Back to newsletter list
CRYPTO-GRAM
May 15, 2008
by Bruce Schneier
Founder and CTO
BT Counterpane
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
You can read this issue on the web at
appear in the "Schneier on Security" blog:
** *** ***** ******* *********** *************
In this issue:
Happy Ten-Year Anniversary
Dual-Use Technologies and the Equities Issue
Crossing Borders with Laptops and PDAs
News
Third Annual Movie-Plot Threat Contest Winner
The RSA Conference
Risk Preferences in Chimpanzees and Bonobos
Schneier/BT News
The Doghouse: Passwordsafe.com
The Ethics of Vulnerability Research
Our Data, Ourselves
Comments from Readers
** *** ***** ******* *********** *************
Happy Ten-Year Anniversary
Ten years ago I started Crypto-Gram. It was a monthly newsletter
written entirely by me. No guest columns. No advertising. Nothing but
me writing about security, published the 15th of the month every month.
Now, 120 issues later, none of that has changed.
I started Crypto-Gram because I had a lot to say about security, and
book-length commentaries were too slow and too infrequent. Sure, I was
writing the occasional column in the occasional magazine, but those were
also too slow and infrequent. Crypto-Gram was supposed to be my
personal voice on security, sent directly to those who wanted to read it.
I originally thought about charging for Crypto-Gram. I knew of several
newsletters that funded themselves through subscription fees, and
figured that a couple of hundred subscribers at $150 or so would sustain
itself very nicely. I don't remember why I decided not to -- did
someone convince me, or did I figure it out myself -- but it was easily
the smartest decision I made about this newsletter. If I'd charged
money for the thing, no one would have read it. Since I didn't, lots of
people subscribed.
There were 457 subscribers by the end of the first day. After that,
circulation climbed slowly and steadily. Here are the totals for May of
each year:
1999 15964
2000 33827
2001 45832
2002 58046
2003 66368
2004 75907
2005 83835
2006 87839
2007 92488
2008 98618
Those numbers hide a lot of readers, like the tens of thousands that
read Crypto-Gram via the Web. I also know of people that forward my
newsletter to hundreds of others. There are many foreign translations
that have their own subscription list. These days I estimate that I
have about 25,000 newsletter readers not included in those numbers.
I have no idea where the initial batch of subscribers came from. Nor do
I remember how people subscribed before the webpage form was done. I do
remember my first big burst of subscribers, though. It was following my
special issue after 9/11. I wrote something short for the September
issue, but I found that I couldn't stop writing. Two weeks later, I
published a special issue on the terrorist attacks. Readers forwarded
that issue again and again, and I ended up with many new subscribers as
a result.
Reader comments began earlier, in December 1998. I found I was getting
some really intelligent comments from my readers -- especially those
that disagreed with me -- and I wanted to publish some of them. Some of
the disagreements were nasty. In October 1998, I started a column
called "The Doghouse," where I made fun of snake-oil security products.
Some of the companies didn't like being so characterized, and sent me
threatening legal letters.
Turns out that publishing those sorts of threats as letters to
Crypto-Gram was the best defense, even though my lawyers always
discouraged it. None of these incidents ever went past the threatening
stage, even though court papers were occasionally filed.
Over the years, Crypto-Gram's focus has changed. Initially, it was all
cryptography. Then, more computer and network security. Then --
especially after 9/11 -- more general security: terrorism, airp***s, ID
cards, voting machines, and so on. And now, more economics and
psychology of security. My career has been a progression from the
specific to the general, and Crypto-Gram has generalized to reflect that.
The next big change to Crypto-Gram came in October 2004. I had been
reading about blogging, and wondered for several months if switching
Crypto-Gram over to blog format was a good idea or not. Again, it was
about speed and frequency. I found that others were commenting on
security stories faster, and that by the time Crypto-Gram would come
out, people had already linked to other stories. A blog would allow me
to get my commentary out even faster, and to be part of the initial
discussions.
I went back and forth. Several people advised me to change, that
blogging was the format of the future. I was skeptical, preferring to
push my newsletter into my readers' mailboxes every month. I sent a
survey to 400 of my subscribers -- 200 random subscribers and 200 people
who had subscribed within the past month -- asking. My eventual
solution was the second smartest thing I did with this newsletter: to do
both.
The Schneier on Security blog started out as Crypto-Gram entries,
delivered daily. And the early blog entries looked a lot like
Crypto-Gram articles, with links at the end. Over the following months
I learned more about the blogging style, and the entries started looking
more like blog entries. Now the blog is primary, and on the 15th of
every month I take the previous month's blog entries and reconfigure
them into Crypto-Gram format. Even today, most readers prefer to
receive Crypto-Gram in their e-mail box every month -- even if they also
read the blog online.
These days, I like both. I like the immediacy of the blog, and I like
the e-mail format of Crypto-Gram. And even after ten years, I still
like the writing.
People often ask me where I find the time to do all of that writing.
It's an odd question for me, because it's what I enjoy doing. I find
time at home, on airp***s, in hotel rooms, everywhere. Writing isn't a
chore -- okay, maybe sometimes it is -- it's something that relaxes me.
I enjoy putting my ideas down in a coherent narrative flow. And
there's nothing that pleases me more than the fact that people read it.
