April CRYPTO-GRAM newsletter [LWN.net]

From:		Bruce Schneier <schneier-AT-counterpane.com>
To:		crypto-gram-AT-chaparraltree.com
Subject:		CRYPTO-GRAM, April 15, 2004
Date:		Thu, 15 Apr 2004 00:38:40 -0500
                  CRYPTO-GRAM

                 April 15, 2004

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier@counterpane.com
            <http://www.schneier.com>
           <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

Back issues are available at 
<http://www.schneier.com/crypto-gram.html>.  To subscribe, visit 
<http://www.schneier.com/crypto-gram.html> or send a blank message to 
crypto-gram-subscribe@chaparraltree.com.


** *** ***** ******* *********** *************

In this issue:
      National ID Cards
      TSA-Approved Locks
      Crypto-Gram Reprints
      Stealing an Election
      Counterpane News
      Security Notes from All Over:
        Man-in-the-Middle Attack
      BeepCard
      Bluetooth Privacy Hack
      News
      Virus Wars
      Comments from Readers


** *** ***** ******* *********** *************

               National ID Cards



As a security technologist, I regularly encounter people who say the 
United States should adopt a national ID card.  How could such a 
program not make us more secure, they ask?

The suggestion, when it's made by a thoughtful civic-minded person like 
Nicholas Kristof in the New York Times, often takes on a tone that is 
regretful and ambivalent: Yes, indeed, the card would be a minor 
invasion of our privacy, and undoubtedly it would add to the growing 
list of interruptions and delays we encounter every day; but we live in 
dangerous times, we live in a new world....

It all sounds so reasonable, but there's a lot to disagree with in such 
an attitude.

The potential privacy encroachments of an ID card system are far from 
minor.  And the interruptions and delays caused by incessant ID checks 
could easily proliferate into a persistent traffic jam in office 
lobbies and airports and hospital waiting rooms and shopping malls.

But my primary objection isn't the totalitarian potential of national 
IDs, nor the likelihood that they'll create a whole immense new class 
of social and economic dislocations.  Nor is it the opportunities they 
will create for colossal boondoggles by government contractors.  My 
objection to the national ID card, at least for the purposes of this 
essay, is much simpler.

It won't work.  It won't make us more secure.

In fact, everything I've learned about security over the last 20 years 
tells me that once it is put in place, a national ID card program will 
actually make us less secure.

My argument may not be obvious, but it's not hard to follow, 
either.  It centers around the notion that security must be evaluated 
not based on how it works, but on how it fails.

It doesn't really matter how well an ID card works when used by the 
hundreds of millions of honest people that would carry it.  What 
matters is how the system might fail when used by someone intent on 
subverting that system: how it fails naturally, how it can be made to 
fail, and how failures might be exploited.

The first problem is the card itself.  No matter how unforgeable we 
make it, it will be forged.  And even worse, people will get legitimate 
cards in fraudulent names.

Two of the 9/11 terrorists had valid Virginia driver's licenses in fake 
names.  And even if we could guarantee that everyone who issued 
national ID cards couldn't be bribed, initial cardholder identity would 
be determined by other identity documents... all of which would be 
easier to forge.

Not that there would ever be such thing as a single ID card.  Currently 
about 20 percent of all identity documents are lost per year.  An 
entirely separate security system would have to be developed for people 
who lost their card, a system that itself is capable of abuse.

Additionally, any ID system involves people... people who regularly 
make mistakes.  We all have stories of bartenders falling for obviously 
fake IDs, or sloppy ID checks at airports and government 
buildings.  It's not simply a matter of training; checking IDs is a 
mind-numbingly boring task, one that is guaranteed to have 
failures.  Biometrics such as thumbprints show some promise here, but 
bring with them their own set of exploitable failure modes.

But the main problem with any ID system is that it requires the 
existence of a database.  In this case it would have to be an immense 
database of private and sensitive information on every American -- one 
widely and instantaneously accessible from airline check-in stations, 
police cars, schools, and so on.

