cyber warrior in
Putin's secret service. He doesn't even live in Russia. He's an
[20-year-old] ethnic Russian who lives in Estonia, who was pissed off
over that whole statue thing."
http://blog.wired.com/27bstroke6/2008/01/we-traced-the-c.html

Two Ethiopian cabin cleaners were found hiding in the ceiling of an
aircraft after it landed at Dulles. Presumably they were allowed on the
plane at Addis Ababa, but no one checked to make sure they got off.
http://www.wusa9.com/news/local/story.aspx?storyid=67662

Interesting article on terrorist tradecraft:
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/04/AR2008010403573_pf.html

Data as pollution:
http://www.schneier.com/blog/archives/2008/01/data_as_polluti.html

Does the FBI know the identity of the Storm worm writers?
http://www.schneier.com/blog/archives/2008/01/fbi_knows_ident.html

"Psychology Today" on risk assessment and why we're so bad at it:
http://www.psychologytoday.com/articles/pto-20071228-000005.html

A leaked document shows the UK government has plans to coerce its
citizens into a national ID database.
http://www.boingboing.net/2008/01/29/leaked-uk-govt-doc-r.html
http://craphound.com/NIS_Options_Analysis_Outcome.pdf

Bavarian government wants to intercept Skype calls:
http://wikileaks.org/wiki/Bavarian_trojan_for_non-germans
http://www.boingboing.net/2008/01/26/german-govt-caught-b.html

Detecting nuclear weapons using the cell phone network. I'm not
convinced it's a good idea to deploy such a system, but I like the idea
of piggy-backing a nationwide sensor network on top of our already
existing cell phone infrastructure.
http://news.uns.purdue.edu/x/2008a/080122FischbachNuclear.html

Think Illegal Downloading Is Free?
http://www.flickr.com/photos/68708714@N00/2219282175/sizes/l/

I have mixed feelings about the NSA monitoring U.S. government Internet
traffic, but in general I think it's a good idea.
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html
or http://tinyurl.com/2avcq2

Little people are hiding in luggage on Swedish buses, and stealing
things while the bags are in the cargo holds. Weird, but clever.
http://www.theregister.co.uk/2008/01/23/dwarf_coach_robberies/

The DHS is paying for open source software to be scanned for security
bugs, and then fixing them. They find, on average, one security flaw
per 1,000 lines of code. And when the flaw is fixed, everyone's
security improves.
http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All
or http://tinyurl.com/2gdbst
http://www.pcworld.com/businesscenter/article/141226/open_source_security_bugs_uncovered.html
or http://tinyurl.com/yqua3t

UK's two-tier tax security system: poor security for everyone except the
rich and powerful:
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/01/26/ntax126.xml
or http://tinyurl.com/2xamfq

Undersea cable failures in the Middle East. What's going on?
http://www.schneier.com/blog/archives/2008/02/fourth_undersea.html

"The Top 5 VoIP Security Threats of 2008": a nice little list of things
to worry about.
http://www.voip-news.com/feature/top-security-threats-2008-012408/

Criminals are using cloned trucks to bypass security:
http://abcnews.go.com/Blotter/story?id=4156618&page=1
This is the same problem as fake uniforms, and the more general problem
of fake credentials. It's very hard to solve.
http://www.schneier.com/blog/archives/2007/10/photo_id_requir_1.html
http://www.schneier.com/blog/archives/2006/01/forged_credenti.html

Here's someone who puts on a red shirt and pretends to be a Target
employee so he can steal stuff:
http://cbs4.com/local/target.fake.clerk.2.645377.html

Why does anyone think that heavily armed officers on New York City
subways is a good idea? What does it accomplish besides intimidating
innocent commuters?
http://www.nytimes.com/2008/02/02/nyregion/02machinegun.html

Recently the Associated Press obtained hundreds of pages of documents
related to the 2006 "Cyber Storm" exercise. Most interesting is the
part where the participants attacked the game computers and pissed the
referees off.
http://www.siliconvalley.com/security/ci_8126437
http://news.wired.com/dynamic/stories/C/CYBER_STORM?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2008-01-31-07-38-13
or http://tinyurl.com/3a4ffs
Cyber Storm report:
http://www.dhs.gov/xlibrary/assets/prep_cyberstormreport_sep06.pdf

