This website does readability filtering of other pages. All styles, scripts, forms and ads are stripped. If you want your website excluded or have other feedback, use this form.

Schneier on Security

success fail Jan FEB Mar 02 2006 2007 2008 1,803 captures 09 Oct 2004 - 11 Dec 2018 About this capture COLLECTED BY Organization: Alexa Crawls Starting in 1996, Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to the Wayback Machine after an embargo period. Collection: 38_crawl this data is currently not publicly accessible. TIMESTAMPS

Bruce Schneier

Home

Weblog

Crypto-Gram Newsletter

Books

Essays and Op Eds

Computer Security Articles

News and Interviews

Speaking Schedule

Password Safe

Cryptography and Computer Security Resources

Contact Information

Schneier on Security

A weblog covering security and security technology.

Bloggers on Blogging

Rebecca Blood interviewed me for her "Bloggers on Blogging" series.

Posted on February 02, 2007 at 12:57 PM14 Comments


Excessive Secrecy and Security Helps Terrorists

I've said it, and now so has the director of the Canadian Security Intelligence Service:

Canada's spy master, of all people, is warning that excessive government secrecy and draconian counterterrorism measures will only play into the hands of terrorists.

"The response to the terrorist threat, whether now or in the future, should follow the long-standing principle of 'in all things moderation,'" Jim Judd, director of the Canadian Security Intelligence Service, said in a recent Toronto speech.

Posted on February 02, 2007 at 07:25 AM14 Comments


Non-Terrorist Embarrassment in Boston

The story is almost too funny to write about seriously. To advertise the Cartoon Network show "Aqua Teen Hunger Force," the network put up 38 blinking signs (kind of like Lite Brites) around the Boston area. The Boston police decided -- with absolutely no supporting evidence -- that these were bombs and shut down parts of the city.

Now the police look stupid, but they're trying really not hard not to act humiliated:

Governor Deval Patrick told the Associated Press: "It's a hoax -- and it's not funny."

Unfortunately, it is funny. What isn't funny is now the Boston government is trying to prosecute the artist and the network instead of owning up to their own stupidity. The police now claim that they were "hoax" explosive devices. I don't think you can claim they are hoax explosive devices unless they were intended to look like explosive devices, which merely a cursory look at any of them shows that they weren't.

But it's much easier to blame others than to admit that you were wrong:

"It is outrageous, in a post 9/11 world, that a company would use this type of marketing scheme," Mayor Thomas Menino said. "I am prepared to take any and all legal action against Turner Broadcasting and its affiliates for any and all expenses incurred."

And:

Rep. Ed Markey, a Boston-area congressman, said, "Whoever thought this up needs to find another job."

"Scaring an entire region, tying up the T and major roadways, and forcing first responders to spend 12 hours chasing down trinkets instead of terrorists is marketing run amok," Markey, a Democrat, said in a written statement. "It would be hard to dream up a more appalling publicity stunt."

And:

"It had a very sinister appearance," [Massachusetts Attorney General Martha] Coakley told reporters. "It had a battery behind it, and wires."

For heavens sake, don't let her inside a Radio Shack.

I like this comment:

They consisted of magnetic signs with blinking lights in the shape of a cartoon character.

And everyone knows that bombs have blinking lights on ‘em. Every single movie bomb you’ve ever seen has a blinking light.

Triumph for Homeland Security, guys.

And this one:

"It's almost too easy to be a terrorist these days," said Jennifer Mason, 26. "You stick a box on a corner and you can shut down a city."

And this one, by one of the artists who installed the signs:

"I find it kind of ridiculous that they're making these statements on TV that we must not be safe from terrorism, because they were up there for three weeks and no one noticed. It's pretty commonsensical to look at them and say this is a piece of art and installation," he said.

Right. If this wasn't a ridiculous overreaction to a non-existent threat, then how come the devices were in place for weeks without anyone noticing them? What does that say about the Boston police?

Maybe if the Boston police stopped wasting time and money searching bags on subways....

