Friday, February 15, 2013

This is beyond everyone's attantion span, but you would find every bit of it interesting.

On Thu, Feb 14, 2013 at 10:06 PM, Bruce Schneier <> wrote:

          February 15, 2013

         by Bruce Schneier
   Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
     Power and the Internet
     Who Does Skype Let Spy?
     Our New Regimes of Trust
     TSA Removing Rapiscan Full-Body Scanners from U.S. Airports
     Dangerous Security Theater: Scrambling Fighter Jets
     Massive Police Shootout in Cleveland Despite Lack of Criminals
     "New York Times" Hacked by China
     Schneier News
     Jared Diamond on Common Risks
     Man-in-the-Middle Attacks Against Browser Encryption
     "People, Process, and Technology"

** *** ***** ******* *********** *************

     Power and the Internet

All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that's only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken up to the fact that not only can they use the Internet, they can control it for their interests. Unless we start deliberately debating the future we want to live in, and the role of information technology in enabling that world, we will end up with an Internet that benefits existing power structures and not society in general.

We've all lived through the Internet's disruptive history. Entire industries, like travel agencies and video rental stores, disappeared. Traditional publishing -- books, newspapers, encyclopedias, music -- lost power, while Amazon and others gained. Advertising-based companies like Google and Facebook gained a lot of power. Microsoft lost power (as hard as that is to believe).

The Internet changed political power as well. Some governments lost power as citizens organized online. Political movements became easier, helping to topple governments. The Obama campaign made revolutionary use of the Internet, both in 2008 and 2012.

And the Internet changed social power, as we collected hundreds of "friends" on Facebook, tweeted our way to fame, and found communities for the most obscure hobbies and interests. And some crimes became easier: impersonation fraud became identity theft, copyright violation became file sharing, and accessing censored materials -- political, sexual, cultural -- became trivially easy.

Now powerful interests are looking to deliberately steer this influence to their advantage. Some corporations are creating Internet environments that maximize their profitability: Facebook and Google, among many others. Some industries are lobbying for laws that make their particular business models more profitable: telecom carriers want to be able to discriminate between different types of Internet traffic, entertainment companies want to crack down on file sharing, advertisers want unfettered access to data about our habits and preferences.

On the government side, more countries censor the Internet -- and do so more effectively -- than ever before. Police forces around the world are using Internet data for surveillance, with less judicial oversight and sometimes in advance of any crime. Militaries are fomenting a cyberwar arms race. Internet surveillance -- both governmental and commercial -- is on the rise, not just in totalitarian states but in Western democracies as well. Both companies and governments rely more on propaganda to create false impressions of public opinion.

In 1996, cyber-libertarian John Perry Barlow issued his "Declaration of the Independence of Cyberspace." He told governments: "You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear." It was a utopian ideal, and many of us believed him. We believed that the Internet generation, those quick to embrace the social changes this new technology brought, would swiftly outmaneuver the more ponderous institutions of the previous era.

Reality turned out to be much more complicated. What we forgot is that technology magnifies power in both directions. When the powerless found the Internet, suddenly they had power. But while the unorganized and nimble were the first to make use of the new technologies, eventually the powerful behemoths woke up to the potential -- and they have more power to magnify. And not only does the Internet change power balances, but the powerful can also change the Internet. Does anyone else remember how incompetent the FBI was at investigating Internet crimes in the early 1990s? Or how Internet users ran rings around China's censors and Middle Eastern secret police? Or how digital cash was going to make government currencies obsolete, and Internet organizing was going to make political parties obsolete? Now all that feels like ancient history.

It's not all one-sided. The masses can occasionally organize around a specific issue -- SOPA/PIPA, the Arab Spring, and so on -- and can block some actions by the powerful. But it doesn't last. The unorganized go back to being unorganized, and powerful interests take back the reins.

Debates over the future of the Internet are morally and politically complex. How do we balance personal privacy against what law enforcement needs to prevent copyright violations? Or child pornography? Is it acceptable to be judged by invisible computer algorithms when being served search results? When being served news articles? When being selected for additional scrutiny by airport security? Do we have a right to correct data about us? To delete it? Do we want computer systems that forget things after some number of years? These are complicated issues that require meaningful debate, international cooperation, and iterative solutions. Does anyone believe we're up to the task?

We're not, and that's the worry. Because if we're not trying to understand how to shape the Internet so that its good effects outweigh the bad, powerful interests will do all the shaping. The Internet's design isn't fixed by natural laws. Its history is a fortuitous accident: an initial lack of commercial interests, governmental benign neglect, military requirements for survivability and resilience, and the natural inclination of computer engineers to build open systems that work simply and easily. This mix of forces that created yesterday's Internet will not be trusted to create tomorrow's. Battles over the future of the Internet are going on right now: in legislatures around the world, in international organizations like the International Telecommunications Union and the World Trade Organization, and in Internet standards bodies. The Internet is what we make it, and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.