The security risks are enormous.  Such a database would be a kludge of 
existing databases; databases that are incompatible, full of erroneous 
data, and unreliable.  As computer scientists, we do not know how to 
keep a database of this magnitude secure, whether from outside hackers 
or the thousands of insiders authorized to access it.

And when the inevitable worms, viruses, or random failures happen and 
the database goes down, what then? Is America supposed to shut down 
until it's restored?

Proponents of national ID cards want us to assume all these problems, 
and the tens of billions of dollars such a system would cost -- for 
what? For the promise of being able to identify someone?

What good would it have been to know the names of Timothy McVeigh, the 
Unabomber, or the DC snipers before they were arrested? Palestinian 
suicide bombers generally have no history of terrorism.  The goal is 
here is to know someone's intentions, and their identity has very 
little to do with that.

And there are security benefits in having a variety of different ID 
documents.  A single national ID is an exceedingly valuable document, 
and accordingly there's greater incentive to forge it.  There is more 
security in alert guards paying attention to subtle social cues than 
bored minimum-wage guards blindly checking IDs.

That's why, when someone asks me to rate the security of a national ID 
card on a scale of one to 10, I can't give an answer.  It doesn't even 
belong on a scale.

This essay originally appeared in the Minneapolis Star Tribune:
<http://www.startribune.com/stories/1519/4698350.html>

Kristof's essay in the New York Times:
<http://www.nytimes.com/2004/03/17/opinion/17KRIS.html?ex=1394946000&en= 
938b60e9bdb051f7&ei=5007&partner=USERLAND> or <http://tinyurl.com/26fg2>

My earlier essay on National ID cards:
<http://www.schneier.com/crypto-gram-0112.html#1>

My essay on identification and security:
<http://www.schneier.com/crypto-gram-0402.html#6>


** *** ***** ******* *********** *************

              TSA-Approved Locks



Way back in 1993, the Clinton Administration proposed the Clipper 
Chip.  The government was concerned that the bad guys would start using 
encryption, so they had a solution.  The Clipper Chip would provide 
strong encryption that could not be broken, but there was a secret key 
-- known only by the government -- that could decrypt the 
traffic.  That way legitimate users could be secure, but the bad guys 
could have their messages read by the government.

As you can imagine, this didn't go over very well.

People didn't like the idea of the government having a back door into 
their cryptography.  Experts like me didn't believe that the "back 
door" would remain secret, and didn't think that deliberately crippled 
cryptography was a good idea.  The general concept, known as key 
escrow, key recovery, or trusted third-party encryption, hung around 
for a few years and was eventually forgotten.

Who would have thought it would come back in the form of a luggage lock?

Since 9/11, airport security has started opening checked luggage 
more.  If they find a locked suitcase, they break the lock.  But some 
travelers lock their suitcases, as they don't want the bags either 
accidentally opening up in transit or being opened up by some baggage 
handler looking for something to filch.  In an attempt to satisfy both 
of these requirements, there's now a key escrow lock.  You lock and 
unlock your suitcase normally, but there's a special TSA key that 
allows airport security to unlock it, too.

There are a couple of reasons why this is different.  First, there's no 
other option.  Either you use one of these special locks, or you leave 
your suitcase unlocked.  In this case, the solution might be better 
than nothing.

Second, it's only a suitcase.  We're not trying to defend against a 
criminal cutting into it with a knife, or walking away with the entire 
bag.  We're trying to defend against an opportunist sticking his hand 
into the bag and grabbing something.

Sure, the bad guys will get copies of the special TSA keys and be able 
to unlock your suitcase, but they were able to open that sorry-ass 
luggage lock already.

I have never locked my suitcase, even when traveling in the Third 
World.  The risk seems pretty small to me.  But if someone is worried, 
I recommend this lock.  Security theater plus a little bit of real 
security seems like a good combination in this case.