Of the 2,449 inspections between Oct. 10 and Dec. 31, the bags of 27 riders tested positive in the initial screening for explosives, prompting further searches, the Globe found in an analysis of daily inspection reports obtained under the state's Freedom of Information Act.

In the additional screening, 11 passengers had their bags checked by explosive-sniffing dogs, and 16 underwent a physical search. Nothing was found.

These blinking signs have been up for weeks in ten cities -- Boston, New York, Los Angeles, Chicago, Atlanta, Seattle, Portland, Austin, San Francisco, and Philadelphia -- and no one else has managed to panic so completely. Refuse to be terrorized, people!

EDITED TO ADD (2/2): Here's some good information about whether the stunt broke the law or not.

Posted on February 01, 2007 at 01:08 PM181 Comments


Recognizing a Suicide Bomber

Fascinating story of an Israeli taxi driver who picked up a suicide bomber. What's interesting to me is how the driver comes to realize his passenger is a suicide bomber. It wasn't anything that comes up on a profile, but a feeling that something is wrong:

Mr Woltinsky said he realised straight away that something was not quite right.

"When he got into my car, I had a bad feeling because he did not behave normally -- his eyes, his nerves -- and the fact he was wearing a big red jacket even though it was hot.

"I asked him where he wanted to go but he didn't say anything, just waved his hand.

"When I asked him again, he said only one word, "Haifa", in an Arab accent. Haifa is hundreds of kilometres away, so now I was almost 100% sure he was a suicide bomber."

In other words, his passanger was acting hinky.

EDITED TO ADD (2/1): The Israeli was not a taxi driver. Apologies.

Posted on February 01, 2007 at 06:26 AM38 Comments


Cameras Protecting Other Cameras

There is a proposal in Scotland to protect automatic speed-trap cameras from vandals by monitoring them with other cameras.

Then, I suppose we need still other cameras to protect the camera-watching cameras.

I am reminded of a certain building corner in York. Centuries ago it was getting banged up by carts and whatnot, so the owners stuck a post in the ground a couple of feet away from the corner to protect it. Time passed, and the post itself became historically significant. So now there is another post a couple of feet away from the first one to protect it.

When will it end?

Posted on January 31, 2007 at 02:05 PM61 Comments


How Vulnerable Was Internet Explorer?

The title of the article says it all: "Internet Explorer Unsafe for 284 Days in 2006." Here's a chart.

Posted on January 31, 2007 at 07:21 AM31 Comments


Airport Security Game

Play online; see if you can keep up with the ever-changing arbitrary rules.

Posted on January 30, 2007 at 02:22 PM16 Comments


Real-ID: Costs and Benefits

The argument was so obvious it hardly needed repeating. Some thought we would all be safer -- ­from terrorism, from crime, even from inconvenience -- ­if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and it’s ridiculous that a modern country like the United States doesn’t have one.

Still, most Americans have been and continue to be opposed to a national ID card. Even just after 9/11, polls showed a bare majority (51 percent) in favor­and that quickly became a minority opinion again. As such, both political parties came out against the card, which meant that the only way it could become law was to sneak it through.

Republican Cong. F. James Sensenbrenner of Wisconsin did just that. In February 2005, he attached the Real ID Act to a defense appropriations bill. No one was willing to risk not supporting the troops by holding up the bill, and it became law. No hearings. No floor debate. With nary a whisper, the United States had a national ID.

By forcing all states to conform to common and more stringent rules for issuing driver’s licenses, the Real ID Act turns these licenses into a de facto national ID. It’s a massive, unfunded mandate imposed on the states, and -- ­naturally -- ­the states have resisted. The detailed rules and timetables are still being worked out by the Department of Homeland Security, and it’s the details that will determine exactly how expensive and onerous the program actually is.