This essay appeared as a response to Edge's annual question, "What *Should* We Be Worried About?"

** *** ***** ******* *********** *************

     Who Does Skype Let Spy?

Lately I've been thinking a lot about power and the Internet, and what I call the feudal model of IT security that is becoming more and more pervasive.  Basically, between cloud services and locked-down end-user devices, we have less control and visibility over our security -- and have no point but to trust those in power to keep us safe.

The effects of this model were in the news last week, when privacy activists pleaded with Skype to tell them who is spying on Skype calls.

    "Many of its users rely on Skype for secure communications --
    whether they are activists operating in countries governed by
    authoritarian regimes, journalists communicating with sensitive
    sources, or users who wish to talk privately in confidence with
    business associates, family, or friends," the letter explains.

    Among the group's concerns is that although Skype was founded in
    Europe, its acquisition by a US-based company -- Microsoft -- may
    mean it is now subject to different eavesdropping and
    data-disclosure requirements than it was before.

    The group claims that both Microsoft and Skype have refused to
    answer questions about what kinds of user data the service
    retains, whether it discloses such data to governments, and
    whether Skype conversations can be intercepted.

    The letter calls upon Microsoft to publish a regular Transparency
    Report outlining what kind of data Skype collects, what third
    parties might be able to intercept or retain, and how Skype
    interprets its responsibilities under the laws that pertain to it.
    In addition it asks for quantitative data about when, why, and how
    Skype shares data with third parties, including governments.

That's security in today's world.  We have no choice but to trust Microsoft.  Microsoft has reasons to be trustworthy, but they also have reasons to betray our trust in favor of other interests.  And all we can do is ask them nicely to tell us first. or

Feudal security:

** *** ***** ******* *********** *************

     Our New Regimes of Trust

Society runs on trust. Over the millennia, we've developed a variety of mechanisms to induce trustworthy behavior in society. These range from a sense of guilt when we cheat, to societal disapproval when we lie, to laws that arrest fraudsters, to door locks and burglar alarms that keep thieves out of our homes. They're complicated and interrelated, but they tend to keep society humming along.

The information age is transforming our society. We're shifting from evolved social systems to deliberately created socio-technical systems. Instead of having conversations in offices, we use Facebook. Instead of meeting friends, we IM. We shop online. We let various companies and governments collect comprehensive dossiers on our movements, our friendships, and our interests. We let others censor what we see and read. I could go on for pages.

None of this is news to anyone. But what's important, and much harder to predict, are the social changes resulting from these technological changes. With the rapid proliferation of computers -- both fixed and mobile -- computing devices and in-the-cloud processing, new ways of socialization have emerged. Facebook friends are fundamentally different than in-person friends. IM conversations are fundamentally different than voice conversations. Twitter has no pre-Internet analog. More social changes are coming. These social changes affect trust, and trust affects everything.

This isn't just academic. There has always been a balance in society between the honest and the dishonest, and technology continually upsets that balance. Online banking results in new types of cyberfraud. Facebook posts become evidence in employment and legal disputes. Cell phone location tracking can be used to round up political dissidents. Random blogs and websites become trusted sources, abetting propaganda. Crime has changed: easier impersonation, action at a greater distance, automation, and so on. The more our nation's infrastructure relies on cyberspace, the more vulnerable we are to cyberattack.

Think of this as a "security gap": the time lag between when the bad guys figure out how to exploit a new technology and when the good guys figure out how to restore society's balance.

Critically, the security gap is larger when there's more technology, and especially in times of rapid technological change. More importantly, it's larger in times of rapid social change due to the increased use of technology. This is our world today. We don't know *how* the proliferation of networked, mobile devices will affect the systems we have in place to enable trust, but we do know it *will* affect them.

Trust is as old as our species. It's something we do naturally, and informally. We don't trust doctors because we've vetted their credentials, but because they sound learned. We don't trust politicians because we've analyzed their positions, but because we generally agree with their political philosophy -- or the buzzwords they use. We trust many things because our friends trust them. It's the same with corporations, government organizations, strangers on the street: this thing that's critical to society's smooth functioning occurs largely through intuition and relationship. Unfortunately, these traditional and low-tech mechanisms are increasingly failing us. Understanding how trust is being, and will be, affected -- probably not by predicting, but rather by recognizing effects as quickly as possible -- and then deliberately creating mechanisms to induce trustworthiness and enable trust, is the only thing that will enable society to adapt.