Lock website:
<http://www.travelsentry.org/travelers.htm>

News articles:
<http://www.pittsburghlive.com/x/tribune-review/news/s_172071.html>
<http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2003/12/07/TRGM239RJB1 
.DTL> or <http://tinyurl.com/2azte>

My old writings on key recovery:
<http://www.schneier.com/essay-infosec-scrambled-ft.html>
<http://www.schneier.com/paper-key-escrow.html>


** *** ***** ******* *********** *************

              Crypto-Gram Reprints



Crypto-Gram is currently in its seventh year of publication.  Back 
issues cover a variety of security-related topics, and can all be found 
on <http://www.schneier.com/crypto-gram.html>.  These are a selection 
of articles that appeared in this calendar month in other years.

Automated Denial-of-Service Attacks Using the U.S. Post Office:
<http://www.schneier.com/crypto-gram-0304.html#1>

National Crime Information Center (NCIC) Database Accuracy:
<http://www.schneier.com/crypto-gram-0304.html#7>

How to Think About Security:
<http://www.schneier.com/crypto-gram-0204.html#1>

Is 1028 Bits Enough?
<http://www.schneier.com/crypto-gram-0204.html#3>

Liability and Security
<http://www.schneier.com/crypto-gram-0204.html#6>

Natural Advantages of Defense: What Military History Can Teach Network 
Security, Part 1
<http://www.schneier.com/crypto-gram-0104.html#1>

UCITA:
<http://www.schneier.com/crypto-gram-0004.html#ucita>

Cryptography: The Importance of Not Being Different:
<http://www.schneier.com/crypto-gram-9904.html#different>

Threats Against Smart Cards:
<http://www.schneier.com/crypto-gram-9904.html#smartcards>

Attacking Certificates with Computer Viruses:
<http://www.schneier.com/crypto-gram-9904.html#certificates>


** *** ***** ******* *********** *************

             Stealing an Election



There are major efforts by computer security professionals to convince 
government officials that paper audit trails are essential in any 
computerized voting machine.  They have conducted actual examination of 
software, engaged in letter writing campaigns, testified before 
government bodies, and collectively, have maintained visibility and 
public awareness of the issue.

The track record of the computerized voting machines used to date has 
been abysmal; stories of errors are legion.  Here's another way to look 
at the issue: what are the economics of trying to steal an election?

Let's look at the 2002 election results for the 435 seats in the House 
of Representatives.  In order to gain control of the House, the 
Democrats would have needed to win 23 more seats.  According to actual 
voting data (pulled off the ABC News website), the Democrats could have 
won these 23 seats by swinging 163,953 votes from Republican to 
Democrat, out of the total 65,812,545 cast for both parties.  (The 
total number of votes cast is actually a bit higher; this analysis only 
uses data for the winning and second-place candidates.)

This means that the Democrats could have gained the majority in the 
House by switching less than 1/4 of one percent of the total votes -- 
less than one in 250 votes.

Of course, this analysis is done in hindsight.  In practice, more 
cheating would be required to be reasonably certain of winning.  Even 
so, the Democrats could have won the house by shifting well below 0.5% 
of the total votes cast across the election.

Let's try another analysis: What is it worth to compromise a voting 
machine?  In contested House races in 2002, candidates typically spent 
$3M to $4M, although the highest was over $8M.  The outcomes of the 20 
closest races would have changed by swinging an average of 2,593 votes 
each.  Assuming (conservatively) a candidate would pay $1M to switch 
5,000 votes, votes are worth $200 each.  The actual value is probably 
closer to $500, but I figured conservatively here to reflect the 
additional risk of breaking the law.

If a voting machine collects 250 votes (about 125 for each candidate), 
rigging the machine to swing all of its votes would be worth 
$25,000.  That's going to be detected, so is unlikely to 
happen.  Swinging 10% of the votes on any given machine would be worth 
$2500.