The best fan mail I get from a reader says something like: "You changed
the way I think." That's what I want to do. I want to change the way
you think about security. I want to change the way you think about
threats, and risk, and trade-offs, about security products and services,
about security rhetoric in politics. It matters less if you agree with
me or disagree, only that you're thinking differently.
Thank you. Thank you on this 10th anniversary issue. Thank you,
long-time readers. Thank you, new readers. Thank you for continuing to
read what I have to write. This is still a lot of fun -- and
interesting and thought provoking -- for me. I hope it continues to be
interesting, thought provoking, and fun for you.
Crypto-Gram page, including information about translations:
http://www.schneier.com/crypto-gram.html
Crypto-Gram back issues:
http://www.schneier.com/crypto-gram-back.html
First blog post:
http://www.schneier.com/blog/archives/2004/10/new_blog_and_ch.html
** *** ***** ******* *********** *************
Dual-Use Technologies and the Equities Issue
On April 27, 2007, Estonia was attacked in cyberspace. Following a
diplomatic incident with Russia about the relocation of a Soviet World
War II memorial, the networks of many Estonian organizations, including
the Estonian parliament, banks, ministries, newspapers and broadcasters,
were attacked and -- in many cases -- shut down. Estonia was quick to
blame Russia, which was equally quick to deny any involvement.
It was hyped as the first cyberwar: Russia attacking Estonia in
cyberspace. But nearly a year later, evidence that the Russian
government was involved in the denial-of-service attacks still hasn't
emerged. Though Russian hackers were indisputably the major instigators
of the attack, the only individuals positively identified have been
young ethnic Russians living inside Estonia, who were pissed off over
the statue incident.
You know you've got a problem when you can't tell a hostile attack by
another nation from bored kids with an axe to grind.
Separating cyberwar, cyberterrorism and cybercrime isn't easy; these
days you need a scorecard to tell the difference. It's not just that
it's hard to trace people in cyberspace, it's that military and civilian
attacks -- and defenses -- look the same.
The traditional term for technology the military shares with civilians
is "dual use." Unlike hand grenades and tanks and missile targeting
systems, dual-use technologies have both military and civilian
applications. Dual-use technologies used to be exceptions; even things
you'd expect to be dual use, like radar systems and toilets, were
designed differently for the military. But today, almost all
information technology is dual use. We both use the same operating
systems, the same networking protocols, the same applications, and even
the same security software.
And attack technologies are the same. The recent spurt of targeted
hacks against U.S. military networks, commonly attributed to China,
exploit the same vulnerabilities and use the same techniques as criminal
attacks against corporate networks. Internet worms make the jump to
classified military networks in less than 24 hours, even if those
networks are physically separate. The Navy Cyber Defense Operations
Command uses the same tools against the same threats as any large
corporation.
Because attackers and defenders use the same IT technology, there is a
fundamental tension between cyberattack and cyberdefense. The National
Security Agency has referred to this as the "equities issue," and it can
be summarized as follows: when a military discovers a vulnerability in a
dual-use technology, they can do one of two things. They can alert the
manufacturer and fix the vulnerability, thereby protecting both the good
guys and the bad guys. Or they can keep quiet about the vulnerability
and not tell anyone, thereby leaving the good guys insecure but also
leaving the bad guys insecure.
The equities issue has long been hotly debated inside the NSA.
Basically, the NSA has two roles: eavesdrop on their stuff, and protect
our stuff. When both sides use the same stuff, the agency has to decide
whether to exploit vulnerabilities to eavesdrop on their stuff or close
the same vulnerabilities to protect our stuff.
In the 1980s and before, the tendency of the NSA was to keep
vulnerabilities to themselves. In the 1990s, the tide shifted, and the
NSA was starting to open up and help us all improve our security
defense. But after the attacks of 9/11, the NSA shifted back to the
attack: vulnerabilities were to be hoarded in secret. Slowly, things in
the U.S. are shifting back again.
So now we're seeing the NSA help secure Windows Vista and releasing
their own version of Linux. The DHS, meanwhile, is funding a project to
secure popular open source software packages, and across the Atlantic
the UK's GCHQ is finding bugs in PGPDisk and reporting them back to the
company. (NSA is rumored to be doing the same thing with BitLocker.)
I'm in favor of this trend, because my security improves for free.
Whenever the NSA finds a security problem and gets the vendor to fix it,
our security gets better. It's a side-benefit of dual-use technologies.
But I want governments to do more. I want them to use their buying
power to improve my security. I want them to offer countrywide
contracts for software, both security and non-security, that have
explicit security requirements. If these contracts are big enough,
companies will work to modify their products to meet those requirements.
And again, we all benefit from the security improvements.
The only example of this model I know about is a U.S. government-wide
procurement competition for full-disk encryption, but this can certainly
be done with firewalls, intrusion detection systems, databases,
networking hardware, even operating systems.
When it comes to IT technologies, the equities issue should be a
no-brainer. The good uses of our common hardware, software, operating
systems, network protocols, and everything else vastly outweigh the bad
uses. It's time that the government used its immense knowledge and
experience, as well as its buying power, to improve cybersecurity for
all of us.