If there's anything I've learned in all my years working at the intersection of security and technology, it's that technology is rarely more than a small piece of the solution. People are always the issue and we need to think as broadly as possible about solutions. So while laws are important, they don't work in isolation. Much of our security comes from the informal mechanisms we've evolved over the millennia: systems of morals and reputation.

There will exist new regimes of trust in the information age. They simply must evolve, or society will suffer unpredictably. We have already begun fleshing out such regimes, albeit in an ad hoc manner. It's time for us to deliberately think about how trust works in the information age, and use legal, social, and technological tools to enable this trust. We might get it right by accident, but it'll be a long and ugly iterative process getting there if we do.

This essay was originally published in "The SciTech Lawyer," Winter/Spring 2013.

** *** ***** ******* *********** *************


There's a fascinating story about a probable tournament chess cheat.  No one knows how he does it; there's only the facts that 1) historically he's not nearly as good as his recent record, and 2) his moves correlate almost perfectly with one of best computer chess programs.  The general question is how valid statistical evidence is when there is no other corroborating evidence.
It reminds me of this story of a marathon runner who arguably has figured out how to cheat undetectably.

Good essay on FBI-mandated back doors by Matt Blaze and Susan Landau.

This essay about obscurity is worth reading: or

Google is working on non-password authentication techniques. or

Ever since the launch of Kim Dotcom's file-sharing service, I have been asked about the unorthodox encryption and security system.  I have not reviewed it, and don't have an opinion.  All I know is what I read. or or or or or

Identifying people from their DNA. or

Identifying people from their writing style is called stylometry, and it's based on the analysis of things like word choice, sentence structure, syntax, and punctuation.  In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample. or or

Janesville, Wisconsin, has published information about repeated drunk driving offenders since 2010.  The idea is that the public shame will reduce future incidents. or

Violence as a contagious disease.
I am reminded of this paper on the effects of bystanders on escalating and de-escalating potentially violent situations.

I have written about complexity and security for over a decade now. (For example, from 1999.)  Here's the results of a survey that confirms this. or
Usual caveats for this sort of thing apply.  The survey is only among 127 people -- I can't find data on what percentage replied.  The numbers are skewed because only those that chose to reply were counted.  And the results are based on self-reported replies: no way to verify them.  But still.

Backdoors built in to Barracuda Networks equipment: or or
Don't we know enough not to do this anymore?

Dan Farmer has an interesting paper discussing the Baseboard Management Controller on server motherboards. Basically, it's a perfect spying platform.  You can't control it.  You can't patch it.  It can completely control your computer's hardware and software.  And its *purpose* is remote monitoring.  At the very least, we need to be able to look into these devices and see what's running on them.  I'm amazed we haven't seen any talk about this before now.

Pentagon staffs Up U.S. Cyber Command from 900 to 4900.  This is a big deal: more stoking of cyber fears, another step toward the militarization of cyberspace, and another ratchet in the cyberwar arms race. or
Stoking cyber fears:
Cyberwar arms race:
Glenn Greenwald has a good essay on this. or

Using imagery to avoid censorship. or

I don't see a lot written about security seals, despite how common they are.  This article is a very basic overview of the technologies.

I just printed this out:  "Proactive Defense for Evolving Cyber Threats," a Sandia Report by Richard Colbaugh and Kristin Glass.  It's a collection of academic papers, and it looks interesting.

Clothing designed to thwart drones. or

Why is quantum computing so hard?  Blog post (and two papers) by Ross Anderson and Robert Brady.  Note that I do not have the physics to evaluate these claims. or or

Google's contest at the CanSecWest conference offers over $3M in prizes for Chrome hacks: or

Basically, Tide detergent is a popular product with a very small profit margin.  So small non-chain grocery and convenience stores are happy to buy it cheaply, no questions asked.  This makes it easy to sell if you steal it.  And drug dealers have started taking it as currency, large bottles being worth about $5.
Snopes rates this as undetermined:

A first-person account of the security surrounding the second inauguration of President Obama.  Read it more for the details than for the author's reaction to them.

This long report looks at risky online behavior among the Millennial generation, and finds that they respond positively to automatic reminders and prodding.  No surprise, really. or

Interesting article about the difficulty Google has pushing security updates onto Android phones.  The problem is that the phone manufacturer is in charge, and there are a lot of different phone manufacturers of varying ability and interest. or

This is an extremely clever man-in-the-middle timing attack against TLS that exploits the interaction between how the protocol implements AES in CBC mode for encryption, and HMAC-SHA1 for authentication.  (And this is a really good plain-language description of it.) or

There's not a lot of information -- and quite a lot of hyperbole -- in this article about a new al Qaeda encryption tool. or

There's a real Prisoner's Dilemma going on in France right now.  A pair of identical twins who are suspected in a crime.  There is there is CCTV and DNA evidence that could implicate either suspect.  Detailed DNA testing that could resolve the guilty twin is prohibitively expensive. So both have been arrested in the hope that one may confess or implicate the other.