This suggests that it is necessary to assume that attacks against 
individual voting machines are a serious risk.

Computerized voting machines have software, which means we need to 
figure out what it's worth to compromise a voting machine software 
design or code, and not just individual machines.  Any voting machine 
type deployed in 25% of precincts would register enough votes that 
malicious software could swing the balance of power without creating 
terribly obvious statistical abnormalities.

In 2002, all the Congressional candidates together raised over 
$500M.  As a result, one can conservatively conclude that affecting the 
balance of power in the House of Representatives is worth at least 
$100M to the party who would otherwise be losing.  So when designing 
the security behind the software, one must assume an attacker with a 
$100M budget.

Conclusion:  The risks to electronic voting machine software are even 
greater than first appears.


This essay was written with Paul Kocher.


** *** ***** ******* *********** *************

                Counterpane News



Schneier is speaking at the CSO Perspectives Conference in San Diego on 
April 19th.
<http://www.csoonline.com/perspectives/april2004/>

Counterpane is exhibiting at NetWorld + Interop, taking place at the 
Las Vegas Convention Center, May 11 - 13.  Visit us in booth #2021.

Counterpane has sponsored a webcast with Gartner.  Both Gartner and 
Counterpane talk about network security and Managed Security Services.
<http://www.accelacomm.com/jlp/cryptogram/0/10001788/>

More Beyond Fear reviews:
<http://netsecurity.about.com/cs/bookreviews/gr/aapr032104.htm>
<http://victoria.tc.ca/int-grps/books/techrev/bkbyndfr.rvw>
<http://www.securitymanagement.com/library/001598.html>


** *** ***** ******* *********** *************

      Security Notes from All Over:  Man-in-the-Middle Attack



The phrase "man-in-the-middle attack" is used to describe a computer 
attack where the adversary sits in the middle of a communications 
channel between two people, fooling them both.  It is an important 
attack, and causes all sorts of design considerations in communications 
protocols.

But it's a real-life attack, too.  Here's a story of a woman who posts 
an ad requesting a nanny.  When a potential nanny responds, she asks 
for references for a background check.  Then she places another ad, 
using the reference material as a fake identity.  She gets a job with 
the good references -- they're real, although for another person -- and 
then robs the family who hires her.  And then she repeats the process.

Look what's going on here.  She inserts herself in the middle of a 
communication between the real nanny and the real employer, pretending 
to be one to the other.  The nanny sends her references to someone she 
assumes to be a potential employer, not realizing that it is a 
criminal.  The employer receives the references and checks them, not 
realizing that they don't actually belong to the person who is sending 
them.

It's a nasty piece of crime.


<http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/ 
03/18/BAG6S5MUEO1.DTL> or <http://tinyurl.com/333dj>


** *** ***** ******* *********** *************

                   BeepCard



BeepCard is a technology company.  They sell a sound authenticator for 
credit cards.  The demo looks like a credit card -- an actual credit 
card that passes all the credit card specs for bendability and 
reliability and everything -- and contains a speaker and a sound 
chip.  When you press a certain part of the card -- the "button" -- it 
spits out an audible 128-bit random string.

It's a non-repeating string that's reproduced in software at the other 
end, similar to a SecurID card, so an attacker can't record one audible 
string and deduce the rest of them.

This is perhaps the coolest security idea I've seen in a long 
time.  They have a demo application where you go to a website and 
purchase something with a credit card.  To authenticate the 
transaction, you have to put the card up to your computer's microphone 
and press the button.  The sound is captured using a Java or ActiveX 
control -- no plug-in required -- and acts as an authenticator.  It 
proves that the person making the transaction has the card in his 
hands, and doesn't just know the number.  In credit-card language, it 
changes the transaction from "card not present" to "card present."

Even cooler, they are making an enhancement to the system that also 
includes a microphone on the card.  This system will require the user 
to speak a password into the card before pressing the button.