"The Onion" on Terror: "We must all do whatever we can to preserve
America by refocusing our priorities back on the contemplation of lethal
threats -- invisible nightmarish forces plotting to destroy us in a
number of horrific ways. It is only through the vigilance and
determination of every patriot that we can maintain the sense of total
dread vital to the prolonged existence of a thriving, quivering America."
http://www.theonion.com/content/opinion/we_must_all_do_our_part_to?utm_source=onion_rss_daily
or http://tinyurl.com/23l3rj

Improvements in face recognition:
http://www.schneier.com/blog/archives/2008/02/improvements_in.html

Interesting speculation from Nicholas Weaver on how the MPAA might
enforce copyright on the Internet:
http://nweaver.blogspot.com/2008/01/security-thought-at-copyright-fighting.html
or http://tinyurl.com/2gmp8z
http://www.nnsquad.org/archives/nnsquad/msg00439.html

U.S. Customs seizing laptops at the border: if you travel abroad, this
is important:
http://www.schneier.com/blog/archives/2008/02/us_customs_seiz.html

Canon has filed a patent on embedding an iris scan of the photographer
in the metadata of photographs, presumably secured with a digital signature.
http://www.photographybay.com/2008/02/09/canon-iris-registration-watermark/

Cryptographer Stefan Brands has a new company, Credentica, that allows
people to disclose personal information while maintaining privacy and
minimizing the threat of identity theft.
http://www.credentica.com/
http://www.wired.com/politics/security/news/2008/02/credentica
I know Stefan; he's good. The cryptography behind this system is almost
certainly impeccable. I like systems like this, and I want them to
succeed. I just don't see a viable business model. I'd like to be
proven wrong.

HotPlug allows you to seize and move a computer without losing power.
http://www.wiebetech.com/products/HotPlug.php
http://www.youtube.com/watch?v=erq4TO_a3z8
http://www.youtube.com/watch?v=-G8sEYCOv-o
See also: MouseJiggler.
http://www.wiebetech.com/products/MouseJiggler.php

DHS in "The Onion." Funny.
http://www.theonion.com/content/news/dept_of_homeland_security_has

** *** ***** ******* *********** *************

Lock-In

Buying an iPhone isn't the same as buying a car or a toaster. Your
iPhone comes with a complicated list of rules about what you can and
can't do with it. You can't install unapproved third-party applications
on it. You can't unlock it and use it with the cell phone carrier of
your choice. And Apple is serious about these rules: a software update
released in September 2007 erased unauthorized software and -- in some
cases -- rendered unlocked phones unusable.

"Bricked" is the term, and Apple isn't the least bit apologetic about it.

Computer companies want more control over the products they sell you,
and they're resorting to increasingly draconian security measures to get
that control. The reasons are economic.

Control allows a company to limit competition for ancillary products.
With Mac computers, anyone can sell software that does anything. But
Apple gets to decide who can sell what on the iPhone. It can foster
competition when it wants, and reserve itself a monopoly position when
it wants. And it can dictate terms to any company that wants to sell
iPhone software and accessories.

This increases Apple's bottom line. But the primary benefit of all this
control for Apple is that it increases lock-in. "Lock-in" is an economic
term for the difficulty of switching to a competing product. For some
products -- cola, for example -- there's no lock-in. I can drink a Coke
today and a Pepsi tomorrow: no big deal. But for other products, it's
harder.

Switching word processors, for example, requires installing a new
application, learning a new interface and a new set of commands,
converting all the files (which may not convert cleanly) and custom
software (which will certainly require rewriting), and possibly even
buying new hardware. If Coke stops satisfying me for even a moment, I'll
switch: something Coke learned the hard way in 1985 when it changed the
formula and started marketing New Coke. But my word processor has to
really piss me off for a good long time before I'll even consider going
through all that work and expense.

Lock-in isn't new. It's why all gaming-console manufacturers make sure
that their game cartridges don't work on any other console, and how they
can price the consoles at a loss and make the profit up by selling
games. It's why Microsoft never wants to open up its file formats so
other applications can read them. It's why music purchased from Apple
for your iPod won't work on other brands of music players. It's why
every U.S. cell phone company fought against phone number portability.
It's why Facebook sues any company that tries to scrape its data and put
it on a competing website. It explains airline frequent flyer programs,
supermarket affinity cards and the new My Coke Rewards program.

With enough lock-in, a company can protect its market share even as it
reduces customer service, raises prices, refuses to innovate and
otherwise abuses its customer base. It should be no surprise that this
sounds like pretty much every experience you've had with IT companies:
once the industry discovered lock-in, everyone started figuring out how
to get as much of it as they can.