It is against this backdrop that the National Governors Association, the National Conference of State Legislatures, and the American Association of Motor Vehicle Administrators together tried to estimate the cost of this initiative. “The Real ID Act: National Impact Analysis” is a methodical and detailed report, and everything after the executive summary is likely to bore anyone but the most dedicated bean counters. But rigor is important because states want to use this document to influence both the technical details and timetable of Real ID. The estimates are conservative, leaving no room for problems, delays, or unforeseen costs, and yet the total cost is $11 billion over the first five years of the program.

If anything, it’s surprisingly cheap: Only $37 each for an estimated 295 million people who would get a new ID under this program. But it’s still an enormous amount of money. The question to ask is, of course: Is the security benefit we all get worth the $11 billion price tag? We have a cost estimate; all we need now is a security estimate.

I’m going to take a crack at it.

When most people think of ID cards, they think of a small plastic card with their name and photograph. This isn’t wrong, but it’s only a small piece of any ID program. What starts out as a seemingly simple security device -- ­a card that binds a photograph with a name -- ­rapidly becomes a complex security system.

It doesn’t really matter how well a Real ID works when used by the hundreds of millions of honest people who would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we can’t make it impossible. Real IDs will be forged.

Even worse, people will get legitimate cards in fraudulent names. Two of the 9/11 terrorists had valid Virginia driver’s licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn’t be bribed, cards are issued based on other identity documents -- ­all of which are easier to forge.

And we can’t assume that everyone will always have a Real ID. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself would be susceptible to abuse.

Additionally, any ID system involves people: people who regularly make mistakes. We’ve all heard stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It’s not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints could help but bring with them their own set of exploitable failure modes.

All of these problems demonstrate that identification checks based on Real ID won’t be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American -- ­one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don’t know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.

But even if we could solve all these problems, and within the putative $11 billion budget, we still wouldn’t be getting very much security. A reliance on ID cards is based on a dangerous security myth, that if only we knew who everyone was, we could pick the bad guys out of the crowd.

In an ideal world, what we would want is some kind of ID that denoted intention. We'd want all terrorists to carry a card that said “evildoer” and everyone else to carry a card that said “honest person who won't try to hijack or blow up anything.” Then security would be easy. We could just look at people’s IDs, and, if they were evildoers, we wouldn’t let them on the airplane or into the building.

This is, of course, ridiculous; so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. But that’s almost as ridiculous.

Even worse, as soon as you divide people into two categories -- ­more trusted and less trusted people -- ­you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity -- ­and profile -- ­of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.

There’s another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. Think of all the problems with the government’s no-fly list. That list, which is what Real IDs will be checked against, not only wastes investigative resources that might be better spent elsewhere, but it also causes grave harm to those innocents who fit the profile.

Enough of terrorism; what about more mundane concerns like identity theft? Perversely, a hard-to-forge ID card can actually increase the risk of identity theft. A single ubiquitous ID card will be trusted more and used in more applications. Therefore, someone who does manage to forge one -- ­or get one issued in someone else’s name -- ­can commit much more fraud with it. A centralized ID system is a far greater security risk than a decentralized one with various organizations issuing ID cards according to their own rules for their own purposes.

Security is always a trade-off; it must be balanced with the cost. We all do this intuitively. Few of us walk around wearing bulletproof vests. It’s not because they’re ineffective, it’s because for most of us the trade-off isn’t worth it. It’s not worth the cost, the inconvenience, or the loss of fashion sense. If we were living in a war-torn country like Iraq, we might make a different trade-off.

Real ID is another lousy security trade-off. It’ll cost the United States at least $11 billion, and we won’t get much security in return. The report suggests a variety of measures designed to ease the financial burden on the states: extend compliance deadlines, allow manual verification systems, and so on. But what it doesn’t suggest is the simple change that would do the most good: scrap the Real ID program altogether. For the price, we’re not getting anywhere near the security we should.

This essay will appear in the March/April issue of The Bulletin of Atomic Scientists.