Why do I like this?  It's a physical authentication system that doesn't 
require any special reader hardware.  You can use it on a random 
computer at an Internet cafe.  You can use it on a telephone.  I can 
think of all sorts of really easy, really cool applications.  If the 
price is cheap enough, BeepCard has a winner here.

<http://www.beepcard.com>


** *** ***** ******* *********** *************

            Bluetooth Privacy Hack



Seems that Bluetooth cell phones are vulnerable to snooping: not the 
conversations, the contents of the phones.

Adam Laurie, a security researcher in the U.K. discovered the flaw, the 
the London Times broke the story yesterday.  The hack is called 
"Bluesnarfing," and allows a hacker to remotely download the contacts 
list, diary, and stored pictures in Bluetooth-enabled telephones.

I don't have any of the technical details, but the implications are 
pretty scary.  You could take your Bluetooth-enabled laptop into a 
trade show and download the contact list of your rivals' salespeople's 
cell phones.  You could walk into a Congressional Press Conference and 
download information from the cell phones of Congressmen.  This story 
broke in the UK; I know that reporters would love to know who is on 
Tony Blair's, or Prince Charles's, speed dial.

It's unclear how many phones are affected -- whether this is a 
Bluetooth problem or an implementation problem with some Bluetooth 
phones -- or whether the problem is fixable.  But it's a big 
problem.  People treat cell phones like their wallets; they keep all 
kind of sensitive information in them.  For someone else to have the 
ability, remotely, of downloading the contents of the phone is disturbing.


News stories (paid access required):
<http://www.timesonline.co.uk/article/0,,2-1073484,00.html?submit.x=47&s 
ubmit.y=6>
<http://www.timesonline.co.uk/printFriendly/0,,1-7-1072761,00.html>

My 2000 essay on Bluetooth security:
<http://www.schneier.com/crypto-gram-0008.html#8>


** *** ***** ******* *********** *************

                      News



It's possible -- easy, even -- to use Google to search for vulnerable 
computers to hack.  Here are some of the possibilities:
<http://johnny.ihackstuff.com/index.php?module=prodreviews>

Once again, the U.S. Department of Interior has been told by the court 
to take its computers off the Internet because it cannot secure 
personal data:
<http://www.techweb.com/wire/story/TWB20040317S0005>

Worried about automatic cameras snapping a picture of your license 
plate as you speed through red lights?  Here's a company that sells a 
license plate cover that makes it hard to read at angles of more than 
five degrees.  Not sure if it's legal to use one, though.
<http://www.phantomplate.com>

A security breach at Equifax Canada leaked personal info about 1400 
people.  The criminals were "posing as legitimate credit 
grantors."  Sounds like a non-technical attack to me.
<http://www.cbc.ca/stories/2004/03/16/canada/credittheft040316>
<http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1079408743242_24/?h 
ub=TopStories> or <http://tinyurl.com/2ejcr>
Equifax Canada's response:
<http://www.equifax.com/EFX_Canada/news_and_perspective/press_e.html#Sec 
uritybreach> or <http://tinyurl.com/3aeht>

CSO Magazine grades government information security:
<http://www.csoonline.com/read/020104/grade.html>

Here's a story of a man in the UK who flew to Italy and back, having 
his passport checked several times.  However, he'd mistakenly picked up 
his wife's passport.  No one 
noticed.  <http://news.bbc.co.uk/1/hi/england/oxfordshire/3495299.stm>

The four big accounting companies, plus an insurance company, are 
working together on a cybersecurity risk measurement framework.  Could 
be interesting.
<http://www.computerworld.com/securitytopics/security/story/0,10801,9145 
0,00.html?nas=SEC-91450> or <http://tinyurl.com/2huxo>

Political activists are on the U.S. government "no fly" list:
<http://www.commondreams.org/headlines02/0927-01.htm>
<http://www.truthout.org/docs_04/020904E.shtml>