Economists Carl Shapiro and Hal Varian even proved that the value of a
software company is the total lock-in. Here's the logic: Assume, for
example, that you have 100 people in a company using MS Office at a cost
of $500 each. If it cost the company less than $50,000 to switch to Open
Office, they would. If it cost the company more than $50,000, Microsoft
would increase its prices.

Mostly, companies increase their lock-in through security mechanisms.
Sometimes patents preserve lock-in, but more often it's copy protection,
digital rights management (DRM), code signing or other security
mechanisms. These security features aren't what we normally think of as
security: They don't protect us from some outside threat, they protect
the companies from *us*.

Microsoft has been planning this sort of control-based security
mechanism for years. First called Palladium and now NGSCB
(Next-Generation Secure Computing Base), the idea is to build a
control-based security system into the computing hardware. The details
are complicated, but the results range from only allowing a computer to
boot from an authorized copy of the OS to prohibiting the user from
accessing "unauthorized" files or running unauthorized software. The
competitive benefits to Microsoft are enormous.

Of course, that's not how Microsoft advertises NGSCB. The company has
positioned it as a security measure, protecting users from worms,
Trojans and other malware. But control does not equal security; and this
sort of control-based security is very difficult to get right, and
sometimes makes us more vulnerable to other threats. Perhaps this is why
Microsoft is quietly killing NGSCB -- we've gotten BitLocker, and we
might get some other security features down the line -- despite the huge
investment hardware manufacturers made when incorporating special
security hardware into their motherboards.

Earlier in this issue of Crypto-Gram, I talked about the
security-versus-privacy debate, and how it's actually a debate about
liberty versus control. Here we see the same dynamic, but in a
commercial setting. By confusing control and security, companies are
able to force control measures that work against our interests by
convincing us they are doing it for our own safety.

As for Apple and the iPhone, I don't know what they're going to do. On
the one hand, there's this analyst report that claims there are over a
million unlocked iPhones, costing Apple between $300 million and $400
million in revenue. On the other hand, Apple is planning to release a
software development kit this month, reversing its earlier restriction
and allowing third-party vendors to write iPhone applications. Apple
will attempt to keep control through a secret application key that will
be required by all "official" third-party applications, but of course
it's already been leaked.

And the security arms race goes on...

Apple and the iPhone:
http://www.nytimes.com/2007/09/29/technology/29iphone.html
http://www.bloomberg.com/apps/news?pid=20601087&sid=aWmgi08ZjbpM
http://www.engadget.com/2007/10/17/apple-planning-iphone-sdk-for-february/
or http://tinyurl.com/yvx5hr
http://www.engadget.com/2008/01/28/iphone-sdk-key-leaked/

Shapiro and Varian's book:
http://www.amazon.com/Information-Rules-Strategic-Network-Economy/dp/087584863X/ref=sr_1_1?ie=UTF8&s=books&qid=1202236504&sr=1-1
or http://tinyurl.com/2eo23e

Microsoft and Trusted Computing:
http://schneier.com/crypto-gram-0208.html#1
http://www.cl.cam.ac.uk/~rja14/Papers/tcpa.pdf
http://www.microsoft.com/technet/archive/security/news/ngscb.mspx
http://www.schneier.com/blog/archives/2005/08/trusted_computi.html
Commentary:
http://yro.slashdot.org/yro/08/02/07/2138201.shtml
http://stumble.kapowaz.net/post/25792347
http://www.kryogenix.org/days/2008/02/08/there-can-be-no-fud
http://girtby.net/archives/2008/2/8/vendor-lock-in

This essay previously appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/02/securitymatters_0207
or http://tinyurl.com/2mf82q

** *** ***** ******* *********** *************

Hacking Power Networks

The CIA unleashed a big one at a SANS conference: "On Wednesday, in New
Orleans, US Central Intelligence Agency senior analyst Tom Donahue told
a gathering of 300 US, UK, Swedish, and Dutch government officials and
engineers and security managers from electric, water, oil & gas and
other critical industry asset owners from all across North America, that
'We have information, from multiple regions outside the United States,
of cyber intrusions into utilities, followed by extortion demands. We
suspect, but cannot confirm, that some of these attackers had the
benefit of inside knowledge. We have information that cyber attacks have
been used to disrupt power equipment in several regions outside the
United States. In at least one case, the disruption caused a power
outage affecting multiple cities. We do not know who executed these
attacks or why, but all involved intrusions through the Internet.'

