From: Bruce Schneier <schneier-AT-counterpane.com>
To: crypto-gram-AT-chaparraltree.com
Subject: CRYPTO-GRAM, December 15, 2003
Date: Mon, 15 Dec 2003 02:29:42 -0600
CRYPTO-GRAM
December 15, 2003
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
<http://www.schneier.com>
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
Back issues are available at
<http://www.schneier.com/crypto-gram.html>. To subscribe, visit
<http://www.schneier.com/crypto-gram.html> or send a blank message to
crypto-gram-subscribe@chaparraltree.com.
** *** ***** ******* *********** *************
In this issue:
Blaster and the August 14th Blackout
Counterpane News
Crypto-Phone
The Doghouse: Amit Yoran
Crypto-Gram Reprints
Quantum Cryptography
News
Beyond Fear News
Computerized and Electronic Voting
Comments from Readers
** *** ***** ******* *********** *************
Blaster and the August 14th Blackout
Did Blaster cause the August 14th blackout? The official analysis says
"no," but I'm not so sure.
According to the "Interim Report: Causes of the August 14th Blackout in
the United States and Canada," published in November and based on
detailed research by a panel of government and industry officials, the
blackout was caused by a series of failures.
The chain of events began at FirstEnergy, a power company in
Ohio. There, a series of human and computer failures turned a small
problem into a major one. And because critical alarm systems failed,
workers at FirstEnergy did not stop the cascade because they did not
know what was happening.
This is where I think Blaster may have been involved. The report gives
a specific timeline for the failures. At 14:14 EDT, the "alarm and
logging software" at FirstEnergy's control room failed. This alarm
software "provided audible and visual indications when a significant
piece of equipment changed from an acceptable to problematic
condition." Of course, no one knew that it failed.
Six minutes later, "several" remote control consoles failed. At 14:41,
the primary server computer that hosted the alarm function failed. Its
functions were passed to a backup computer, which failed at 14:54.
Doesn't this sound like a computer worm wending its way through
FirstEnergy's operational computers?
According to the report, "...for over an hour no one in FE's control
room grasped that their computer systems were not operating properly,
even though FE's Information Technology support staff knew of the
problems and were working to solve them..."
Doesn't this sound like IT working to clean a worm out of its network?
This massive computer failure was critical to the cascading power
failure. The report continues: "Power system operators rely heavily
on audible and on-screen alarms, plus alarm logs, to reveal any
significant changes in their system's conditions. After 14:14 EDT on
August 14, FE's operators were working under a significant handicap
without these tools. However, they were in further jeopardy because
they did not know that they were operating without alarms, so that they
did not realize that system conditions were changing."
Other computer glitches are mentioned in the report. At the Midwest
Independent Transmission System Operator, a regional agency that
oversees power distribution, there's something called a "state
estimator." It's a computer used to determine whether the power grid
is in trouble. This computer also failed, at 12:15. According to the
report, a technician tried to repair it and forgot to turn it back on
when he went to lunch.
The Blaster worm first appeared on August 11, and infected more than a
million computers in the days following. It targeted a vulnerability
in the Microsoft operating system. Infected computers, in turn, tried
to infect other computers, and in this way the worm automatically
spread from computer to computer and network to network. Although the
worm didn't perform any malicious actions on the computers it infected,
its mere existence drained resources and often caused the host computer
to crash. To remove the worm a system administrator had to run a
program that erased the malicious code; then the administrator had to
patch the vulnerability so that the computer would not get re-infected.
According to research by Stuart Staniford, Blaster was a random-start
sequential-scanner, and scanned at about 11 IPs/second. A given
scanner would cover a Class B network in about 1 hour and 40
minutes. The FirstEnergy computer-failure times are fairly consistent
with a series of computers with addresses dotted around a class B being
compromised by a scan of the class B, probably by an infected instance
on the same network. (Note that it was not necessary for the
FirstEnergy network to be on the Internet; Blaster infected many
internal networks.)
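The timing argument above can be checked with a small model. This is an added example, not part of Crypto-Gram; it assumes only the figures the essay quotes (Staniford's rate of about 11 IPs/second, one Class B of 65,536 addresses, and the four FirstEnergy failure times from the interim report) and asks whether those failures could fall within a single sequential pass of one scanner.

```python
"""Timeline check for the sequential-scan hypothesis (added example).

Assumptions, all taken from the essay: a random-start sequential scanner at
about 11 IPs/second, a Class B (/16) target block, and the FirstEnergy
failure times quoted from the interim report. Nothing here scans anything;
it only computes whether the observed timeline fits one sweep.
"""
from datetime import datetime, timedelta

SCAN_RATE_IPS = 11.0      # IPs/second, Staniford's figure as quoted in the essay
CLASS_B_SIZE = 2 ** 16    # one /16 network: 65,536 addresses

# Failure times the essay quotes from the interim report (EDT, August 14, 2003).
FIRSTENERGY_FAILURES = {
    "alarm and logging software": "14:14",
    "remote control consoles": "14:20",
    "primary alarm server": "14:41",
    "backup alarm server": "14:54",
}


def sweep_duration(block_size: int = CLASS_B_SIZE,
                   rate: float = SCAN_RATE_IPS) -> timedelta:
    """Time for one sequential scanner to cover `block_size` addresses."""
    return timedelta(seconds=block_size / rate)


def _parse(hhmm: str) -> datetime:
    return datetime.strptime(f"2003-08-14 {hhmm}", "%Y-%m-%d %H:%M")


def failure_spread(failures: dict) -> timedelta:
    """Elapsed time between the first and the last recorded failure."""
    times = [_parse(t) for t in failures.values()]
    return max(times) - min(times)


def addresses_covered(duration: timedelta, rate: float = SCAN_RATE_IPS) -> int:
    """Consecutive addresses one scanner reaches in `duration` at `rate`."""
    return int(duration.total_seconds() * rate)


def consistent_with_single_sweep(failures: dict,
                                 block_size: int = CLASS_B_SIZE,
                                 rate: float = SCAN_RATE_IPS) -> bool:
    """True if every failure could fall inside one pass over the block.

    This is a necessary condition only: the failures must span less time
    than a sweep of the block takes, so the hosts could sit at addresses
    reached in order by one scanner.  It does not show that Blaster (rather
    than, say, a cascade of ordinary faults) caused them.
    """
    return failure_spread(failures) <= sweep_duration(block_size, rate)


def implied_offsets(failures: dict, rate: float = SCAN_RATE_IPS) -> dict:
    """Address distance of each failing host from the first one to fail,
    if a single scanner reached them in time order at `rate`."""
    t0 = min(_parse(t) for t in failures.values())
    return {name: addresses_covered(_parse(t) - t0, rate)
            for name, t in failures.items()}


if __name__ == "__main__":
    sweep = sweep_duration()
    print(f"one /16 sweep takes about {sweep.total_seconds() / 60:.0f} minutes")
    spread = failure_spread(FIRSTENERGY_FAILURES)
    print(f"failures span {spread.total_seconds() / 60:.0f} minutes, "
          f"i.e. about {addresses_covered(spread)} addresses of {CLASS_B_SIZE}")
    print("fits one sweep:", consistent_with_single_sweep(FIRSTENERGY_FAILURES))
    for host, offset in implied_offsets(FIRSTENERGY_FAILURES).items():
        print(f"  {host}: +{offset} addresses after the first failure")
```

The 40-minute window between the first and last failure covers roughly 26,400 addresses, well inside the 99-minute sweep, which is what "fairly consistent" means here; the same check would also pass for many non-worm explanations, so it supports the hypothesis without establishing it.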
The coincidence of the timing is too obvious to ignore. At 14:14 EDT,
the Blaster Worm was dropping systems all across North America. The
report doesn't explain why so many computers--both primary and backup
systems--at FirstEnergy were failing at around the same time, but
Blaster is certainly a reasonable suspect.
Unfortunately, the report doesn't directly address the Blaster worm and
its effects on FirstEnergy's computers. The closest I could find was
this paragraph, on page 99: "Although there were a number of worms and
viruses impacting the Internet and Internet connected systems and
networks in North America before and during the outage, the SWG's
preliminary analysis provides no indication that worm/virus activity
had a significant effect on the power generation and delivery
systems. Further SWG analysis will test this finding."
Why the tortured prose? The writers take pains to assure us that "the
power generation and delivery systems" were not affected by
Blaster. But what about the alarm systems? Clearly they were all
affected by something, and all at the same time.
This wouldn't be the first time a Windows epidemic swept through
FirstEnergy. The company has admitted that they were hit by Slammer in
January.
Let's be fair. I don't know that Blaster caused the blackout. The
report doesn't say that Blaster caused the blackout. Conventional
wisdom is that Blaster did not cause the blackout. But it seems more
and more likely that Blaster was one of the many causes of the blackout.
Regardless of the answer, there's a very important moral here. As
networked computers infiltrate more and more of our critical
infrastructure, that infrastructure is vulnerable not only to attacks
but also to sloppy software and sloppy operations. And these
vulnerabilities are invariably not the obvious ones. The computers
that directly control the power grid are well-protected. It's the
peripheral systems that are less protected and more likely to be
vulnerable. And a direct attack is unlikely to cause our
infrastructure to fail, because the connections are too complex and too
obscure. It's only by accident--Blaster affecting systems at just the
wrong time, allowing a minor failure to become a major one--that these
massive failures occur.
We've seen worms knock out 911 telephone service. We've seen worms
disable ATMs. None of this was predictable beforehand, but all of it
is preventable. I believe that this sort of thing will become even
more common in the future.
A preliminary version of this essay appeared on news.com:
<http://news.com.com/2010-7343-5117862.html>
Interim Report: Causes of the August 14th Blackout in the United States
and Canada
<https://reports.energy.gov/814BlackoutReport.pdf>
The relevant data is on pages 28-29 of the report.
FirstEnergy was hit by Slammer:
<http://www.securityfocus.com/news/6868>
<http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,84203,00.html> or <http://tinyurl.com/z9to>
How worms can infect internal networks:
<http://www.networm.org/faq/#enterprise>
Blackout not caused by worm:
<http://news.com.com/2100-7355_3-5111816.html>
News article on the report:
<http://www.iht.com/articles/118457.html>
Geoff Shively talked about possible Blaster/blackout links just a few
days after the blackout:
<http://seclists.org/lists/bugtraq/2003/Sep/0053.html>
** *** ***** ******* *********** *************
Counterpane News
Over four years ago I founded Counterpane Internet Security, Inc., to
be the world's leading provider of Managed Security Services, and we
still are. Every day we defend hundreds of networks all over the world
against insider and outsider attacks. We help companies meet
compliance demands. We make the Internet safer. Recently we announced
our Enterprise Protection Suite, which combines Managed Security
Monitoring with Managed Vulnerability Scanning, fully outsourced Device
Management, and Security Consulting services. Receive a 15% discount
off your first year's service here:
<http://www.counterpane.com/cgi-bin/enterprise.cgi>
We had a great third quarter:
<http://www.counterpane.com/pr-20031006.html>
We are hiring:
<http://www.counterpane.com/jobs.html>
Essay by Schneier on computer security and liability:
<http://www.heise.de/security/artikel/42195>
Interview with Schneier on computer security and monoculture:
<http://www.computerworld.com/printthis/2003/0,4814,87470,00.html>
** *** ***** ******* *********** *************
Crypto-Phone
Many people have asked me about this product: whether it is secure,
whether it is worth buying, etc.
Honestly, I don't know. I haven't evaluated the product. I haven't
looked at the source code. I don't know anything more about the
product and its security than what I can read on their website.
At first read, though, it looks okay. It looks like they've thought
about the security and the cryptography. The fact that they publish
their source code is a good sign (but not any guarantee of security).
If I find any analyses, I will write about them in Crypto-Gram. Until
then, this is no different from any other security product: you need to
trust the vendor.
Website:
<http://www.cryptophone.de/>
News articles:
<http://www.nbr.co.nz/home/column_article.asp?id=7586&cid=3&cname=Technology> or <http://tinyurl.com/z9tq>
<http://www.theregister.co.uk/content/68/34096.html>
<http://star-techcentral.com/tech/story.asp?file=/2003/11/19/technology/6747626&sec=technology> or <http://tinyurl.com/z9tr>
<http://economictimes.indiatimes.com/cms.dll/articleshow?msid=290188>
Raseac, another company that makes encrypted phones:
<http://www.raseac.com.br/>
** *** ***** ******* *********** *************
The Doghouse: Amit Yoran
Here's a question: if you don't think it's possible to improve the
security of computer code, what are you doing in the computer security
industry?
"Amit Yoran, the new head of the Department of Homeland Security's
national cybersecurity division, said the administration is assessing
the impact of various regulatory proposals. One of them calls for
companies to report, through the Securities and Exchange Commission,
their preparedness for attacks on their computer networks. Mr. Yoran,
formerly a vice president of Symantec Corp., said the department is
considering other measures, though it leans toward private-sector
approaches.
"'For example, should we hold software vendors accountable for the
security of their code or for flaws in their code?' Mr. Yoran asked in
an interview. 'In concept, that may make sense. But in practice, do
they have the capability, the tools to produce more secure code?'"
The sheer idiocy of this quote amazes me. Does he really think that
writing more secure code is too hard for companies to manage? Does he
really think that companies are doing absolutely the best they possibly
can?
I can handle blatant pandering to industry, but this is just too stupid
to ignore.
The article:
<http://online.wsj.com/article/0,,SB107040249488089600,00.html>
<http://news.com.com/2008-7355-5112350.html>
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Crypto-Gram is currently in its sixth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram.html>. These are a selection of
articles that appeared in this calendar month in other years.
Counterattack:
<http://www.schneier.com./crypto-gram-0212.html#1>
Comments on the Department of Homeland Security:
<http://www.schneier.com./crypto-gram-0212.html#3>
Crime: The Internet's Next Big Thing:
<http://www.schneier.com./crypto-gram-0212.html#7>
National ID Cards:
<http://www.schneier.com/crypto-gram-0112.html#1>
Judges Punish Bad Security:
<http://www.schneier.com/crypto-gram-0112.html#2>
Computer Security and Liabilities:
<http://www.schneier.com/crypto-gram-0112.html#4>
Fun with Vulnerability Scanners:
<http://www.schneier.com/crypto-gram-0112.html#9>
Voting and Technology:
<http://www.schneier.com/crypto-gram-0012.html#1>
"Security Is Not a Product; It's a Process":
<http://www.schneier.com/crypto-gram-9912.html#1>
Echelon Technology:
<http://www.schneier.com/crypto-gram-9912.html#3>
European Digital Cellular Algorithms:
<http://www.schneier.com/crypto-gram-9912.html#10>
The Fallacy of Cracking Contests:
<http://www.schneier.com/crypto-gram-9812.html#contests>
How to Recognize Plaintext:
<http://www.schneier.com/crypto-gram-9812.html#plaintext>
** *** ***** ******* *********** *************
Quantum Cryptography
MagiQ Technologies is now selling an actual product that uses single
photons to exchange keys over fiber optic lines. Navajo systems use
photons to transmit encryption keys over fiber-optic lines, and the
security is based on the quantum law that an observer--an eavesdropper
in this case--perturbs the system by observing it.
This isn't new. The basic science was developed in the early 1980s,
and there have been steady advances in engineering since then. I
describe how it all works--basically--in Applied Cryptography, 2nd
Edition (pages 554-557).
I don't have any hope for this sort of product. I don't have any hope
for the commercialization of quantum cryptography in general; I don't
believe it solves any security problem that needs solving. I don't
believe that it's worth paying for, and I can't imagine anyone but a
few technophiles buying and deploying it.
It's not that quantum cryptography might be insecure; it's that we
don't need cryptography to be any more secure.
Security is a chain; it's as strong as the weakest link. Mathematical
cryptography, as bad as it sometimes is, is the strongest link in most
security chains. The computer security, the network security, the
people security--these are all much worse.
Cryptography is the one area of security that we can get right. We
know how to make that link strong. Maybe quantum cryptography can make
that link stronger, but why would anyone bother? There are far more
serious security problems to worry about, and it makes much more sense
to spend money securing those.
It's like defending yourself against an approaching attacker by putting
a huge stake in the ground. It's useless to argue about whether the
stake should be fifty feet tall or a hundred feet tall, because the
attacker is going to go around it. Even quantum cryptography doesn't
"solve" all of cryptography: the keys are exchanged with photons, but a
conventional mathematical algorithm takes over for the actual encryption.
I'm always in favor of security research, and I have enjoyed following
the developments in quantum cryptography. But as a product, it has no
future.
News articles:
<http://www.theage.com.au/articles/2003/11/28/1069825960663.html>
<http://www.lightreading.com/document.asp?site=lightreading&doc_id=42929>
<http://zdnet.com.com/2100-1105_2-5103373.html>
<http://www.lightreading.com/document.asp?site=lightreading&doc_id=43459>
<http://www.globetechnology.com/servlet/story/RTGAM.20031117.gtcrypt1117/BNStory/Technology/> or <http://tinyurl.com/vdue>
** *** ***** ******* *********** *************
News
Another article saying that cyberterrorism is a myth:
<http://news.com.com/2100-7355_3-5105732.html>
Banking scam targets Citibank customers:
<http://www.securityfocus.com/infocus/1745>
The economics of spam:
<http://www.theregister.co.uk/content/55/34063.html>
This is an old scam. A man uses a computer virus to change Internet
dial-up numbers of victims' computers to special premium rates, in an
attempt to make a pile of money. How he thought that he wouldn't get
caught is beyond me.
<http://www.theregister.co.uk/content/56/33801.html>
This is the 1997 version of same attack. Note that the virus turned
the volume of the modem down, to reduce the chance of detection:
<http://www.ftc.gov/opa/1997/11/audiot-2.htm>
A very entertaining (and anonymous) story of someone's interview with
the National Security Agency:
<http://www.fas.org/irp/eprint/nsa-interview.pdf>
Republican Senator Orrin Hatch suspended a member of his staff for
hacking into the computers of two Democratic senators.
<http://www.sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/11/25/national1948EST0744.DTL> or <http://tinyurl.com/wnt0>
<http://www.washingtonpost.com/ac2/wp-dyn/A17502-2003Nov27>
<http://informationweek.securitypipeline.com/news/showArticle.jhtml?articleId=16401094> or <http://tinyurl.com/z9u7>
Here's a story of a computer error causing losses on the NASDAQ stock
exchange. It illustrates a serious problem: not all financial
transactions can be undone. The error was a large sell order that
caused a stock's price to plunge. Many people acted on that
information, and when it turned out to be false they were stuck with
large losses themselves.
<http://www.herald.ns.ca/stories/2003/12/07/fBusiness109.raw.html>
List of famous unsolved codes and ciphers:
<http://www.elonka.com/UnsolvedCodes.html>
Good collection of links on faking fingerprint readers:
<http://www.optel.pl/top.htm>
** *** ***** ******* *********** *************
Beyond Fear News
Schneier is giving a talk at the 92nd St Y in New York on January 11th
at 7:30 PM:
<http://www.92y.org/shop/event_detail.asp?catalog=92y%5Fcatalog&productid=T%2DLC5CM09> or <http://tinyurl.com/z9u8>
Schneier is doing a series of lectures and signings to promote Beyond Fear:
Raleigh-Durham, NC - January 12th, 7:00 pm, Market Street Books
San Jose, CA - January 13th, 7:30 PM, Kepler's Books
Portland, OR - January 14th, 7:30 PM, Powell's Technical Books
San Diego, CA - January 16th, 7:00 PM, San Diego Technical Books
Book homepage:
<http://www.schneier.com/bf.html>
** *** ***** ******* *********** *************
Computerized and Electronic Voting
There are dozens of stories about computerized voting machines
producing erroneous results. Votes mysteriously appear or
disappear. Votes cast for one person are credited to another. Here
are two from the most recent election: One candidate in Virginia found
that the computerized election machines failed to register votes for
her, and in fact subtracted a vote for her, in about "one out of a
hundred tries." And in Indiana, 5,352 voters in a district of 19,000
managed to cast 144,000 ballots on a computerized machine.
These problems were only caught because their effects were obvious--and
obviously wrong. Subtle problems remain undetected, and for every
problem we catch--even though their effects often can't be
undone--there are probably dozens that escape our notice.
Computers are fallible and software is unreliable; election machines
are no different than your home computer.
Even more frightening than software mistakes is the potential for
fraud. The companies producing voting machine software use poor
computer-security practices. They leave sensitive code unprotected on
networks. They install patches and updates without proper security
auditing. And they use the law to prohibit public scrutiny of their
practices. When damning memos from Diebold became public, the company
sued to suppress them. Given these shoddy security practices, what
confidence do we have that someone didn't break into the company's
network and modify the voting software?
And because elections happen all at once, there would be no means of
recovery. Imagine if, in the next presidential election, someone
hacked the vote in New York. Would we let New York vote again in a
week? Would we redo the entire national election? Would we tell New
York that their votes didn't count?
Any discussion of computerized voting necessarily leads to Internet
voting. Why not just do away with voting machines entirely, and let
everyone vote remotely?
Online voting schemes have even more potential for failure and
abuse. Internet systems are extremely difficult to secure, as
evidenced by the never-ending stream of computer vulnerabilities and
the widespread effect of Internet worms and viruses. It might be
convenient to vote from your home computer, but it would also open new
opportunities for people to play Hack the Vote.
And any remote voting scheme has its own problems. The voting booth
provides security against coercion. I may be bribed or threatened to
vote a certain way, but when I enter the privacy of the voting booth I
can vote the way I want. Remote voting, whether by mail or by
Internet, removes that security. The person buying my vote can be sure
that he's buying a vote by taking my blank ballot from me and
completing it himself.
In the U.S., we believe that allowing absentees to vote is more
important than this added security, and that it is probably a good
trade-off. And people like the convenience. In California, for
example, over 25% vote by mail.
Voting is particularly difficult in the United States for two
reasons. One, we vote on dozens of different things at one time. And
two, we demand final results before going to sleep at night.
What we need are simple voting systems--paper ballots that can be
counted even in a blackout. We need technology to make voting easier,
but it has to be reliable and verifiable.
My suggestion is simple, and it's one echoed by many computer security
researchers. All computerized voting machines need a paper audit
trail. Build any computerized machine you want. Have it work any way
you want. The voter votes on it, and when he's done the machine prints
out a paper receipt, much like an ATM does. The receipt is the voter's
real ballot. He looks it over, and then drops it into a ballot
box. The ballot box contains the official votes, which are used for
any recount. The voting machine has the quick initial tally.
This system isn't perfect, and doesn't address many security issues
surrounding voting. It's still possible to deny individuals the right
to vote, stuff machines and ballot boxes with pre-cast votes, lose
machines and ballot boxes, intimidate voters, etc. Computerized
machines don't make voting completely secure, but machines with paper
audit trails prevent all sorts of new avenues of error and fraud.
CRS Report on Electronic Voting:
<http://www.epic.org/privacy/voting/crsreport.pdf>
Voting resource pages:
<http://www.epic.org/privacy/voting/>
<http://www.eff.org/Activism/E-voting/>
<http://www.verifiedvoting.org/>
<http://electioncentral.blog-city.com/index.cfm>
Bills in U.S. Congress to force auditable balloting:
<http://graham.senate.gov/pr120903.html>
<http://holt.house.gov/issues2.cfm?id=5996>
Virginia story:
<http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A6291-2003Nov5> or <http://tinyurl.com/z9uc>
Indiana story:
<http://www.indystar.com/articles/1/089939-1241-014.html>
Nevada story:
<http://www.lasvegassun.com/sunbin/stories/lv-gov/2003/dec/10/515999082.html> or <http://tinyurl.com/z9ud>
California Secretary of State statement on e-voting paper trail
requirement:
<http://www.ss.ca.gov/executive/press_releases/2003/03_106.pdf>
Maryland story:
<http://www.gazette.net/200350/montgomerycty/state/191617-1.html>
More opinions:
<http://www.pbs.org/cringely/pulpit/pulpit20031204.html>
<http://www.securityfocus.com/columnists/198>
<http://www.sacbee.com/content/opinion/story/7837475p-8778055c.html>
Voter Confidence and Increased Accessibility Act of 2003
<http://www.wired.com/news/print/0,1294,61298,00.html>
<http://www.theorator.com/bills108/hr2239.html>
My older essays on this topic:
<http://www.schneier.com./crypto-gram-0012.html#1>
<http://www.schneier.com./crypto-gram-0102.html#10>
** *** ***** ******* *********** *************
Comments from Readers
From: "Preston L. Bannister" <preston.bannister@cox.net>
Subject: Airplane Hackers
There is, I think, an important distinction between a hacker who breaks
into someone else's computer system, and the actions of this "airplane
hacker." When you break into someone else's computer system, you are,
in effect, invading someone else's property. Perhaps you have no
intent to cause harm. Perhaps you will cause harm unintended. In any
case you were not invited, are unwelcome, and should not be there.
Airport security is a little different. Post-9/11 we have traded off a
number of our freedoms, shifted more power into the government, and
moved at least a bit closer to becoming some form of police state. The
promise made to us -- to all of us -- was that in exchange we would
gain protection, that somehow we would gain security. Apparently
Nathaniel Heatwole decided to test that promise. After all, we have in
effect been sold and paid for a service. Nathaniel was simply testing
to see -- in some minor way -- if we were getting something for what we
have paid.
Was this all a bit silly? On some level, certainly. Doubtless anyone
who makes a habit of thinking critically about security would have
decided early on that much of what we were sold was worthless. Not
much point in confirming what we already know. On the other hand, you
wouldn't have much of a business if the majority of the human race
thought just as carefully about security :). This stunt tells a story
that is very easy to understand. Tell stories like this often enough,
and you might change the minds of enough voters. This is a good thing.
To borrow from your analogy, this is more turning on all the alarms,
breaking into your own house, and leaving a note for the security company.
Were Nathaniel's actions criminal? Perhaps - but then how do we charge
those to whom we have sold our liberty for a false promise of
security? Somehow it seems that the second is a far greater crime.
From: "David Wall @ Yozons" <david.wall@yozons.com>
Subject: Airplane Hackers
Your analogy about breaking into your home and leaving a note is quite
different from what Heatwole did. He boarded a plane with permission
and had a ticket that he paid for. He didn't harm anybody or
anything. What he smuggled wasn't even particularly dangerous.
You feel violated if someone enters your home, but only because they
did so without permission. If your guest smuggled in a steak when you
were eating a fish dinner, you wouldn't be that upset.
I'm not saying it was a bright move, but the violation is pretty minor
and should be treated as a minor offense as you suggest. The TSA
should get rid of its window dressing rules since those are the rules
that you suggest should result in his criminal prosecution.
So a guy who pays to come, creates no real harm, and violates a silly
law should be prosecuted severely because he's a "hacker"? The law is
meant to protect, not harass, so let's hope they don't throw the book
at him.
From: Doug Greene <gwiz@eTransforms.com>
Subject: Airplane Hackers
Your analogy fails in that air transportation is regulated in the
public interest and security is the responsibility of the
government. Hence, it should be subject to public oversight. This is
not the same situation as a private home. Who feels embarrassed and
violated here other than the government agency charged with failing to
insure the level of security it claims it does?
You acknowledge that: "Most of what the TSA does is security theater --
window dressing. It keeps up appearances, and maybe (hopefully) makes
the terrorists a little less sure they can smuggle their weapons aboard
airplanes. Probably not." Yet, consumers of air transport services
are harassed daily in the name of security that does not work. Either
it should work reasonably well or we should restore the civil liberties
that have been infringed upon in the name of such fraudulent security
systems.
You say "the TSA never asked him to test their security." Of course
not. Contractors hired by the TSA to test their security are much more
likely to keep security failures hidden from public scrutiny.
We need laws that allow limited independent public interest testing of
such security systems. Until we do, exploits such as Nathaniel
Heatwole's are better than self-interested tests that may have been
contracted by the TSA and were probably not.
From: Brian T. Sniffen <bts@alum.mit.edu>
Subject: Airplane Hackers
I think you made a grave mistake in your article on Heatwole. There
are two points you didn't cover, either of which requires serious
changes to your conclusions.
First, there's the problem of fuzziness: so-called hackers who break
into other people's computers or homes are committing crimes,
certainly. But where's the difference between that and breaking into
other people's intellectual property? Should the next researcher who
discovers security flaws in copyrighted software be
prosecuted? Certainly, the company feels like it's been violated. But
when Matt Blaze published information that my apartment locks were
insecure, I didn't consider him a criminal: I thanked him for it. As I
recall, so did you. Meanwhile, Schlage and locksmiths across the
country were calling for his head.
Second, there's the problem of social responsibility. There is a
difference between breaking into a home, or demonstrating a flaw in a
public security system that represents itself as defending public
safety. From my understanding of what Heatwole did, no crimes were
committed: he went through the normal TSA boarding process, using the
rules they set up. That's very different from picking locks to enter a
house or circumventing security checks -- in software or in social
systems. I consider Heatwole's actions in the same category as those
who broke the DMCA and other copyright laws to expose flaws in
Diebold's voting machines: exposing the lies or incompetence of those
holding the public trust may be in violation of the law, but should
rarely be treated as a crime.
From: Michael Giagnocavo <mgg@Atrevido.net>
Subject: Airplane Hackers
Surprise was an exploit on a known security hole: cockpit access. I
can't touch any controls when I get into a $5000 taxi, but some people
easily got into the cockpit of a multi-million dollar aircraft.
Like buffer overflows (and mitigation techniques that compilers can
do), taking away surprise just makes it harder to exploit the known
hole. Surprise was just their "exploit code" this time around for that
hole.
Assuming the hole hasn't been closed (and cockpit access isn't bolted
down), what's to stop someone from tear-gassing everyone on board and
gaining control again?
From: Ben Mord <bmord@iconnicholson.com>
Subject: Airplane Hackers
Despite your suggestion that passengers would unite against future
terrorists, I fear our airplanes remain vulnerable to social
engineering. I offer the following as evidence:
<http://cspanrm.fplive.net:554/ramgen/cspan/ldrive/ter082102_aviation2.rm>
[Note: this is 2.5 hours of streaming video.]
A single insane individual broke through an "armored" cockpit door in a
post 9/11 world as a small army of flight attendants offered him water.
Let us be thankful he was not simply using his insanity as a ruse to
compromise cockpit security as co-conspirators waited silently to
launch a second attack. Let us also learn from the fact that as a
single individual with no preparations, this individual did in fact
compromise armored cockpit security following 9/11 by many months.
I do recognize, however, that you may be engaging in some social
engineering of your own. It is advantageous for people to believe that
they would unite in thwarting any threat against the integrity of the
cockpit. Due to the network effect, the ubiquity of such a belief
*might* help it become a reality, and the perception of this as a
reality might also act as a deterrent. And yet, as a self-governing
society we must be wary of self-delusion, lest we make bad decisions.
How should we manipulate the network effect to our common benefit while
avoiding dangerous delusions? This is a tough balance.
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. Back
issues are available on <http://www.schneier.com/crypto-gram.html>.
To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send
a blank message to crypto-gram-subscribe@chaparraltree.com. To
unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.
Comments on CRYPTO-GRAM should be sent to
schneier@counterpane.com. Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.
Counterpane Internet Security, Inc. is the world leader in Managed
Security Monitoring. Counterpane's expert security analysts protect
networks for Fortune 1000 companies world-wide. See
<http://www.counterpane.com>.
Copyright (c) 2003 by Bruce Schneier.