ATMs outfitted with equipment to steal debit card numbers and PINs:
<http://www.utexas.edu/admin/utpd/atm.html>

Interesting article about anti-counterfeiting technologies in 
banknotes.  The author expresses surprise that the general public 
doesn't check banknotes for authenticity very much.  To me this is 
perfectly reasonable.  It's not in anyone's best interest to find 
counterfeit money in his wallet.  Any anti-counterfeiting technology 
that relies on citizens checking money for authenticity is going to 
fail, because people just won't do it.  Now if banks gave 1.5x reward 
for counterfeit bills, citizens would get very good at spotting fake 
notes.  But that would cause another set of problems.
<http://www.rbnz.govt.nz/currency/money/0116878.html>
Banks and governments need to detect counterfeits:
<http://www.bis.org/press/p040309.htm>
Different countries' regulations on the use of images of money:
<http://www.rulesforuse.org>

A self-described psychic calls in a bomb tip and grounds an 
airplane.  Guess you don't have to be a terrorist to disrupt airline 
travel.
<http://www.cnn.com/2004/US/West/03/27/psychic.plane.ap/index.html>
<http://www.mercurynews.com/mld/mercurynews/8293055.htm>

Citing anonymous sources in the British intelligence community, the 
Sunday Times reported that an e-mail message intercepted by NSA spies 
precipitated a massive terrorism investigation.
<http://www.globetechnology.com/servlet/story/RTGAM.20040406.gtterror06/ 
BNStory/Technology/> or <http://tinyurl.com/2675t>

Interesting interview with Gene Spafford:
<http://grep.law.harvard.edu/article.pl?sid=04/04/05/0353235&mode=nested 
 > or <http://tinyurl.com/2yhgd>

Interesting, but long, essay on spam:
<http://www.colinfahey.com/spam_topics/spam_the_phenomenon.htm>

A couple of years I wrote about the security problems created by arming 
airplane pilots.  Here's an interesting related story: a sky marshal 
accidentally left his handgun in an airport bathroom...inside 
security.  This isn't a big deal.  The chance that a terrorist would 
have found and used the gun is essentially zero.  The chance that a 
random nutcase would have found and used the gun is larger, but still 
close enough to zero not to matter.  But the story is a good lesson 
that even well-thought-out security systems fail sometimes.
<http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=4803867> 
or <http://tinyurl.com/38kbv>


** *** ***** ******* *********** *************

                    Virus Wars



We're in the middle of a huge virus/worm epidemic.  Dozens and dozens 
of different ones have been found in the past few weeks.  Most of these 
are not new, but variants on others.

There seems to be an ongoing war between the people who write the Bagle 
worm and the people who write the Netsky worm.  Many variants of each 
are running around the Internet, and more seem to be found all the 
time.  Embedded in the different versions are comments and taunts to 
the other.

For example, this is what was found in Netsky.R:  "Yes, true, you have 
understand it.  Bagle is a shitty guy, he opens a backdoor, and he 
makes a lot of money.  Netsky not, Netsky is Skynet, a good software, 
Good guys behind it.  Believe me, or not.  We will release thousands of 
our Skynet versions, as long as Bagle is there and the 
people...  Thanks To Bruce Schneider.  And to all people in cz and 
russia.  Best regards.  We are the only Skynet."

(Yes, I used this as an example because I am mentioned.)

Unfortunately, this war shows no sign of ending.  Presumably the 
various participants will eventually grow up and get tired, but until 
then we have to endure more of this nonsense.


News articles:
<http://www.itnews.com.au/storycontent.asp?ID=10&Art_ID=19041>
<http://slashdot.org/article.pl?sid=04/04/06/0024208&mode=thread&tid=126 
&tid=172> or <http://tinyurl.com/yq9jz>

Netsky.R information:
<http://www.sophos.com/virusinfo/analyses/w32netskyr.html>

Bunches of variants described:
<http://www.f-secure.com/weblog/archives/archive-032004.html>


** *** ***** ******* *********** *************

              Comments from Readers



From: Todd Ellner <tellner@cs.pdx.edu>
Subject: Thoughts on striking back

It's always interesting when two things that one knows are in conflict 
with one another.  Not always comfortable but always interesting.