"According to Mr. Donahue, the CIA actively and thoroughly considered
the benefits and risks of making this information public, and came down
on the side of disclosure."

I'll bet. There's nothing like a vague unsubstantiated rumor to
forestall reasoned discussion. But, of course, everyone is writing
about it anyway.

SANS's Alan Paller is happy to add details. From Forbes.com: "In the
past two years, hackers have in fact successfully penetrated and
extorted multiple utility companies that use SCADA systems, says Alan
Paller, director of the SANS Institute, an organization that hosts a
crisis center for hacked companies. 'Hundreds of millions of dollars
have been extorted, and possibly more. It's difficult to know, because
they pay to keep it a secret,' Paller says. 'This kind of extortion is
the biggest untold story of the cybercrime industry.'"

And to up the fear factor. "Information Week": "The prospect of
cyberattacks crippling multicity regions appears to have prompted the
government to make this information public. The issue 'went from "we
should be concerned about to this" to "this is something we should fix
now,"' said Paller. 'That's why, I think, the government decided to
disclose this.'"

More rumor from ibls.com: "An attendee of the meeting said that the
attack was not well-known through the industry and came as a surprise to
many there. Said the person who asked to remain anonymous, 'There were
apparently a couple of incidents where extortionists cut off power to
several cities using some sort of attack on the power grid, and it does
not appear to be a physical attack.'"

And more hyperbole from someone in the industry in "The Washington
Post": "Over the past year to 18 months, there has been 'a huge
increase in focused attacks on our national infrastructure networks,
. . . and they have been coming from outside the United States,' said Ralph
Logan, principal of the Logan Group, a cybersecurity firm.

"It is difficult to track the sources of such attacks, because they are
usually made by people who have disguised themselves by worming into
three or four other computer networks, Logan said. He said he thinks the
attacks were launched from computers belonging to foreign governments or
militaries, not terrorist groups."

I'm more than a bit skeptical here. To be sure -- fake staged attacks
aside -- there are serious risks to SCADA systems (Ganesh Devarajan gave
a talk at DefCon this year about some potential attack vectors),
although at this point I think they're more a future threat than present
danger. But this CIA tidbit tells us nothing about how the attacks
happened. Were they against SCADA systems? Were they against
general-purpose computers, maybe Windows machines? Insiders may have
been involved, so was this a computer security vulnerability at all? We
have no idea.

Cyber-extortion is certainly on the rise; we see it at Counterpane.
Primarily it's against fringe industries -- online gambling, online
gaming, online porn -- operating offshore in countries like Bermuda and
the Cayman Islands. It is going mainstream, but this is the first I've
heard of it targeting power companies. Certainly possible, but is that
part of the CIA rumor or was it tacked on afterwards?

And Wikipedia has a list of power outages. Which ones were hacker
caused? Some details would be nice.

I'd like a little bit more information before I start panicking.

Quote from SANS:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=5

News articles:
http://www.engadget.com/2008/01/19/hackers-reportedly-targeting-cities-power-systems/
or http://tinyurl.com/35jlap
http://www.forbes.com/2008/01/18/cyber-attack-utilities-tech-intel-cx_ag_0118attack.html
or http://tinyurl.com/344t3w
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1963
or http://tinyurl.com/ypo8fz
http://www.informationweek.com/news/showArticle.jhtml?articleID=205901631
or http://tinyurl.com/34r575
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/18/AR2008011803277.html
or http://tinyurl.com/2dd3lv
http://www.pcworld.com/article/id,141564-c,hackers/article.html
http://it.slashdot.org/article.pl?sid=08/01/19/0138209

Fake staged SCADA attack:
http://www.schneier.com/blog/archives/2007/10/staged_attack_c.html

DefCon talk:
http://www.defcon.org/html/defcon-15/dc-15-speakers.html#Devarajan

Wikipedia list of power outages:
http://en.wikipedia.org/wiki/List_of_power_outages

** *** ***** ******* *********** *************

Schneier/BT Counterpane News

An interview with Schneier:
http://searchsecurity.techtarget.com.au/topics/article.asp?DocID=1283751
or http://tinyurl.com/2aj9jw

Schneier given the Norbert Wiener Award by the Computer Professionals
for Social Responsibility:
http://www.cpsr.org/news/press/wiener2008

Schneier gave the keynote talk at Linux.conf.au.
Article on the talk:
http://www.itnews.com.au/News/69146,information-is-our-only-security-weapon-bruce-schneier.aspx
or http://tinyurl.com/387yyn
Video of the talk:
http://linux.conf.au/programme/presentations
http://mirror.linux.org.au/pub/linux.conf.au/2008/Wed/mel8-305.ogg
http://mirror.linux.org.au/pub/linux.conf.au/2008/Wed/mel8-305.spx
Q&A afterwards:
http://www.itwire.com/content/view/16422/1090/

** *** ***** ******* *********** *************

Mujahideen Secrets 2

Mujahideen Secrets 2 is a new version of an encryption tool, ostensibly
written to help Al Qaeda members encrypt secrets as they communicate on
the Internet.