Estonia's cyberwar:
http://www.wired.com/politics/security/magazine/15-09/ff_estonia
http://blog.wired.com/27bstroke6/2008/01/we-traced-the-c.html
Cyberwar, cyberterrorism, etc.
http://www.schneier.com/blog/archives/2007/06/cyberwar.html
NSA and DHS cybersecurity initiatives:
http://www.schneier.com/blog/archives/2007/01/nsa_helps_micro_1.html
http://www.nsa.gov/selinux/
http://www.eweek.com/c/a/Security/DHS-Funds-OpenSource-Security-Project/
or http://tinyurl.com/3ggg5g
http://www.schneier.com/blog/archives/2007/01/us_government_t.html
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/05/blog_securitymatters_0501
or http://tinyurl.com/68zj7m
** *** ***** ******* *********** *************
Crossing Borders with Laptops and PDAs
Last month a US court ruled that border agents can search your laptop,
or any other electronic device, when you're entering the country. They
can take your computer and download its entire contents, or keep it for
several days. Customs and Border Patrol has not published any rules
regarding this practice, and I and others have written a letter to
Congress urging it to investigate and regulate this practice.
But the US is not alone. British customs agents search laptops for
pornography. And there are reports on the internet of this sort of thing
happening at other borders, too. You might not like it, but it's a fact.
So how do you protect yourself?
Encrypting your entire hard drive, something you should certainly do for
security in case your computer is lost or stolen, won't work here. The
border agent is likely to start this whole process with a "please type
in your password." Of course you can refuse, but the agent can search
you further, detain you longer, refuse you entry into the country and
otherwise ruin your day.
You're going to have to hide your data. Set a portion of your hard drive
to be encrypted with a different key - even if you also encrypt your
entire hard drive - and keep your sensitive data there. Lots of programs
allow you to do this. I use PGP Disk (from pgp.com). TrueCrypt
(truecrypt.org) is also good, and free.
While customs agents might poke around on your laptop, they're unlikely
to find the encrypted partition. (You can make the icon invisible, for
some added protection.) And if they download the contents of your hard
drive to examine later, you won't care.
Be sure to choose a strong encryption password. Details are too
complicated for a quick tip, but basically anything easy to remember is
easy to guess. Unfortunately, this isn't a perfect solution. Your
computer might have left a copy of the password on the disk somewhere,
and smart forensic software will find it.
So your best defence is to clean up your laptop. A customs agent can't
read what you don't have. You don't need five years' worth of email and
client data. You don't need your old love letters and those photos (you
know the ones I'm talking about). Delete everything you don't absolutely
need. And use a secure file erasure program to do it. While you're at
it, delete your browser's cookies, cache and browsing history. It's
nobody's business what websites you've visited. And turn your computer
off - don't just put it to sleep - before you go through customs; that
deletes other things. Think of all this as the last thing to do before
you stow your electronic devices for landing. Some companies now give
their employees forensically clean laptops for travel, and have them
download any sensitive data over a virtual private network once they've
entered the country. They send any work back the same way, and delete
everything again before crossing the border to go home. This is a good
idea if you can do it.
If you can't, consider putting your sensitive data on a USB drive or
even a camera memory card: even 16GB cards are reasonably priced these
days. Encrypt it, of course, because it's easy to lose something that
small. Slip it in your pocket, and it's likely to remain unnoticed even
if the customs agent pokes through your laptop. If someone does discover
it, you can try saying: "I don't know what's on there. My boss told me
to give it to the head of the New York office." If you've chosen a
strong encryption password, you won't care if he confiscates it.
Lastly, don't forget your phone and PDA. Customs agents can search those
too: emails, your phone book, your calendar. Unfortunately, there's
nothing you can do here except delete things.
I know this all sounds like work, and that it's easier to just ignore
everything here and hope you don't get searched. Today, the odds are in
your favour. But new forensic tools are making automatic searches easier
and easier, and the recent US court ruling is likely to embolden other
countries. It's better to be safe than sorry.
My advice on choosing secure passwords:
http://www.schneier.com/essay-148.html
This essay originally appeared in The Guardian:
http://www.guardian.co.uk/technology/2008/may/15/computing.security
** *** ***** ******* *********** *************
News
I previously wrote about the UK's Regulation of Investigatory Powers Act
(RIPA), which was sold as a means to tackle terrorism and other serious
crimes, being used against animal rights protestors. The latest news
from the UK is that a local council has used provisions of the act to
put a couple and their children under surveillance, for "suspected
fraudulent school place applications":
http://news.bbc.co.uk/1/hi/england/dorset/7341179.stm
http://www.theregister.co.uk/2008/04/11/poole_council_ripa/
http://news.bbc.co.uk/1/hi/england/dorset/7343445.stm
http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html
A researcher talks about humans' inherent capability for evil:
http://www.independent.co.uk/news/people/maverick-academic-philip-zimbardo-says-we-are-all-capable-of-evil-is-he-right-789161.html
or http://tinyurl.com/36jqwh
Comparing cybersecurity to early 1800s security on the high seas:
http://www.csoonline.com/article/print/329164
Usually I don't bother writing about these, but this data leak in
Oklahoma is particularly bad. Anyone with basic SQL knowledge could
have registered anyone he wanted as a sex offender.
http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx
or http://tinyurl.com/4ycfdj
Funny surveillance camera photos:
http://www.flickr.com/photos/spiggycat/2393460671/in/pool-dcist/
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=559547&in_page_id=1770
or http://tinyurl.com/4rs34u
http://www.banksy.co.uk/outdoors/images/landscapes/camera-girl-4.jpg
http://www.artofthestate.co.uk/photos/banksy_one_nation_under_CCTV_day.jpg
or http://tinyurl.com/4aztnk
Homeland Security Secretary Michael Chertoff says fingerprints aren't
personal data.
http://thinkprogress.org/2008/04/16/chertoff-fingerprints/
Sounds like he's confusing secret data with personal data. Lots of
personal data isn't particularly secret.