Your essays on hack-back and similar schemes are right.  Right morally 
and ethically, right technically.  But there are parts missing, and I 
think it's those absences which make me uneasy.  Please bear with me here.

The first part is what you call "vigilantism."  You define it as any 
attempt by one party to harm another in response to a perceived 
wrong.  You then combine it with the overlapping but most assuredly not 
identical idea of taking the law into one's own hands.

Vigilantes or the Committee of Vigilance was a historical response to 
lawlessness in times and places where law enforcement was non-existent 
or incapable of responding to crimes.  The vigilantes were groups of 
citizens.  The idea of a "lone vigilante" is semantically 
null.  Vigilantism was an expression of community will and mores for 
better or worse.

Bernard Goetz was not a "vigilante".  He was a guy with a gun.

When my wife was growing up in East Africa there wasn't a lot of money 
for modern policing.  Very often if there were robbers operating in the 
area, the men of the village would get together in a group, track them 
down, and either deliver them to the nearest police or military 
officials or mete out punishment, usually in the form of 
beatings.  That is vigilantism.

You have, I fear, conflated vigilantism -- unofficial and informal 
justice handled directly by a community rather than by the legal system 
-- with something else entirely: self-defense.  Self-defense is not 
about punishment.  It's not about revenge.  It's not about taking on 
the legal system's job.  It's about doing what is necessary at the 
moment to prevent harm to the innocent.

 From what little I can tell from their site and e-mails to their sales 
people, Symbiot is run by a bunch of idiots.  But what they seem to be 
trying to accomplish is self defense.  Stop the person who is trying to 
hurt you by removing his capacity to do harm at the time he is trying 
to inflict damage.

The difference is important and has been a fixture of the law since 
time immemorial.

In my other life, the one where I don't write software and administer 
Linux machines, I do a lot of things related to self-defense -- teach 
women's self defense courses, get abused women out of dangerous 
situations, do firearms instruction, get certified as an expert witness 
for self-protection and use of force cases, that sort of thing.

In the physical world the issues are pretty clear and easy to 
understand.  You can hit him to stop him from hitting you.  You can 
hold him until the police arrives.  You can not hit him if he's not an 
immediate threat.  You can't keep hitting him if he's not going to hit 
you any longer.  You certainly can't put the boot into him an extra 
time just because he deserves it.

There's another principle in the physical world and the psychological 
one -- deterrence.  To a great degree, physical security and protection 
are a communication process.  As the defender, you have to communicate 
to the attacker in language he understands and believes that whatever 
he wants is not going to be worth what he will have to pay for it.  If 
you've ever had cats or dogs you will know exactly what I am talking about.

So if we de-conflate the two issues I think there's something 
legitimate going on.  Deterrence rests on perceived costs.  The 
standard security measures are pretty much entirely passive.  They 
increase the time it will take before the criminal gets what he wants.

Criminal penalties help.  Highly publicized trials with stiff fines or 
jail sentences will certainly make many black hats think twice.  But 
the law, as any cop will tell you, doesn't act.  It reacts after the 
fact.  And it doesn't do anything about attacks that originate in 
foreign countries.

What I see people like Symbiot reacting to is not just the desire for 
revenge.  It's a recognition of what we all know deep down about 
self-protection and deterrence.  They are addressing a real concern, 
however clumsily, and are aware (even if they aren't aware) of what may 
be an irremediable weakness in electronic security.



From: Drew Johnson <a2johnson@yahoo.co.uk>
Subject: Security Benefits of Centralisation

I thought it was a great idea to try and model the economics of 
centralising security (Cryptogram 15th March 2004), but I would like to 
open some debate on your conclusion.  In reality, security spending is 
constrained.  With this in mind I think the opposite is true:

Centralising is good!