A bunch of sites have covered this story, and a couple of security
researchers are quoted in the various articles. But quotes like this
from "Computerworld" make you wonder if they have any idea what they're
talking about: "Mujahideen Secrets 2 is a very compelling piece of
software, from an encryption perspective, according to Henry. He said
the new tool is easy to use and provides 2,048-bit encryption, an
improvement over the 256-bit AES encryption supported in the original
version."

No one has explained why a terrorist would use this instead of PGP --
perhaps they simply don't trust anything coming from a U.S. company.
But honestly, this isn't a big deal at all: strong encryption software
has been around for over fifteen years now, either cheap or free. And
the NSA probably breaks most of the stuff by guessing the password,
anyway. Unless the whole program is an NSA plant, that is.

My question: the articles claim that the program uses several encryption
algorithms, including RSA and AES. Does it use Blowfish or Twofish?

http://www.networkworld.com/news/2008/020108-al-qaeda-encryption.html
http://www.networkworld.com/news/2008/012308-al-qaeda-encryption-security.html
or http://tinyurl.com/2g3lju
http://www.techworld.com/security/features/index.cfm?featureID=3950&pagtype=all
or http://tinyurl.com/22rwdf
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9058619&intsrc=hm_topic
or http://tinyurl.com/ypzpuo
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060939
or http://tinyurl.com/2cf9nu
http://www2.csoonline.com/exclusives/column.html?CID=33516
http://blogs.csoonline.com/a_gift_from_the_islamic_faithful_network_mujahedeen_secrets_2_program
or http://tinyurl.com/3dn7ja
http://www.informationweek.com/internet/showArticle.jhtml?articleID=205918296
or http://tinyurl.com/yv34um

Me on PGP:
http://www.schneier.com/essay-199.html

Me on password guessing:
http://www.schneier.com/essay-148.html

** *** ***** ******* *********** *************

TSA News

The TSA is checking IDs more carefully, looking for forgeries: "More
than 40 passengers have been arrested since June in cases when TSA
screeners spotted altered passports, fraudulent visas and resident ID
cards, and forged driver's licenses. Many of them were arrested on
immigration charges." ID checks have nothing to do with airport
security. And even if they did, anyone can fly on a fake ID. And
enforcing immigration laws is not what the TSA does.
http://www.usatoday.com/news/nation/2008-01-20-blacklights_N.htm?csp=34

Read this from the TSA's website: "We screen every passenger; we screen
every bag so that your memories are from where you went, not how you got
there. We're here to help your travel plans be smooth and stress free.
Please take a moment to become familiar with some of our security
measures. Doing so now will help save you time once you arrive at the
airport." I know they don't mean it that way, but doesn't it sound
like it's saying "We know it doesn't help, but it might make you feel
better"?
http://www.tsa.gov/travelers/airtravel/index.shtm

And why is it news when a test breaches TSA security?
http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html

"Confessions of a TSA Agent": there is some speculation that this is a hoax.
http://information.travel.aol.com/article/air/_a/confessions-of-a-tsa-agent/20080123105909990002
or http://tinyurl.com/2ygsjh

I have no idea why Kip Hawley is surprised that the TSA is as unpopular
with Americans as the IRS.
http://www.theaviationnation.com/2007/12/30/tsa-leaked-memo-reveals-frustrated-chiefs/
or http://tinyurl.com/yr3rwy

The TSA has a blog:
http://www.tsa.gov/blog
http://blog.wired.com/27bstroke6/2008/01/tsa-launches-bl.html
http://arstechnica.com/news.ars/post/20080131-tsa-blog-smackdown-explain-to-me-about-bomb-juice.html
or http://tinyurl.com/2fldwo
http://it.slashdot.org/it/08/02/01/2152216.shtml
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060458
or http://tinyurl.com/26rajb
I'm even on the blogroll.