I am sick of the story that people are willing to reveal their passwords
for a bar of chocolate. I haven't seen any indication they actually
verified that the passwords are real. I would certainly give up a fake
password for a bar of chocolate.
http://blogs.wsj.com/biztech/2008/04/16/security-is-no-match-for-chocolate-and-good-looking-women/?mod=WSJBlog
or http://tinyurl.com/6baob2
Airport security game:
http://www.shockwave.com/gamelanding/airportsecurity.jsp
The TSA wants a tool that will assess risks against transportation
networks.
http://www.gsnmagazine.com/cms/resources/business-opportunities/701.html
or http://tinyurl.com/4mgqjh
I don't think you have to be very good to qualify here. Another
automated system put Boise, ID, on the top of its list of most
vulnerable cities. The bar isn't very high here; I'm just saying.
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/04/AR2008040403022.html
or http://tinyurl.com/3nrudx
This is interesting research: given a security patch, can you
automatically reverse-engineer the security vulnerability that is being
patched and create exploit code to exploit it? Turns out you can.
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html
Hacking ISP error pages. It's a big deal.
http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html
http://www.theregister.co.uk/2008/04/20/kaminsky_demo_at_toorcon/
This won best-paper award at the First USENIX Workshop on Large-Scale
Exploits and Emergent Threat; it's about maliciously designing
processors to support hacking:
http://www.usenix.org/event/leet08/tech/full_papers/king/king_html/
Theoretical? Sure. But combine this with stories of counterfeit
computer hardware from China, and you've got yourself a potentially
serious problem.
http://www.hardwareanalysis.com/content/article/1874/made-in-china-security-risk/
or http://tinyurl.com/3ukoap
List of deaths, intended to prevent identity theft, is used for identity
theft.
http://blog.wired.com/27bstroke6/2008/04/feds-charge-cal.html
Protect your laptop screen from roving eyes, a low-tech solution:
http://www.engadget.com/2008/04/16/the-body-laptop-interface-is-knitted-from-thneed-which-nobody-n/
or http://tinyurl.com/3s525l
Boring jobs dull the mind. We already knew this, but it's good to
reinforce the lesson.
http://news.bbc.co.uk/2/hi/science/nature/7358863.stm
This video demonstrates the point nicely.
http://www.youtube.com/watch?v=Ahg6qcgoay4
Interesting investigative article from Business Week on Chinese cyber
espionage against the U.S. government, and the government's reaction.
http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Will we ever win the war on photographers?
http://www.memphisflyer.com/memphis/Content?oid=oid%3A41348
Virtual kidnapping is a real crime in Mexico:
http://www.nytimes.com/2008/04/29/world/americas/29mexico.html
This picture, demonstrating a SQL injection attack against automatic
license plate scanners, is almost certainly Photoshopped, and a joke,
but it's certainly a clever idea. As automatic license plate scanners
become more common, why not?
http://www.areino.com/hackeando/
http://www.schneier.com/essay-057.html
Reminds me of this xkcd cartoon:
http://xkcd.com/327/
Funny DHS "Neighborhood Watch" hoax:
http://dhsnnw.org/index.html
http://itp.nyu.edu/blogs/ecm292_thesis/
Microsoft is distributing a USB drive filled with Windows forensic
analysis tools for police:
http://www.schneier.com/blog/archives/2008/04/microsoft_has_d.html
Heroin vs. terrorism: A nice essay on security trade-offs.
http://www.timesonline.co.uk/tol/comment/columnists/guest_contributors/article3835351.ece
or http://tinyurl.com/59j2qj
Snarky essay on what to worry about:
http://tencartrain.com/?p=627
Sky marshals on the no-fly list. If it weren't so sad, it would be funny.
http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080429/NATION/782525487/-1/RSS_NATION_POLITICS
or http://tinyurl.com/4fbzu2
http://www.economist.com/blogs/gulliver/2008/05/that_pesky_nofly_list.cfm
or http://tinyurl.com/3uw9ak
I just received the second edition of Ross Anderson's "Security
Engineering" in the mail. It's beautiful. This is the best book on the
topic there is, and I recommend it to everyone working in this field --
and not just because I wrote the foreword. You can download the preface
and six chapters. (You can also download the entire first edition.)
http://www.amazon.com/Security-Engineering-Building-Dependable-Distributed/dp/0470068523/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1209409426&sr=8-2
or http://tinyurl.com/4prdy2
http://www.cl.cam.ac.uk/~rja14/bruce.html
http://www.cl.cam.ac.uk/~rja14/book.html
U.S. State Department loses hundreds of laptops. Bet you anything they
were not encrypted.
http://www.cqpolitics.com/wmspage.cfm?parm1=5&docID=hsnews-000002716318
or http://tinyurl.com/66ovev
London's cameras don't reduce crime. This is, of course, absolutely no
surprise.
