Text 23873, 1159 lines
Written 2006-10-15 15:51:16 by Sean Dennis (1:18/200.0)
Subject: Cybersecurity and other computer security risks
=======================================================
Hello, All.
Since we like to chew on all things political, I'm posting a monthly digest I
get called Crypto-Gram by one of the foremost computer security experts in the
field, Bruce Schneier. This is a LONG (over 1200 lines) post, so I apologize
in advance for this if it breaks readers.
However, it contains lots of good information that I'm sure all of you will
find a position on and even some rather frightening things occurring in the name
of security. It's an excellent read.
If this bothers anyone with its length, I won't post it in here again. I just
wanted to try it to see if anyone else found this interesting.
===Cut===
CRYPTO-GRAM
October 15, 2006
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.schneier.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0610.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Screening People with Clearances
Did Hezbollah Crack Israeli Secure Radio?
Renew Your Passport Now!
Faulty Data and the Arar Case
Crypto-Gram Reprints
Expensive Cameras in Checked Luggage
Facebook and Data Control
Indexes to NSA Publications Declassified and Online
News
Pupillometer
On-Card Displays
Screaming Cell Phones
Counterpane News
FairUse4WM News
Voting Software and Secrecy
Torture Bill as C Code
The Doghouse: SecureRF
Bureau of Industry and Security Hacked
University Networks and Data Security
Comments from Readers
** *** ***** ******* *********** *************
Screening People with Clearances
Why should we waste time at airport security, screening people with U.S.
government security clearances? This perfectly reasonable question was
asked recently by Robert Poole, director of transportation studies at
The Reason Foundation, as he and I were interviewed by WOSU Radio in Ohio.
Poole argued that people with government security clearances, people who
are entrusted with U.S. national security secrets, are trusted enough to
be allowed through airport security with only a cursory screening.
They've already gone through background checks, he said, and it would be
more efficient to concentrate screening resources on everyone else.
To someone not steeped in security, it makes perfect sense. But it's a
terrible idea, and understanding why teaches us some important security
lessons.
The first lesson is that security is a system. Identifying someone's
security clearance is a complicated process. People with clearances
don't have special ID cards, and they can't just walk into any secured
facility. A clearance is held by a particular organization -- usually
the organization the person works for -- and is transferred by a
classified message to other organizations when that person travels on
official business.
Airport security checkpoints are not set up to receive these clearance
messages, so some other system would have to be developed.
Of course, it makes no sense for the cleared person to have his office
send a message to every airport he's visiting, at the time of travel.
Far easier is to have a centralized database of people who are cleared.
But now you have to build this database. And secure it. And ensure that
it's kept up to date.
Or maybe we can create a new type of ID card: one that identifies people
with security clearances. But that also requires a backend database and
a card that can't be forged. And clearances can be revoked at any time,
so there needs to be some way of invalidating cards automatically and
remotely.
Whatever you do, you need to implement a new set of security procedures
at airport security checkpoints to deal with these people. The
procedures need to be good enough that people can't spoof it. Screeners
need to be trained. The system needs to be tested.
What starts out as a simple idea -- don't waste time searching people
with government security clearances -- rapidly becomes a complicated
security system with all sorts of new vulnerabilities.
The second lesson is that security is a trade-off. We don't have
infinite dollars to spend on security. We need to choose where to spend
our money, and we're best off if we spend it in ways that give us the
most security for our dollar.
Given that very few Americans have security clearances, and that
speeding them through security wouldn't make much of a difference to
anyone else standing in line, wouldn't it be smarter to spend the money
elsewhere? Even if you're just making trade-offs about airport security
checkpoints, I would rather take the hundreds of millions of dollars
this kind of system could cost and spend it on more security screeners
and better training for existing security screeners. We could both speed
up the lines and make them more effective.
The third lesson is that security decisions are often based on
subjective agenda. My guess is that Poole has a security clearance -- he
was a member of the Bush-Cheney transition team in 2000 -- and is
annoyed that he is being subjected to the same screening procedures as
the other (clearly less trusted) people he is forced to stand in line
with. From his perspective, not screening people like him is obvious.
But objectively it's not.
This issue is no different than searching airplane pilots, something
that regularly elicits howls of laughter among amateur security
watchers. What they don't realize is that the issue is not whether we
should trust pilots, airplane maintenance technicians or people with
clearances. The issue is whether we should trust people who are dressed
as pilots, wear airplane-maintenance-tech IDs or claim to have clearances.
We have two choices: Either build an infrastructure to verify their
claims, or assume that they're false. And with apologies to pilots,
maintenance techs and people with clearances, it's cheaper, easier and
more secure to search you all.
This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/1,71906-0.html
** *** ***** ******* *********** *************
Did Hezbollah Crack Israeli Secure Radio?
According to Newsday:
"Hezbollah guerrillas were able to hack into Israeli radio
communications during last month's battles in south Lebanon, an
intelligence breakthrough that helped them thwart Israeli tank assaults,
according to Hezbollah and Lebanese officials.
"Using technology most likely supplied by Iran, special Hezbollah teams
monitored the constantly changing radio frequencies of Israeli troops on
the ground. That gave guerrillas a picture of Israeli movements,
casualty reports and supply routes. It also allowed Hezbollah anti-tank
units to more effectively target advancing Israeli armor, according to
the officials."
Read the article. Basically, the problem is operational error:
"With frequency-hopping and encryption, most radio communications become
very difficult to hack. But troops in the battlefield sometimes make
mistakes in following secure radio procedures and can give an enemy a
way to break into the frequency-hopping patterns. That might have
happened during some battles between Israel and Hezbollah, according to
the Lebanese official. Hezbollah teams likely also had sophisticated
reconnaissance devices that could intercept radio signals even while
they were frequency-hopping."
I agree with The Register: "Claims that Hezbollah fighters were able to
use this intelligence to get some intelligence on troop movement and
supply routes are plausible, at least to the layman, but ought to be
treated with an appropriate degree of caution as they are substantially
corroborated by anonymous sources."
But I have even more skepticism. If indeed Hezbollah was able to do
this, the last thing they want is for it to appear in the press. But if
Hezbollah can't do this, then a few good disinformation stories are a
good thing.
http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story
or http://tinyurl.com/jncdk
http://www.theregister.co.uk/2006/09/20/hezbollah_cracks_israeli_radio/
** *** ***** ******* *********** *************
Renew Your Passport Now!
If you have a passport, now is the time to renew it -- even if it's not
set to expire anytime soon. If you don't have a passport and think you
might need one, now is the time to get it. In many countries, including
the United States, passports will soon be equipped with RFID chips. And
you don't want one of these chips in your passport.
RFID stands for "radio-frequency identification." Passports with RFID
chips store an electronic copy of the passport information: your name, a
digitized picture, etc. And in the future, the chip might store
fingerprints or digital visas from various countries.
By itself, this is no problem. But RFID chips don't have to be plugged
in to a reader to operate. Like the chips used for automatic toll
collection on roads or automatic fare collection on subways, these chips
operate via proximity. The risk to you is the possibility of
surreptitious access: Your passport information might be read without
your knowledge or consent by a government trying to track your
movements, a criminal trying to steal your identity or someone just
curious about your citizenship.
At first the State Department belittled those risks, but in response to
criticism from experts it has implemented some security features.
Passports will come with a shielded cover, making it much harder to read
the chip when the passport is closed. And there are now access-control
and encryption mechanisms, making it much harder for an unauthorized
reader to collect, understand and alter the data.
Although those measures help, they don't go far enough. The shielding
does no good when the passport is open. Travel abroad and you'll notice
how often you have to show your passport: at hotels, banks, Internet
cafes. Anyone intent on harvesting passport data could set up a reader
at one of those places. And although the State Department insists that
the chip can be read only by a reader that is inches away, the chips
have been read from many feet away.
The other security mechanisms are also vulnerable, and several security
researchers have already discovered flaws. One found that he could
identify individual chips via unique characteristics of the radio
transmissions. Another successfully cloned a chip. The State Department
called this a "meaningless stunt," pointing out that the researcher
could not read or change the data. But the researcher spent only two
weeks trying; the security of your passport has to be strong enough to
last 10 years.
This is perhaps the greatest risk. The security mechanisms on your
passport chip have to last the lifetime of your passport. It is as
ridiculous to think that passport security will remain secure for that
long as it would be to think that you won't see another security update
for Microsoft Windows in that time. Improvements in antenna technology
will certainly increase the distance at which they can be read and might
even allow unauthorized readers to penetrate the shielding.
Whatever happens, if you have a passport with an RFID chip, you're
stuck. Although popping your passport in the microwave will disable the
chip, the shielding will cause all kinds of sparking. And although the
United States has said that a nonworking chip will not invalidate a
passport, it is unclear if one with a deliberately damaged chip will be
honored.
The Colorado passport office is already issuing RFID passports, and the
State Department expects all U.S. passport offices to be doing so by the
end of the year. Many other countries are in the process of changing
over. So get a passport before it's too late. With your new passport you
can wait another 10 years for an RFID passport, when the technology will
be more mature, when we will have a better understanding of the security
risks and when there will be other technologies we can use to cut the
risks. You don't want to be a guinea pig on this one.
This op-ed originally appeared in the Washington Post.
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/15/AR2006091500923.html
Rebuttal:
http://www.mercurynews.com/mld/mercurynews/news/opinion/15637460.htm
My previous writings on RFID passports:
http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html
http://www.schneier.com/blog/archives/2004/10/rfid_passports.html
http://www.schneier.com/blog/archives/2005/04/rfid_passport_s.html
http://www.schneier.com/essay-060.html
http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html
** *** ***** ******* *********** *************
Faulty Data and the Arar Case
Maher Arar is a Syrian-born Canadian citizen. On September 26, 2002, he
tried to fly from Switzerland to Toronto. Changing planes in New York,
he was detained by the U.S. authorities, and eventually shipped to Syria
where he was tortured. He's 100% innocent.
The Canadian government has completed its "Commission of Inquiry into
the Actions of Canadian Officials in Relation to Maher Arar," the
results of which are public. From their press release: "On Maher Arar,
the Commissioner comes to one important conclusion: 'I am able to say
categorically that there is no evidence to indicate that Mr. Arar has
committed any offence or that his activities constitute a threat to the
security of Canada.'"
Certainly something that everyone who supports the U.S.'s right to
detain and torture people without having to demonstrate their guilt
should think about. But what's more interesting to readers of this blog
is the role that inaccurate data played in the deportation and
ultimately torture of an innocent man.
Privacy International summarizes the report. These are among their
bullet points:
"The RCMP provided the U.S. with an entire database of information
relating to a terrorism investigation (three CDs of information), in a
way that did not comply with RCMP policies that require screening for
relevance, reliability, and personal information. In fact, this action
was without precedent.
"The RCMP provided the U.S. with inaccurate information about Arar that
portrayed him in an unfairly negative fashion and overstated his
importance to a RCMP investigation. They included some 'erroneous notes.'
"While he was detained in the U.S., the RCMP provided information
regarding him to the U.S. Federal Bureau of Investigation (FBI), 'some
of which portrayed him in an inaccurate and unfair way.' The RCMP
provided inaccurate information to the U.S. authorities that tended to
link Arar to other terrorist suspects; and told the U.S. authorities
that Arar had previously refused to be interviewed, which was also
incorrect; and the RCMP also said that soon after refusing the interview
he suddenly left Canada for Tunisia. 'The statement about the refusal to
be interviewed had the potential to arouse suspicion, especially among
law enforcement officers, that Mr. Arar had something to hide.' The
RCMP's information to the U.S. authorities also placed Arar in the
vicinity of Washington DC on September 11, 2001 when he was instead in
California."
Judicial oversight is a security mechanism. It prevents the police from
incarcerating the wrong person. The point of habeas corpus is that the
police need to present their evidence in front of a neutral third party,
and not indefinitely detain or torture people just because they believe
they're guilty. We are all less secure if we water down these security
measures.
Background:
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-543297
or http://tinyurl.com/yl4s9y
Government report:
http://www.ararcommission.ca/eng/index.htm
http://www.ararcommission.ca/eng/ReleaseFinal_Sept18.pdf
Privacy International:
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-543296
or http://tinyurl.com/yfd6zb
Judicial oversight:
http://www.schneier.com/essay-045.html
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram-back.html>. These are a selection
of articles that appeared in this calendar month in other years.
Phishing:
http://www.schneier.com/crypto-gram-0510.html#1
Secure Flight Working Group Report:
http://www.schneier.com/crypto-gram-0510.html#10
Judge Roberts, Privacy, and the Future:
http://www.schneier.com/crypto-gram-0510.html#16
Keeping Network Outages Secret:
http://www.schneier.com/crypto-gram-0410.html#2
RFID Passports:
http://www.schneier.com/crypto-gram-0410.html#3
The Legacy of DES:
http://www.schneier.com/crypto-gram-0410.html#8
Wholesale Surveillance:
http://www.schneier.com/crypto-gram-0410.html#10
http://www.schneier.com/crypto-gram-0410.html#11
Academic Freedom and Security:
http://www.schneier.com/crypto-gram-0410.html#13
The Future of Surveillance:
http://www.schneier.com/crypto-gram-0310.html#1
National Strategy to Secure Cyberspace:
http://www.schneier.com./crypto-gram-0210.html#1
Cyberterrorism:
http://www.schneier.com/crypto-gram-0110.html#1
Dangers of Port 80
http://www.schneier.com/crypto-gram-0110.html#9
Semantic Attacks:
http://www.schneier.com/crypto-gram-0010.html#1
NSA on Security:
http://www.schneier.com/crypto-gram-0010.html#7
So, You Want to be a Cryptographer:
http://www.schneier.com/crypto-gram-9910.html#SoYouWanttobeaCryptographer
or http://tinyurl.com/8tk8t
Key Length and Security:
http://www.schneier.com/crypto-gram-9910.html#KeyLengthandSecurity
Steganography: Truths and Fictions:
http://www.schneier.com/crypto-gram-9810.html#steganography
Memo to the Amateur Cipher Designer:
http://www.schneier.com/crypto-gram-9810.html#cipherdesign
** *** ***** ******* *********** *************
Expensive Cameras in Checked Luggage
This is a blog post about the problems of being forced to check
expensive camera equipment on airplanes:
"Well, having lived in Kashmir for 12+ years I am well accustomed to
this type of security. We haven't been able to have hand carries since
1990. We also cannot have batteries in any of our equipment checked or
otherwise. At least we have been able to carry our laptops on and
recently been able to actually use them (with the batteries). But, if
things keep moving in this direction, and I'm sure it will, we need to
start thinking now about checking our cameras and computers and how to
do it safely. This is a very unpleasant idea. Two years ago I ordered a
Canon 20D and had it "hand carried" over to meet me in England by a
friend. My friend put it in their checked bag. The bag never showed up.
She did not have insurance, and all I got was $100 from British Airways for
the camera and $500 from American Express (buyer's protection); that was
it. So now it looks as if we are going to have to check our cameras and
our computers involuntarily. OK here are a few thoughts."
Pretty basic stuff, and we all know about the risks of putting expensive
stuff in your checked luggage.
The interesting part is one of the blog comments, about halfway down.
Another photographer wonders if the TSA rules for firearms could be
extended to camera equipment:
"Why not just have the TSA adopt the same check in rules for
photographic and video equipment as they do for firearms?
"All firearms must be in checked baggage, no carry on.
"All firearms must be transported in a locked, hard sided case using a
non-TSA approved lock. This is to prevent anyone from opening the case
after its been screened.
"After bringing the equipment to the airline counter and declaring and
showing the contents to the airline representative, you take it over to
the TSA screening area where it is checked by a screener, relocked in
front of you, your key or keys returned to you (if it's not a
combination lock) and put directly on the conveyor belt for loading onto
the plane.
"No markings, stickers or labels identifying what's inside are put on
the outside of the case or, if packed inside something else, the bag.
"Might this solve the problem? I've never lost a firearm when flying."
Then someone has the brilliant suggestion of putting a firearm in your
camera-equipment case:
"A 'weapon' is defined as a rifle, shotgun, pistol, airgun, and STARTER
PISTOL. Yes, starter pistols -- those little guns that fire blanks at
track and swim meets -- are considered weapons...and do NOT have to be
registered in any state in the United States.
"I have a starter pistol for all my cases. All I have to do upon
check-in is tell the airline ticket agent that I have a weapon to
declare...I'm given a little card to sign, the card is put in the case,
the case is given to a TSA official who takes my key and locks the case,
and gives my key back to me.
"That's the procedure. The case is extra-tracked...TSA does not want to
lose a weapons case. This reduces the chance of the case being lost to
virtually zero.
"It's a great way to travel with camera gear...I've been doing this
since Dec 2001 and have had no problems whatsoever."
I have to admit that I am impressed with this solution.
http://blogs.lexar.com/mattbrandon/2006/08/tighter_securit.html
** *** ***** ******* *********** *************
Facebook and Data Control
Earlier this month, the popular social networking site Facebook learned
a hard lesson in privacy. It introduced a new feature called "News
Feeds" that shows an aggregation of everything members do on the site:
added and deleted friends, a change in relationship status, a new
favorite song, a new interest, etc. Instead of a member's friends
having to go to his page to view any changes, these changes are all
presented to them automatically.
The outrage was enormous. One group, Students Against Facebook News
Feeds, amassed over 700,000 members. Members planned to protest at the
company's headquarters. Facebook's founder was completely stunned, and
the company scrambled to add some privacy options.
Welcome to the complicated and confusing world of privacy in the
information age. Facebook didn't think there would be any problem; all
it did was take available data and aggregate it in a novel way for what
it perceived was its customers' benefit. Facebook members instinctively
understood that making this information easier to display was an
enormous difference, and that privacy is more about control than about
secrecy.
But on the other hand, Facebook members are just fooling themselves if
they think they can control information they give to third parties.
Privacy used to be about secrecy. Someone defending himself in court
against the charge of revealing someone else's personal information
could use as a defense the fact that it was not secret. But clearly,
privacy is more complicated than that. Just because you tell your
insurance company something doesn't mean you don't feel violated when
that information is sold to a data broker. Just because you tell your
friend a secret doesn't mean you're happy when he tells others. Same
with your employer, your bank, or any company you do business with.
But as the Facebook example illustrates, privacy is much more complex.
It's about who you choose to disclose information to, how, and for what
purpose. And the key word there is "choose." People are willing to
share all sorts of information, as long as they are in control.
When Facebook unilaterally changed the rules about how personal
information was revealed, it reminded people that they weren't in
control. Its eight million members put their personal information on
the site based on a set of rules about how that information would be
used. It's no wonder those members -- high school and college kids who
traditionally don't care much about their own privacy -- felt violated
when Facebook changed the rules.
Unfortunately, Facebook can change the rules whenever it wants. Its
Privacy Policy is 2,800 words long, and ends with a notice that it can
change at any time. How many members ever read that policy, let alone
read it regularly and check for changes? Not that a Privacy Policy is
the same as a contract. Legally, Facebook owns all data members upload
to the site. It can sell the data to advertisers, marketers, and data
brokers. (Note: there is no evidence that Facebook does any of this.)
It can allow the police to search its databases upon request. It can
add new features that change who can access what personal data, and how.
But public perception is important. The lesson here for Facebook and
other companies -- for Google and MySpace and AOL and everyone else who
hosts our e-mails and webpages and chat sessions -- is that people
believe they own their data. Even though the user agreement might
technically give companies the right to sell the data, change the access
rules to that data, or otherwise own that data, we -- the users --
believe otherwise. And when we who are affected by those actions start
expressing our views -- watch out.
What Facebook should have done was add the feature as an option, and
allow members to opt in if they wanted to. Then, members who wanted to
share their information via News Feeds could do so, and everyone else
wouldn't have felt that they had no say in the matter. This is
definitely a gray area, and it's hard to know beforehand which changes
need to be implemented slowly and which won't matter. Facebook, and
others, need to talk to their members openly about new features.
Remember: members want control.
The lesson for Facebook members might be even more jarring: if they
think they have control over their data, they're only deluding
themselves. They can rebel against Facebook for changing the rules, but
the rules have changed, regardless of what the company does.
Whenever you put data on a computer, you lose some control over it. And
when you put it on the internet, you lose a lot of control over it.
News Feeds brought Facebook members face to face with the full
implications of putting their personal information on Facebook. It had
just been an accident of the user interface that it was difficult to
aggregate the data from multiple friends into a single place. And even
if Facebook eliminates News Feeds entirely, a third party could easily
write a program that does the same thing. Facebook could try to block
the program, but would lose that technical battle in the end.
We're all still wrestling with the privacy implications of the Internet,
but the balance has tipped in favor of more openness. Digital data is
just too easy to move, copy, aggregate, and display. Companies like
Facebook need to respect the social rules of their sites, to think
carefully about their default settings -- they have an enormous impact
on the privacy mores of the online world -- and to give users as much
control over their personal information as they can.
But we all need to remember that much of that control is illusory.
This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,71815-0.html
http://www.danah.org/papers/FacebookAndPrivacy.html
http://www.motherjones.com/interview/2006/09/facebook.html
http://www.nytimes.com/2006/09/10/fashion/10FACE.html?ei=5090&en=ccb86e3d53ca671f&ex=1315540800&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1160759797-MRZvPT2RgJLviJ0Z11NuRQ
or http://tinyurl.com/ycwl6o
http://berkeley.facebook.com/group.php?gid=2208288769
http://blog.facebook.com/blog.php?post=2208197130
http://blog.facebook.com/blog.php?post=2208562130
http://mashable.com/2006/08/25/facebook-profile
Facebook privacy policy:
http://www.facebook.com/policy.php
** *** ***** ******* *********** *************
Indexes to NSA Publications Declassified and Online
In May 2003, Michael Ravnitzky submitted a Freedom of Information Act
(FOIA) request to the National Security Agency for a copy of the index
to their historical reports at the Center for Cryptologic History and
the index to certain journals: the NSA Technical Journal and the
Cryptographic Quarterly. These journals had been mentioned in the
literature but are not available to the public. Because he thought NSA
might be reluctant to release the bibliographic indexes, he also asked
for the table of contents to each issue.
The request took more than three years for them to process and
declassify -- sadly, not atypical -- and during the process they asked
if he would accept the indexes in lieu of the tables of contents pages:
specifically, the cumulative indices that included all the previous
material in the earlier indices. He agreed, and got them last month.
The results are online.
This is just a sampling of some of the article titles from the NSA
Technical Journal: "The Arithmetic of a Generation Principle for an
Electronic Key Generator" - "CATNIP: Computer Analysis - Target Networks
Intercept Probability" - "Chatter Patterns: A Last Resort" - "COMINT
Satellites - A Space Problem" - "Computers and Advanced Weapons Systems"
- "Coupon Collecting and Cryptology" - "Cranks, Nuts, and Screwballs" -
"A Cryptologic Fairy Tale" - "Don't Be Too Smart" - "Earliest
Applications of the Computer at NSA" - "Emergency Destruction of
Documents" - "Extraterrestrial Intelligence" - "The Fallacy of the
One-Time-Pad Excuse" - "GEE WHIZZER" - "The Gweeks Had a Gwoup for It" -
"How to Visualize a Matrix" - "Key to the Extraterrestrial Messages" -
"A Mechanical Treatment of Fibonacci Sequences" - "Q.E.D.- 2 Hours, 41
Minutes" - "SIGINT Implications of Military Oceanography" - "Some
Problems and Techniques in Bookbreaking" - "Upgrading Selected US Codes
and Ciphers with a Cover and Deception Capability" - "Weather: Its Role
in Communications Intelligence" - "Worldwide Language Problems at NSA"
In the materials the NSA provided, they also included indices to two
other publications: Cryptologic Spectrum and Cryptologic Almanac.
The indices to Cryptologic Quarterly and NSA Technical Journal have
indices by title, author, and keyword. The index to Cryptologic Spectrum
has indices by author, title, and issue.
Consider these bibliographic tools as stepping stones. If you want an
article, send a FOIA request for it. Send a FOIA request for a dozen.
There's a lot of stuff here that would help elucidate the early history
of the agency and some interesting cryptographic topics.
Thanks, Mike, for doing this work.
http://www.thememoryhole.org/nsa/bibs.htm
** *** ***** ******* *********** *************
News
More on the HP spying scandal:
http://www.schneier.com/blog/archives/2006/09/more_on_the_hp.html
Cybercrime is moving up in the criminal food chain: more organized crime
syndicates are getting involved:
http://www.wired.com/news/wireservice/0,71793-0.html
I've been saying this sort of thing for years, and have long complained
that cyberterrorism gets all the press, while cybercrime is the real
threat. I don't think this article is fear and hype; it's a real problem.
You can program an ATM to believe that $20 bills are $5 bills, and then
withdraw four times the money you're entitled to. It's surprisingly
easy, actually.
http://www.schneier.com/blog/archives/2006/09/programming_atm.html
People applying for a U.S. visa have to answer this question: "Have you
ever been arrested or convicted for any offense or crime, even though
subject of a pardon, amnesty or other similar legal action? Have you
ever unlawfully distributed or sold a controlled substance (drug), or
been a prostitute or procurer for prostitutes?"
And this question: "Did you seek to enter the United States to engage
in export control violations, subversive or terrorist activities, or any
other unlawful purpose? Are you a member or representative of a
terrorist organization as currently designated by the U.S. Secretary of
State? Have you ever participated in persecutions directed by the Nazi
government of Germany; or have you ever participated in genocide?"
http://www.schneier.com/blog/archives/2006/09/us_visa_applica.html
Germans are spying on British trash. You just can't make this stuff up:
http://www.thisislondon.co.uk/news/article-23364736-details/Spy+in+your+wheelie+bin/article.do
or http://tinyurl.com/f9fx4
An anonymous note in the Harvard Law Review argues that there is a
significant benefit from Internet attacks:
http://www.harvardlawreview.org/issues/119/june06/note/immunizing_the_internet.pdf
or http://tinyurl.com/e7pkf
You can open a car door in only 3,129 button presses. On the average,
it should take half that. (Article is from 2004.)
http://everything2.com/index.pl?node_id=1520430
Torpark is a free anonymous web browser. It's based on a portable
version of Firefox, runs on a USB drive so it leaves no traces on the
PC, and uses the TOR network for anonymous web browsing.
http://www.darkreading.com/document.asp?doc_id=104381
http://www.torrify.com/
http://www.boingboing.net/2006/09/19/torpark_is_out_offer.html
Funny future history: "19 Year Old Diebold Technician Wins U.S. Presidency."
http://www.avantnews.com/modules/news/article.php?storyid=281
Steganographic squid can hide messages in their skin:
http://www.sciencedaily.com/releases/2006/09/060920191616.htm
The Onion on TSA's liquid ban:
http://www.theonion.com/content/node/53536?utm_source=onion_rss_daily
Clever new voting protocol from Ron Rivest:
http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf
or http://tinyurl.com/hrjmq
Interesting story on the risks of dying without telling anyone your
computer passwords.
http://news.com.com/Taking+passwords+to+the+grave/2100-1025_3-6118314.html
or http://tinyurl.com/gfdzh
Scary airplane security false alarm. This is what vigilantism looks like:
http://www.schneier.com/blog/archives/2006/10/this_is_what_vi.html
Hoax flaw in Firefox JavaScript:
http://www.schneier.com/blog/archives/2006/10/firefox_javascr.html
This is a really interesting post about someone finding SQL injection
vulnerabilities with Google. His result is that 11.3% of websites are
vulnerable to this attack.
http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx
or http://tinyurl.com/lw98p
"PhishTank is a collaborative clearing house for data and information
about phishing on the Internet. Also, PhishTank provides an open API for
developers and researchers to integrate anti-phishing data into their
applications at no charge."
http://www.phishtank.com
60 Minutes got a copy of the TSA no-fly list. The errors and problems
are enormous.
http://rawstory.com/showoutarticle.php?src=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2006%2F10%2F05%2F60minutes%2Fmain2066624.shtml
or http://tinyurl.com/ymc6ov
The DHS is funding the development of software that monitors opinions in
newspapers world-wide. One can easily imagine the chilling effect this
would have on worldwide freedom of the press.
http://www.schneier.com/blog/archives/2006/10/opinion_monitor.html
You can use Google's new code search feature to find usernames and
passwords, confidential code, buffer overflows, and all sorts of other
things.
http://www.kottke.org/06/10/google-code-search
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003938&source=NLT_SEC&nlid=38
or http://tinyurl.com/zg5ae
http://monkey.org/~jose/blog/viewpage.php?page=google_code_search_stats
Airport security confiscated a rock.
http://www.courant.com/news/opinion/op_ed/hc-thorson1005.artoct05,0,777555.column?coll=hc-headlines-oped
or http://tinyurl.com/zkz43
They already take away scissors. Can paper be far behind?
Continued terrorist paranoia causes yet another ridiculous story, as a
HAZMAT team is called in to deal with Jell-O by the side of the road.
http://news.bbc.co.uk/1/hi/world/europe/6035821.stm
In an effort to deal with the problem of imposters in fake uniforms,
Iraqi policemen now have a new, harder-to-counterfeit uniform. I'm sure
it will help, but I don't see what kind of difference it will make to a
normal citizen faced with someone in a police uniform breaking down his
door at night. Or when gunmen dressed in police uniforms execute the
brother of Iraqi Vice President Tariq al-Hashimi.
http://english.aljazeera.net/NR/exeres/A1853C26-1620-4BE4-A819-4BF569B9394A.htm
or http://tinyurl.com/ykr4nl
http://www.swissinfo.org/eng/international/ticker/detail/Gunmen_kill_brother_of_Iraq_s_VP.html?siteSect=143&sid=7143598&cKey=1160413744000
or http://tinyurl.com/s97qp
Fukuyama on secrecy:
http://www.nytimes.com/2006/10/08/books/review/Fukuyama.t.html?_r=1&8bu&emc=bu&oref=slogin
or http://tinyurl.com/y52t5m
Nice essay on the idiocy of the "ticking time bomb" theory of torture:
http://balkin.blogspot.com/2006/10/torture-and-ticking-time-bomb.html
See also:
http://fafblog.blogspot.com/2005/03/would-you-could-you-in-box-theres-bomb.html
or http://tinyurl.com/ybsnzf
How's this for a dumb idea? Tagging all passengers at airports.
http://news.bbc.co.uk/1/hi/technology/6044310.stm
http://www.theregister.co.uk/2006/10/12/airport_rfid/
The Rand Corporation published A Million Random Digits with 100,000
Normal Deviates back in 1955, when generating random numbers was hard.
I have a copy of the original book; it's one of my library's prize
possessions. I had no idea that the book was reprinted in 2002; it's
available on Amazon. But even if you don't buy it, go to the Amazon page
and read the user reviews. They're hysterical.
http://www.amazon.com/Million-Random-Digits-Normal-Deviates/dp/0833030477/sr=8-1/qid=1160657548/ref=pd_bbs_1/102-7977781-1757709?ie=UTF8
http://www.schneier.com/blog/archives/2006/10/a_million_rando.html
** *** ***** ******* *********** *************
Pupillometer
Does this EyeCheck device sound like anything other than snake oil:
"The device looks like binoculars, and in seconds it scans an
individual's pupils to detect a problem.
"'They'll be able to tell if they're on drugs, and what kind, whether
marijuana, cocaine, or alcohol. Or even in the case of a tractor trailer
driver, is he too tired to drive his rig?' said Ohio County Sheriff Tom
Burgoyne.
"The device can also detect abnormalities from chemical and biological
effects, as well as natural disasters."
The device is called a pupillometer, and -- according to the company
website -- "uses patented technologies to deliver reliable pupil
measurements in less than five minutes for the detection of drugs and
fatigue." And despite what the article implied, the device doesn't do
this at a distance.
I'm not impressed with the research, but this is not my area of expertise.
http://www.officer.com/article/article.jsp?id=32602&siteSection=1
http://www.mcjeyecheck.com/index.htm
http://www.mcjeyecheck.com/research.htm
** *** ***** ******* *********** *************
On-Card Displays
This is impressive: a display that works on a flexible credit card.
One of the major security problems with smart cards is that they don't
have their own I/O. That is, you have to trust whatever card
reader/writer you stick the card in to faithfully send what you type
into the card, and display whatever the card spits back out. Way back
in 1999, Adam Shostack and I wrote a paper about this general class of
security problem.
Think WYSIWTCS: What You See Is What The Card Says. That's what an
on-card display does.
No, it doesn't protect against tampering with the card. That's part of
a completely different set of threats.
http://www.cr80news.com/library/2006/09/16/on-card-displays-become-reality-making-cards-more-secure/
or http://tinyurl.com/r7e6y
http://www.schneier.com/paper-smart-card-threats.html
** *** ***** ******* *********** *************
Screaming Cell Phones
Wired has the story:
"Does it pay to scream if your cell phone is stolen? Synchronica, a
mobile device management company, thinks so. If you use the company's
Mobile Manager service and your handset is stolen, the company, once
contacted, will remotely lock down your phone, erase all its data and
trigger it to emit a blood-curdling scream to scare the bejesus out of
the thief."
The general category of this sort of security countermeasure is "benefit
denial." It's like those dye tags on expensive clothing; if you
shoplift the clothing and try to remove the tag, dye spills all over the
clothes and makes them unwearable. The effectiveness of this kind of
thing relies on the thief knowing that the security measure is there, or
is reasonably likely to be there. It's an effective shoplifting
deterrent; my guess is that it will be less effective against cell phone
thieves.
Remotely erasing data on stolen cell phones is a good idea regardless,
though. And since cell phones are far more often lost than stolen, how
about the phone calmly announcing that it is lost and it would like to
be returned to its owner?
http://blog.wired.com/gadgets/index.blog?entry_id=1558434
** *** ***** ******* *********** *************
Counterpane News
The Associated Press ran a profile about me.
http://apnews.excite.com/article/20060925/D8KBIJ480.html
Last month I gave a lecture on "The Future of Privacy" at the University
of Southern California. The audio is online.
http://uscpublicdiplomacy.org/index.php/events/events_detail/1925/
Schneier is speaking at the InfoSecurity Conference in Chicago on
October 20:
http://infosecurityconference.techtarget.com/
Schneier is speaking at RSA Europe in Nice, France on October 24:
http://2006.rsaconference.com/europe/
Schneier is speaking at Rendez-vous de la Securite de l'Information in
Montreal on October 30:
http://rsec-info.com/
Schneier is speaking at the ACLU Delaware Membership Conference in
Wilmington on November 10:
http://www.aclu-de.org/Paranoid%20Society%20Conference.htm
Schneier is speaking at the ACLU Rhode Island in Providence on November 16:
http://www.riaclu.org/events.html
Counterpane announced new data security solutions supporting IBM, SAP,
Oracle and MSSQL platforms to help customers defend against unauthorized
activity and improve compliance:
http://www.counterpane.com/pr-20061009.html
http://www.counterpane.com/pr-20061002.html
http://www.counterpane.com/pr-20060918.html
Current Counterpane job openings:
http://www.counterpane.com/jobs.html
** *** ***** ******* *********** *************
FairUse4WM News
A couple of weeks ago I wrote about the battle between Microsoft's DRM
system and FairUse4WM, which breaks it. The new news is that Microsoft
has patched its security against FairUse4WM 1.2 and filed a lawsuit
against the program's anonymous authors, and those same anonymous
authors have released FairUse4WM 1.3, which breaks the latest Microsoft
patch.
From Engadget: "We asked Viodentia about Redmond's accusation that he
and/or his associates broke into its systems in order to obtain the IP
necessary to crack PlaysForSure; Vio replied that he's 'utterly shocked'
by the charge. 'I didn't use any Microsoft source code. However, I
believe that this lawsuit is a fishing expedition to get identity
information, which can then be used to either bring more targeted
lawsuits, or to cause other trouble.' We're sure Microsoft would like
its partners and the public to think that its DRM is generally
infallible and could only be cracked by stealing its IP, so Viodentia's
conclusion about its legal tactics seems pretty fair, obvious, and
logical to us."
What's interesting about this continuing saga is how different it is
from the normal find-vulnerability-then-patch sequence. The authors of
FairUse4WM aren't finding bugs and figuring out how to exploit them,
forcing Microsoft to patch them. This is a sequence of crack, fix,
re-crack, re-fix, etc.
The reason we're seeing this -- and this is going to be the norm for DRM
systems -- is that DRM is fundamentally an impossible problem. Making
it work at all involves tricks, and breaking DRM is akin to "fixing" the
software so the tricks don't work. Anyone looking for a demonstration
that technical DRM is doomed should watch this story unfold. (If
Microsoft has any chance of winning at all, it's via the legal route.)
http://www.schneier.com/blog/archives/2006/09/microsoft_and_f.html
http://www.engadget.com/2006/09/25/microsoft-claims-successful-patch-against-fairuse4wm-1-2/
or http://tinyurl.com/rndpv
http://arstechnica.com/news.ars/post/20060927-7849.html
http://www.engadget.com/2006/09/27/viodentia-responds-to-microsoft-releases-fairuse4wm-1-3/
or http://tinyurl.com/p3osv
** *** ***** ******* *********** *************
Voting Software and Secrecy
Here's a quote from an elections official in Los Angeles: "The software
developed for InkaVote is proprietary software. All the software
developed by vendors is proprietary. I think it's odd that some people
don't want it to be proprietary. If you give people the open source
code, they would have the directions on how to hack into it. We think
the proprietary nature of the software is good for security."
It's funny, really. What she meant, and should be saying, is something
like: "I think it's odd that everyone who has any expertise in computer
security doesn't want the software to be proprietary. Speaking as
someone who knows nothing about computer security, I think that secrecy
is an asset." That's a more realistic quote.
As I've said many times, secrecy is not the same as security. And in
many cases, secrecy hurts security.
http://www.dailynews.com/news/ci_4407865?source=email
Secrecy and security:
http://www.schneier.com/crypto-gram-0205.html#1
** *** ***** ******* *********** *************
Torture Bill as C Code
Kevin Poulsen boils down the new terrorist (and others)
arrest/detainment/torture bill into a small piece of C code:
    if (person = terrorist) {
        punish_severely();
    } else {
        exit(-1);
    }
There's one obvious error, but there are other problems with the code.
Anyone care to comment?
http://blog.wired.com/27bstroke6/2006/09/bad_code.html
http://www.boingboing.net/2006/10/02/the_us_torture_bill_.html
http://www.schneier.com/blog/archives/2006/10/torture_bill_as.html
U.S. bill:
http://thomas.loc.gov/cgi-bin/query/z?c109:S.3930.ES:
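As an added illustration, not part of Poulsen's post or of this
newsletter, here is the snippet's comparison-versus-assignment error made
runnable in C, with the corrected comparison beside it. The enum labels
and the two decision functions are hypothetical stand-ins: each returns
the outcome instead of calling punish_severely() or exit(-1), so the two
versions can be run against the same inputs in one program. It also shows
why `exit(-1)` in the else branch is a second problem: it ends the program
for everyone who is not matched, rather than releasing them.

```c
#include <stdio.h>

/* Hypothetical labels for the two inputs and the two outcomes
 * (constructed for this example, not from the bill or the post). */
enum { ORDINARY = 0, TERRORIST = 1 };
enum { RELEASED = 0, PUNISHED = 1 };

/* The snippet as quoted. A single '=' assigns `terrorist` to `person`
 * and then tests the assigned value, so the branch taken depends only on
 * the right-hand side: whoever `person` was is overwritten and ignored.
 * gcc -Wall reports this as "suggest parentheses around assignment used
 * as truth value". */
int decide_as_written(int person, int terrorist)
{
    if (person = terrorist) {   /* assignment, not comparison */
        return PUNISHED;        /* punish_severely(); */
    } else {
        return RELEASED;        /* exit(-1): in the original this ends the
                                   program for every non-match, so the
                                   "else" is not a release at all */
    }
}

/* The same decision with '==': now `person` is actually consulted. */
int decide_with_comparison(int person, int terrorist)
{
    if (person == terrorist) {
        return PUNISHED;
    } else {
        return RELEASED;
    }
}

int main(void)
{
    /* An ordinary person, tested against the TERRORIST label. */
    printf("as written:      ordinary -> %s\n",
           decide_as_written(ORDINARY, TERRORIST) == PUNISHED
               ? "punished" : "released");
    printf("with comparison: ordinary -> %s\n",
           decide_with_comparison(ORDINARY, TERRORIST) == PUNISHED
               ? "punished" : "released");
    /* And the reverse: the buggy version releases an actual match when
     * the right-hand side happens to be zero. */
    printf("as written:      terrorist vs 0 -> %s\n",
           decide_as_written(TERRORIST, ORDINARY) == PUNISHED
               ? "punished" : "released");
    return 0;
}
```

The buggy version's verdict tracks the second argument alone: every
ordinary person is punished when it is nonzero and every real match is
released when it is zero. Compiling with warnings enabled catches the
typo; the policy problems in the else branch it cannot.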
** *** ***** ******* *********** *************
The Doghouse: SecureRF
SecureRF: "Claims to offer the first feasible security for RFIDs.
Conventional public key cryptography (such as RSA) is far too
computationally intensive for an RFID. SecureRF provides a similar
technology at far lower footprint by harnessing a relatively obscure
area of mathematics: infinite group theory, which comes (of all places)
from knot theory, a branch of topology."
Their website claims to have "white papers" on the theory, but you have
to give them your personal information to get it. Of course, they
reference no actual published cryptography papers. "New mathematics" is
my Snake-Oil Warning Sign #2 -- and I strongly suspect their
documentation displays several other of the warning signs, too. I'd
stay away from this one.
http://www.oreillynet.com/etel/blog/2006/09/embedded_systems_conference_20.html
or http://tinyurl.com/yz9e2k
http://www.securerf.com/
Snake-oil warning signs:
http://www.schneier.com/crypto-gram-9902.html#snakeoil
** *** ***** ******* *********** *************
Bureau of Industry and Security Hacked
The BIS is the part of the U.S. Department of Commerce responsible for
export control. If you have a dual-use technology that you need special
approval in order to export outside the U.S., or to export it to
specific countries, BIS is what you submit the paperwork to.
It's been hacked by "hackers working through Chinese servers," and has
been shut down. This may very well have been a targeted attack.
Manufacturers of hardware crypto devices -- mass-market software is
exempted -- must submit detailed design information to BIS in order to
get an export license. There's a lot of detailed information on crypto
products in the BIS computers.
Of course, I have no way of knowing if this information was breached or
if that's what the hackers were after, but it is interesting. On the
other hand, any crypto product that relied on this information being
secret doesn't deserve to be on the market anyway.
http://www.techweb.com/showArticle.jhtml;jsessionid=OM4E5LCHY4W0WQSNDLRCKHSCJUNN2JVN?articleID=193105174
or http://tinyurl.com/epsq2
** *** ***** ******* *********** *************
University Networks and Data Security
In general, the problems of securing a university network are no
different than those of securing any other large corporate network. But
when it comes to data security, universities have their own unique
problems. It's easy to point fingers at students -- a large number of
potentially adversarial transient insiders. Yet that's really n