Long article on anti-cheating security in casinos:

Usability engineer Bruce Tognazzini talks about how an iWatch -- which seems to be either a mythical Apple product or one actually in development -- can make authentication easier.

Guessing smart-phone PINs by monitoring the accelerometer.

This keynote speech by Jacob Appelbaum from last December's 29C3 (29th Chaos Communication Congress) is worth listening to.  He talks about what we can do in the face of oppressive power on the Internet.  I'm not sure his answers are right, but am glad to hear someone talking about the real problems.

There has been an enormous amount written about the suicide of Aaron Swartz.  This is primarily a collection of links, starting with those that use his death to talk about the broader issues at play. or or or or or or
Here are obituaries. or or
Here are articles and essays, mostly about the prosecutor's statement after the death and the problems with plea bargaining in general. or or or or
Representative Zoe Lofgren is introducing a bill to prevent this from happening again. or or
More links: or or

** *** ***** ******* *********** *************

     TSA Removing Rapiscan Full-Body Scanners from U.S. Airports

This is big news:

    The U.S. Transportation Security Administration will remove
    airport body scanners that privacy advocates likened to strip
    searches after OSI Systems Inc. (OSIS) couldn't write software to
    make passenger images less revealing.

This doesn't mean the end of full-body scanning.  There are two categories of these devices: backscatter X-ray and millimeter wave.

    The government said Friday it is abandoning its deployment of
    so-called backscatter technology machines produced by Rapiscan
    because the company could not meet deadlines to switch to generic
    imaging with so-called Automated Target Recognition software, the
    TSA said. Instead, the TSA will continue to use and deploy more
    millimeter wave technology scanners produced by L-3
    Communications,which has adopted the generic-outline standard.


    Rapiscan had a contract to produce 500 machines for the TSA at a
    cost of about $180,000 each. The company could be fined and barred
    from participating in government contracts, or employees could
    face prison terms if it is found to have defrauded the government.
    In all, the 250 Rapiscan machines already deployed are to be
    phased out of airports nationwide and will be replaced with
    machines produced by L-3 Communications.

And there are still backscatter X-ray machines being deployed, but I don't think there are very many of them.

    TSA has contracted with L-3, Smiths Group Plc (SMIN) and American
    Science & Engineering Inc. (ASEI) for new body-image scanners, all
    of which must have privacy software. L-3 and Smiths used
    millimeter-wave technology. American Science uses backscatter.

This is a big win for privacy.  But, more importantly, it's a big win because the TSA is actually taking privacy seriously.  Yes, Congress ordered them to do so.   But they didn't defy Congress; they did it. The machines will be gone by June. or or

** *** ***** ******* *********** *************

     Dangerous Security Theater: Scrambling Fighter Jets

This story exemplifies everything that's wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities.

Typical overreaction, but in this case -- as in several others over the past decade -- F-15 fighter jets were scrambled to escort the airplane to the ground.  *Very* expensive, and potentially catastrophically fatal.

This blog post makes the point well:

    What bothers me about this is not so much that they interrogated
    the wrong person -- that happens all the time, not that it's okay
    -- but rather the fighter jets. I think most people probably
    understand this, but just to make it totally clear, if they send
    up fighters that is not because they are bringing the first-class
    passengers some more of those little hot towels. It is so they can
    be ready to SHOOT YOU DOWN if necessary. Now, I realize the odds
    that would ever happen, even accidentally, are very tiny. I still
    question whether it's wise to put fighters next to a passenger
    plane at the drop of a hat, or in this case because of an
    anonymous tip about a sleeping passenger.


    According to the Seattle Times report, though, interceptions like
    this are apparently much more common than I thought. Citing a
    NORAD spokesman, it says this has happened "thousands of times"
    since 9/11. In this press release NORAD says there have been "over
    fifteen hundred" since 9/11, most apparently involving planes that
    violated "temporary flight restriction" areas. Either way, while
    this is a small percentage of all flights, of course, it still
    seems like one hell of a lot of interceptions -- especially since
    in every single case, it has been unnecessary, and is (as NORAD
    admits) "at great expense to the taxpayer." or

Blog post: or

** *** ***** ******* *********** *************

     Massive Police Shootout in Cleveland Despite Lack of Criminals

This is an amazing story.  I urge you to read the whole thing, but here's the basics:

    A November car chase ended in a "full blown-out" firefight, with
    glass and bullets flying, according to Cleveland police officers
    who described for investigators t

No comments:

Post a Comment