http://news.bbc.co.uk/1/hi/uk/7384843.stm
http://www.guardian.co.uk/uk/2008/may/06/ukcrime1
http://www.schneier.com/blog/archives/2008/05/londons_cameras_1.html
Al Qaeda threat overrated:
http://www.newsweek.com/id/135654/
Remember the two men who were exhibiting "unusual behavior" on a
Washington-state ferry last summer? Turns out they were tourists, not
terrorists.
http://www.schneier.com/blog/archives/2008/05/tourists_not_te_1.html
Excellent article chronicling the U.S. surveillance debate from the
mid-1980s until today. Don't expect good coverage of the current
debate, however: the legality of the NSA's recent domestic eavesdropping
program, and the legality of the telcos' assistance.
http://www.govexec.com/dailyfed/0408/042208nj1.htm
A handy guide to cell phone spying:
http://www.geeksaresexy.net/2008/05/05/cell-phone-spying-is-your-life-being-monitored/
or http://tinyurl.com/5adjr6
I don't know what I think of Sweet Dreams Security and its attempts to
make security cuddly.
http://www.deardad.net/sds-html/
http://www.schneier.com/blog/archives/2008/05/making_security.html
Terrorism as a tax -- certainly a good way to look at it.
http://www.schneier.com/blog/archives/2008/05/terrorism_as_a.html
Interesting Microsoft patent application: Guardian Angel.
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220080082465%22.PGNR.&OS=DN/20080082465&RS=DN/20080082465"
or http://tinyurl.com/4vbpyx
Note that Bill Gates and Ray Ozzie are co-inventers.
The Department of Homeland Security has a new $200 million Comprehensive
National Cybersecurity Inititative (CNCI). Congress is happy to fund it,
but kind of wants to know what it's going to do. I have to admit, I'm
kind of curious myself.
http://blog.wired.com/27bstroke6/2008/05/senate-panel-qu.html
http://arstechnica.com/news.ars/post/20080506-senators-press-dhs-head-for-details-on-cybersecurity-plans.html
The U.S. Air Force considers creating its own botnet. Actually, I think
this is a fine idea -- as long as they only use computers that they
legally own.
http://www.armedforcesjournal.com/2008/05/3375884
http://arstechnica.com/news.ars/post/20080512-preparing-for-cyber-warfare-us-air-force-floats-botnet-plan.html
** *** ***** ******* *********** *************
Third Annual Movie-Plot Threat Contest Winner
On April 7, in my blog -- seven days late -- I announced the Third
Annual Movie-Plot Threat Contest:
"For this contest, the goal is to create fear. Not just any fear, but a
fear that you can alleviate through the sale of your new product idea.
There are lots of risks out there, some of them serious, some of them so
unlikely that we shouldn't worry about them, and some of them completely
made up. And there are lots of products out there that provide security
against those risks.
"Your job is to invent one. First, find a risk or create one. It can be
a terrorism risk, a criminal risk, a natural-disaster risk, a common
household risk -- whatever. The weirder the better. Then, create a
product that everyone simply has to buy to protect him- or herself from
that risk. And finally, write a catalog ad for that product.
Entries are limited to 150 words ... because fear doesn't require a
whole lot of explaining. Tell us why we should be afraid, and why we
should buy your product."
On May 7, I posted five semi-finalists out of the 327 blog comments:
* DNA adulteratometer to detect waiters spitting in your soup.
* Toothpaste test strips.
* SOS device for people locked in car trunks.
* Anti-laser-pointer eyeglasses.
* "Alertness alert" heartbeat monitor.
Sadly, two of those five were above the 150-word limit. Out of the
three remaining, I (with the help of my readers) have chosen a winner.
Presenting, the winner of the Third Annual Movie Plot Threat Contest,
Aaron Massey:
"Tommy Tester Toothpaste Strips:
"Many Americans were shocked to hear the results of the research trials
regarding heavy metals and toothpaste conducted by the New England
Journal of Medicine, which FDA is only now attempting to confirm. This
latest scare comes after hundreds of deaths were linked to toothpaste
contaminated with diethylene glycol, a potentially dangerous chemical
used in antifreeze.
"In light of this continuing health risk, Hamilton Health Labs is proud
to announce Tommy Tester Toothpaste Strips! Just apply a dab of
toothpaste from a fresh tube onto the strip and let it rest for 3
minutes. It's just that easy! If the strip turns blue, rest assured that
your entire tube of toothpaste is safe. However, if the strip turns
pink, dispose of the toothpaste immediately and call the FDA health
emergency number at 301-443-1240.
"Do not let your family become a statistic when the solution is only $2.95!"
Aaron wins, well, nothing really, except the fame and glory afforded by
Crypto-Gram and my blog. So give him some fame and glory. Congratulations.
Announcement:
http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html
Semifinalists:
http://www.schneier.com/blog/archives/2008/05/third_annual_mo_2.html
** *** ***** ******* *********** *************
The RSA Conference
Last week was the RSA Conference, easily the largest information
security conference in the world. Over 17,000 people descended on San
Francisco's Moscone Center to hear some of the over 250 talks, attend
I-didn't-try-to-count parties, and try to evade over 350 exhibitors
vying to sell them stuff.
Talk to the exhibitors, though, and the most common complaint is that
the attendees aren't buying.