EDITED TO ADD (1/30): There's REAL-ID news this week. Maine became the first state to reject REAL-ID. This means that a Maine state drivers license will not be recognized as a valid for federal purposes, although I'm sure the Feds will back down over this. And other states will follow:

"As Maine goes, so goes the nation," said Charlie Mitchell, director of the ACLU State Legislative Department. "Already bills have been filed in Montana, New Hampshire, New Mexico, Georgia and Washington, which would follow Maine's lead in saying no to Real ID, with many mores states on the verge of similar action. Across the nation, local lawmakers are rejecting the federal government's demand that they curtail their constituents' privacy through this giant unfunded boondoggle."

More info on REAL-ID here.

EDITED TO ADD (1/31): More information on Montana. My guess is that Montana will become the second state ro reject REAL-ID, and that New Mexico will be the third.

Posted on January 30, 2007 at 06:33 AM62 Comments


Iraqi Gunmen Dressing Up in American Military Uniforms

I've previously written about how official uniforms are inherent authentication tokens, even though they shouldn't be (see also this and this for some less deadly anecdotes).

Now we see this tactic being used in Baghdad:

The armored sport utility vehicles whisked into a government compound in the city of Karbala with speed and urgency, the way most Americans and foreign dignitaries travel along Iraq's treacherous roads these days.

Iraqi guards at checkpoints waved them through Saturday afternoon because the men wore what appeared to be legitimate U.S. military uniforms and badges, and drove cars commonly used by foreigners, the provincial governor said.

Once inside, however, the men unleashed one of the deadliest and most brazen ambushes of U.S. forces in a secure, official area. Five American service members were killed in a hail of grenades and gunfire in a breach of security that Iraqi officials called unprecedented.

Uniforms are no substitute for real authentication. They're just too easy to steal or forge.

Posted on January 29, 2007 at 01:37 PM42 Comments


Islam on Trial

"Prophetic Justice," by Amy Waldman (The Atlantic Monthly, Oct 2006) is a fascinating article about terrorism trials in the U.S. where the prosecution attempts to prove that the defendant was planning on committing an act of terrorism. Very often, the trials hinge on different interpretations of Islam, Islamic scripture, and Islamic belief -- and often we are essentially putting the religion on trial.

Reading it, I was struck with the eliminationist rhetoric coming out of the Christian Right in the U.S. today, and how it would fare under the same level of scrutiny.

It's a long article, but well worth reading. There are many problems with prosecuting people for thoughtcrimes, and the article discusses some of them.

Posted on January 29, 2007 at 06:55 AM116 Comments


Friday Squid Blogging: "Squid-Inspired Design"

From the University of Colorado: "Squid-inspired design could mean better handling of underwater vehicles":

Inspired by the sleek and efficient propulsion of squid, jellyfish and other cephalopods, a University of Colorado at Boulder researcher has designed a new generation of compact vortex generators that could make it easier for scientists to maneuver and dock underwater vehicles at low speeds and with greater precision.

Another article here.

Posted on January 26, 2007 at 04:28 PM9 Comments


Blu-Ray Cracked

The Blu-ray DRM system has been broken, although details are scant. It's the same person who broke the HD DVD system last month. (Both use AACS.)

As I've written previously, both of these systems are supposed to be designed in such a way as to recover from hacks like this. We're going to find out of the recovery feature works.

Blu-ray and HD DVD both allow for decryption keys to be updated in reaction to attacks, for example by making it impossible to play high-definition movies via playback software known to be weak or flawed. So muslix64 work has effectively sparked off a cat-and-mouse game between hackers and the entertainment industry, where consumers are likely to face compatibility problems while footing the bill for the entertainment industry's insistence on pushing ultimately flawed DRM technology on an unwilling public.

EDITED TO ADD (1/29): You should read this seven part series on the topic.

Posted on January 26, 2007 at 12:47 PM26 Comments


Powered by Movable Type 3.2. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.

Weblog Menu

Search

Recent Entries

Comments

Archives

Syndication RSS 1.0 (full text)
RSS 2.0 (excerpts) Crypto-Gram Newsletter If you prefer to receive Bruce Schneier's comments on security as a monthly e-mail digest, subscribe to Schneier on Security's sister publication, Crypto-Gram.
read more Books