** *** ***** ******* *********** *************

DHS Warns of Female Suicide Bombers

First paragraph: "Terrorists increasingly favor using women as suicide
bombers to thwart security and draw attention to their causes, a new
FBI-Department of Homeland Security assessment concludes."

Photo caption: "Female suicide bombers can use devices to make them
appear pregnant, a security assessment says."

Second paragraph: "The assessment said the agencies 'have no specific,
credible intelligence indicating that terrorist organizations intend to
utilize female suicide bombers against targets in the homeland.'"

Does the DHS think we're idiots or something?

http://edition.cnn.com/2008/US/02/12/suicide.bombers/index.html

** *** ***** ******* *********** *************

Giving Driver's Licenses to Illegal Immigrants

Many people say that allowing illegal aliens to obtain state driver's
licenses helps them and encourages them to remain illegally in this
country. Michigan Attorney General Mike Cox late last year issued an
opinion that licenses could be issued only to legal state residents,
calling it "one more tool in our initiative to bolster Michigan's border
and document security."

In reality, we are a much more secure nation if we do issue driver's
licenses and/or state IDs to every resident who applies, regardless of
immigration status. Issuing them doesn't make us any less secure, and
refusing puts us at risk.

The state driver's license databases are the only comprehensive
databases of U.S. residents. They're more complete, and contain more
information -- including photographs and, in some cases, fingerprints --
than the IRS database, the Social Security database, or state birth
certificate databases. As such, they are an invaluable police tool --
for investigating crimes, tracking down suspects, and proving guilt.

Removing the 8 million-15 million illegal immigrants from these
databases would only make law enforcement harder. Of course, the
unlicensed won't pack up and leave. They will drive without licenses,
increasing insurance premiums for everyone. They will use fake IDs, buy
real IDs from crooked DMV employees -- as several of the 9/11 terrorists
did -- forge "breeder documents" to get real IDs (another 9/11 terrorist
trick), or resort to identity theft. These millions of people will
continue to live and work in this country, invisible to any government
database and therefore the police.

Assuming that denying licenses to illegals will make them leave is
head-in-the-sand thinking.

Of course, even an attempt to deny licenses to illegal immigrants puts
DMV clerks in the impossible position of verifying immigration status.
This is expensive and time-consuming; furthermore, it won't work. The
law is complicated, and it can take hours to verify someone's status
only to get it wrong. Paperwork can be easy to forge, far easier than
driver's licenses, meaning many illegal immigrants will get these
licenses that now "prove" immigrant status.

Even more legal immigrants will be mistakenly denied licenses, resulting
in lawsuits and additional government expense.

Some states have considered a tiered license system, one that explicitly
lists immigration status on the licenses. Of course, this won't work
either. Illegal immigrants are far more likely to take their chances
being caught than admit their immigration status to the DMV.

We are all safer if everyone in society trusts and respects law
enforcement. A society where illegal immigrants are afraid to talk to
police because of fear of deportation is a society where fewer people
come forward to report crimes, aid police investigations, and testify as
witnesses.

And finally, denying driver's licenses to illegal immigrants will not
protect us from terrorism. Contrary to popular belief, a driver's
license is not required to board a plane. You can use any
government-issued photo ID, including a foreign passport. And if you're
willing to undergo secondary screening, you can board a plane without an
ID at all. This is probably how anybody on the "no fly" list gets around
these days.

A 2003 American Association of Motor Vehicle Administrators report
concludes: "Digital images from driver's licenses have significantly
aided law enforcement agencies charged with homeland security. The 19
(9/11) terrorists obtained driver licenses from several states, and
federal authorities relied heavily on these images for the
identification of the individuals responsible."

Whether it's the DHS trying to protect the nation from terrorism, or
local, state and national law enforcement trying to protect the nation
from crime, we are all safer if we encourage every adult in America to
get a driver's license.

This op-ed originally appeared in the Detroit Free Press.
http://www.schneier.com/essay-205.html

** *** ***** ******* *********** *************

Comments from Readers

There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join
in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You can
subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is founder and CTO of BT Counterpane, and is a member of the Board of
Directors of the Electronic Privacy Information Center (EPIC). He is a
frequent writer and lecturer on security topics. See
<http://www.schneier.com>.

BT Counterpane is the world's leading protector of networked information
- the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. BT
Counterpane protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT or BT Counterpane.

Copyright (c) 2008 by Bruce Schneier.