It's not the quality of the wares. The show floor is filled with new
security products, new technologies, and new ideas. Many of these are
products that will make the attendees' companies more secure in all
sorts of different ways. The problem is that most of the people
attending the RSA Conference can't understand what the products do or
why they should buy them. So they don't.
I spoke with one person whose trip was paid for by a smallish security
firm. He was one of the company's first customers, and the company was
proud to parade him in front of the press. I asked him if he walked
through the show floor, looking at the company's competitors to see if
there was any benefit to switching.
"I can't figure out what any of those companies do," he replied.
I believe him. The booths are filled with broad product claims,
meaningless security platitudes, and unintelligible marketing
literature. You could walk into a booth, listen to a five-minute sales
pitch by a marketing type, and still not know what the company does.
Even seasoned security professionals are confused.
Commerce requires a meeting of minds between buyer and seller, and it's
just not happening. The sellers can't explain what they're selling to
the buyers, and the buyers don't buy because they don't understand what
the sellers are selling. There's a mismatch between the two; they're so
far apart that they're barely speaking the same language.
This is a bad thing in the near term -- some good companies will go
bankrupt and some good security technologies won't get deployed -- but
it's a good thing in the long run. It demonstrates that the computer
industry is maturing: IT is getting complicated and subtle, and users
are starting to treat it like infrastructure.
For a while now I have predicted the death of the security industry.
Not the death of information security as a vital requirement, of course,
but the death of the end-user security industry that gathers at the RSA
Conference. When something becomes infrastructure -- power, water,
cleaning service, tax preparation -- customers care less about details
and more about results. Technological innovations become something the
infrastructure providers pay attention to, and they package it for their
customers.
No one wants to buy security. They want to buy something truly useful
-- database management systems, Web 2.0 collaboration tools, a
company-wide network -- and they want it to be secure. They don't want
to have to become IT security experts. They don't want to have to go to
the RSA Conference. This is the future of IT security.
You can see it in the large IT outsourcing contracts that companies are
signing -- not security outsourcing contracts, but more general IT
contracts that include security. You can see it in the current wave of
industry consolidation: not large security companies buying small
security companies, but non-security companies buying security
companies. And you can see it in the new popularity of software as a
service: Customers want solutions; who cares about the details?
Imagine if the inventor of antilock brakes -- or any automobile safety
or security feature -- had to sell them directly to the consumer. It
would be an uphill battle convincing the average driver that he needed
to buy them; maybe that technology would have succeeded and maybe it
wouldn't. But that's not what happens. Antilock brakes, airbags, and
that annoying sensor that beeps when you're backing up too close to
another object are sold to automobile companies, and those companies
bundle them together into cars that are sold to consumers. This doesn't
mean that automobile safety isn't important, and often these new
features are touted by the car manufacturers.
The RSA Conference won't die, of course. Security is too important for
that. There will still be new technologies, new products, and new
start-ups. But it will become inward-facing, slowly turning into an
industry conference. It'll be security companies selling to the
companies who sell to corporate and home users -- and will no longer be
a 17,000-person user conference.
"Death of the Security Industry":
http://www.schneier.com/essay-196.html
Industry consolidation:
http://www.schneier.com/essay-209.html
Commentary:
http://www.computerweekly.com/blogs/david_lacey/2008/05/we_cant_have_enough_security_p_1.html
or http://tinyurl.com/4jsejk
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/news/2008/04/securitymatters_0417
or http://tinyurl.com/5gnmxu
** *** ***** ******* *********** *************
Risk Preferences in Chimpanzees and Bonobos
I've already written about prospect theory, which explains how people
approach risk. People tend to be risk averse when it comes to gains,
and risk seeking when it comes to losses:
"Evolutionarily, presumably it is a better survival strategy to -- all
other things being equal, of course -- accept small gains rather than
risking them for larger ones, and risk larger losses rather than
accepting smaller losses. Lions chase young or wounded wildebeest
because the investment needed to kill them is lower. Mature and healthy
prey would probably be more nutritious, but there's a risk of missing
lunch entirely if it gets away. And a small meal will tide the lion over
until another day. Getting through today is more important than the
possibility of having food tomorrow.
"Similarly, it is evolutionarily better to risk a larger loss than to
accept a smaller loss. Because animals tend to live on the razor's edge
between starvation and reproduction, any loss of food -- whether small
or large -- can be equally bad. That is, both can result in death. If
that's true, the best option is to risk everything for the chance at no
loss at all."
This behavior has been demonstrated in animals as well: "species of
insects, birds and mammals range from risk neutral to risk averse when
making decisions about amounts of food, but are risk seeking towards
delays in receiving food."
A recent study examines the relative risk preferences in two closely
related species: chimanzees and bonobos. "Human and non-human animals
tend to avoid risky prospects. If such patterns of economic choice are
adaptive, risk preferences should reflect the typical decision-making
environments faced by organisms. However, this approach has not been
widely used to examine the risk sensitivity in closely related species
with different ecologies. Here, we experimentally examined
risk-sensitive behaviour in chimpanzees (Pan troglodytes) and bonobos
(Pan paniscus), closely related species whose distinct ecologies are
thought to be the major selective force shaping their unique behavioural
repertoires. Because chimpanzees exploit riskier food sources in the
wild, we predicted that they would exhibit greater tolerance for risk in
choices about food. Results confirmed this prediction: chimpanzees
significantly preferred the risky option, whereas bonobos preferred the
fixed option. These results provide a relatively rare example of
risk-prone behaviour in the context of gains and show how ecological
pressures can sculpt economic decision making."
The basic argument is that in the natural environment of the chimpanzee,
if you don't take risks you don't get any of the high-value rewards
(e.g., monkey meat). Bonobos "rely more heavily than chimpanzees on
terrestrial herbaceous vegetation, a more temporally and spatially
consistent food source." So chimpanzees are less likely to avoid taking
risks.
Fascinating stuff, but there are at least two problems with this study.
The first one, the researchers explain in their paper. The animals
studied -- five of each species -- were from the Wolfgang Koehler
Primate Research Center at the Leipzig Zoo, and the experimenters were
unable to rule out differences in the "experiences, cultures and
conditions of the two specific groups tested here."
The second problem is more general: we know very little about the life
of bonobos in the wild. There's a lot of popular stereotypes about
bonobos, but they're sloppy at best.
Even so, I like seeing this kind of research. It's fascinating.
Blog entry URL:
http://www.schneier.com/blog/archives/2008/04/risk_preference.html
http://journals.royalsociety.org/content/hj235725w4pp2872/?p=dca3144c481b44358c2fed990c973bc4&pi=5
or http://tinyurl.com/4w9p2w
Prospect theory:
http://www.schneier.com/essay-155.html
Bonobos in the wild:
http://www.newyorker.com/reporting/2007/07/30/070730fa_fact_parker
** *** ***** ******* *********** *************
Schneier/BT News
Audio and video of Schneier's talk from InfoSecurity Europe on
"Reconceptualizing Security," or maybe "The Theater of Security."
http://www.yada-yada.co.uk/podcasts/ReedExhibitions/InfosecurityEurope/audio/Hall_of_Fame_BruceSchneier.mp3
or http://tinyurl.com/4x2j5a
http://www.yada-yada.co.uk/podcasts/ReedExhibitions/InfosecurityEurope/video/BruceSchneier.html
or http://tinyurl.com/44vyww
Schneier was interviewed on Dutch radio. The introduction and questions
are in Dutch, but the answers are in English.
http://www.xs4all.nl/~herbertb/2000+/Radio/BNR-eEeuw/2008/eeuw_20080424_Veiligheid_bestaat_niet.mp3
or http://tinyurl.com/4rygwo
Schneier was interviewed on Anti War Radio. It was an odd interview,
starting from the essay "Portrait of the Modern Terrorist as an Idiot"
and then meandering into the role of government versus corporations in
security.
http://antiwar.com/radio/2008/04/11/bruce-schneier/
This Schneier interview was conducted on video even though it is
presented as text, so it doesn't read as well as the ones I've done via
e-mail.
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security_hardware_and_software&articleId=9079720&taxonomyId=145&intsrc=kc_fe
or http://tinyurl.com/4whyqo
Another Schneier interview, conducted at the RSA Conference:
http://techwebtv.feedroom.com/?fr_story=f0d0cf13252829540dc4e42104b05fe45d9043ca&rf
or http://tinyurl.com/46st9s
Schneier video interview from the UK:
http://www.computerweekly.com/Articles/2008/04/30/230486/video-security-experts-bruce-schneier-and-ray-stanton-on-the-human-side-of.htm
or http://tinyurl.com/628amx
Two Schneier video interviews from Australia:
http://www.builderau.com.au/video/soa/Schneier-The-problem-of-evaluating-risk/0,2000064338,22441085p,00.htm
or http://tinyurl.com/4ua3k5
http://www.builderau.com.au/video/soa/Schneier-The-drama-of-security/0,2000064338,22441082p,00.htm
or http://tinyurl.com/4qz3c9
** *** ***** ******* *********** *************
The Doghouse: Passwordsafe.com
This isn't my Password Safe. This is PasswordSafe.com. Password Safe
is an open-source application that lives on your computer and encrypts
your passwords. PasswordSafe.com lets you store your passwords on their
server. They promise not to look at them.
"Can I trust PasswordSafe? As we mentioned, pretty much every function
is automated, no-one here ever sees your information as it's all taken
care of by the programs and encrypted into the database. Again we'll
remind you, we do not recommend you store sensitive information at
PasswordSafe. In house, we've used this service for many sites, banner
programs, affiliate programs, free email services and much more."
http://www.passwordsafe.com/
My Password Safe:
http://www.schneier.com/passsafe.html
** *** ***** ******* *********** *************
The Ethics of Vulnerability Research
The standard way to take control of someone else's computer is by
exploiting a vulnerability in a software program on it. This was true in
the 1960s when buffer overflows were first exploited to attack
computers. It was true in 1988 when the Morris worm exploited a Unix
vulnerability to attack computers on the Internet, and it's still how
most modern malware works.
Vulnerabilities are software mistakes--mistakes in specification and
design, but mostly mistakes in programming. Any large software package
will have thousands of mistakes. These vulnerabilities lie dormant in
our software systems, waiting to be discovered. Once discovered, they
can be used to attack systems. This is the point of security patching:
eliminating known vulnerabilities. But many systems don't get patched,
so the Internet is filled with known, exploitable vulnerabilities.
New vulnerabilities are hot commodities. A hacker who discovers one can
sell it on the black market, blackmail the vendor with disclosure, or
simply publish it without regard to the consequences. Even if he does
none of these, the mere fact the vulnerability is known by someone
increases the risk to every user of that software. Given that, is it
ethical to research new vulnerabilities?
Unequivocally, yes. Despite the risks, vulnerability research is
enormously valuable. Security is a mindset, and looking for
vulnerabilities nurtures that mindset. Deny practitioners this vital
learning tool, and security suffers accordingly.
Security engineers see the world differently than other engineers.
Instead of focusing on how systems work, they focus on how systems fail,
how they can be made to fail, and how to prevent--or protect
against--those failures. Most software vulnerabilities don't ever appear
in normal operations, only when an attacker deliberately exploits them.
So security engineers need to think like attackers.
People without the mindset sometimes think they can design security
products, but they can't. And you see the results all over society--in
snake-oil cryptography, software, Internet protocols, voting machines,
and fare card and other payment systems. Many of these systems had
someone in charge of "security" on their teams, but it wasn't someone
who thought like an attacker.
This mindset is difficult to teach, and may be something you're born
with or not. But in order to train people possessing the mindset, they
need to search for and find security vulnerabilities--again and again
and again. And this is true regardless of the domain. Good
cryptographers discover vulnerabilities in others' algorithms and
protocols. Good software security experts find vulnerabilities in
others' code. Good airport security designers figure out new ways to
subvert airport security. And so on.
This is so important that when someone shows me a security design by
someone I don't know, my first question is, "What has the designer
broken?" Anyone can design a security system that he cannot break. So
when someone announces, "Here's my security system, and I can't break
it," your first reaction should be, "Who are you?" If he's someone who
has broken dozens of similar systems, his system is worth looking at. If
he's never broken anything, the chance is zero that it will be any good.
Vulnerability research is vital because it trains our next generation of
computer security experts. Yes, newly discovered vulnerabilities in
software and airports put us at risk, but they also give us more
realistic information about how good the security actually is. And yes,
there are more and less responsible--and more and less legal--ways to
handle a new vulnerability. But the bad guys are constantly searching
for new vulnerabilities, and if we have any hope of securing our
systems, we need the good guys to be at least as competent. To me, the
question isn't whether it's ethical to do vulnerability research. If
someone has the skill to analyze and provide better insights into the
problem, the question is whether it is ethical for him not to do
vulnerability research.
This was originally published in InfoSecurity Magazine, as part of a
point-counterpoint with Marcus Ranum. You can read Marcus's half here.
http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1313268,00.html
** *** ***** ******* *********** *************
Our Data, Ourselves
In the information age, we all have a data shadow.
We leave data everywhere we go. It's not just our bank accounts and
stock portfolios, or our itemized bills, listing every credit card
purchase and telephone call we make. It's automatic road toll collection
systems, supermarket affinity cards, ATMs, and so on.
It's also our lives. Our love letters and friendly chat. Our personal
e-mails and SMS messages. Our business plans, strategies, and offhand
conversations. Our political leanings and positions. And this is just
the data we interact with. We all have shadow selves living in the data
banks of hundreds of corporations information brokers -- information
about us that is both surprisingly personal and uncannily complete --
except for the errors that you can neither see nor correct.
What happens to our data happens to ourselves.
This shadow self doesn't just sit there: it's constantly touched. It's
examined and judged. When we apply for a bank loan, it's our data that
determines whether or not we get it. When we try to board an airp***,
it's our data that determines how thoroughly we get searched -- or
whether we get to board at all. If the government wants to investigate
us, they're more likely to go through our data than they are to search
our homes; for a lot of that data, they don't even need a warrant.
Who controls our data controls our lives.
It's true. Whoever controls our data can decide whether we can get a
bank loan, on an airp***, or into a country. Or what sort of discount
we get from a merchant, or even how we're treated by customer support. A
potential employer can, illegally in the U.S., examine our medical data
and decide whether or not to offer us a job. The police can mine our
data and decide whether or not we're a terrorist risk. If a criminal can
get hold of enough of our data, he can open credit cards in our names,
siphon money out of our investment accounts, even sell our property.
Identity theft is the ultimate proof that control of our data means
control of our life.
We need to take back our data.
Our data is a part of us. It's intimate and personal, and we have basic
rights to it. It should be protected from unwanted touch.
We need a comprehensive data privacy law. This law should protect all
information about us, and not be limited merely to financial or health
information. It should limit others' ability to buy and sell our
information without our knowledge and consent. It should allow us to see
information about us held by others, and correct any inaccuracies we
find. It should prevent the government from going after our information
without judicial oversight. It should enforce data deletion, and limit
data collection, where necessary. And we need more than token penalties
for deliberate violations.
This is a tall order, and it will take years for us to get there. It's
easy to do nothing and let the market take over. But as we see with
things like grocery store club cards and click-through privacy policies
on websites, most people either don't realize the extent their privacy
is being violated or don't have any real choice. And businesses, of
course, are more than happy to collect, buy, and sell our most intimate
information. But the long-term effects of this on society are toxic; we
give up control of ourselves.
This essay previously appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/05/blog_securitymatters_0515
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You can
subscribe, ***, or change your address on the Web at
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is founder and Chief Security Tecnology Officer of Brtish Telcom
(BT), and is on the Board of Directors of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT or BT Counterpane.
Copyright (c) 2008 by Bruce Schneier.