Lets reconsider the two scenarios assuming I have $1000 to protect and 
that I have a security budget of $10 to protect it with.

Scenario 1:

I go to a manufacturer and buy 10 $200-rated virtual vaults costing $1 
each.  I store $100 in each.  Any attacker will need the cash flow to 
find $200 up front if they wish to launch an attack.  After 
successfully attacking the first vault, the attacker is $100 in the 
red.  However, as all the virtual vault computers have identical 
vulnerabilities, the same attack can be replayed at minimal marginal 
cost (e.g. $1).  After attacking the 3rd vault, therefore, the attacker 
is $98 in the black.

Having attacked all 10 vaults the attacker would make a $791 profit.  I 
lose $1010.

Scenario 2:

I spend my entire budget of $10 on one $500-rated virtual vault and 
store $1000 in it.  (Note that this initially appears to be less value 
for money; each $1 only buys $50 of protection vs. $200 in scenario 
1.)   The barrier to entry for the attack has now been raised to 
$500.  Any attacker will also have to consider the operational risks 
inherent in their attack.  The $500-rated safe may have improved 
mechanisms to assist tracking and prosecution.

If successful the attacker would make a $500 profit whilst I again lose 
$1010.

So how has centralising security (on a fixed budget) affected risk?

The impact is identical in both scenarios, but the likelihood has been 
decreased in scenario 2.  This is because the entry cost for the attack 
has increased (reducing the population of attackers) and the motivation 
for an attacker has been decreased by decreasing the profit and 
possibly increasing risk of detection.

I know how I'd spend my budget.



From: "A. L. Papadopoulos" <dp949@tutor.open.ac.uk>
Subject: V-ID

This system is open to abuse and incompetence.  With regard to the 
former, I'm not convinced that everyone with access to potentially 
threatening information will refrain from using that information 
abusively, via blackmail, bigotry, red-lining and so forth.  Abusive 
employees could create false negatives as well as false 
positives.  This is borne out by the actual history of 
background-checking agencies in the UK, where there is currently a 
scandal about the hugely incompetent company that handles background 
checks.  I haven't found the page that details the case of teachers who 
were misidentified as criminals and refused jobs, so I won't make a 
claim as to its veracity, but there are a variety of articles about the 
UK Criminal Records Bureau, and about an IT provider called Capita, all 
in a similar vein.

I think that these two factors -- abuse and incompetence -- are reason 
enough to scrap any system that relies on the strategies of the V-ID as 
reported.



From: "Bruce Kaalund" <bakaalund@comcast.net>
Subject: I am not a terrorist cards

This is another case of the haves vs. the have-nots.  The fact that 
someone has a card "verifying" that he is not a terrorist not only 
would be a vehicle for potential bad guys to slip into the system, it 
would also create a large number of suspects.  Because you have to pay 
for the card, you run the risk of making the economically 
less-privileged into even bigger targets of the law enforcement 
community.  You also include the people who are occasional travelers, 
or who only go to one football game a year, because of the cost of the 
ticket.  As much as we may hate to talk about it, such a system would 
further relegate those who are ethnically, racially, socially and/or 
financially on the outside as potential terrorists.  These people now 
become the 21st century members of those "without papers."  Those whose 
jobs require travel would get the card, because their company would 
reimburse them for the cost.  These people tend to be in the more 
economically privileged status, which does cover ethnicity and racial 
categories, but not to the extent that it would be truly 
"color-blind."  I'm also sure that civil libertarians would raise grave 
concerns.



From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Microsoft Source Code and Security...

We must assume that a truly competent attacker already has access to 
the Windows source code.  The Russian and Chinese governments have 
legitimate access, and therefore their intelligence services have 
access.  A related interesting thought exercise would be how much cost 
would be required by a criminal organization in an attempt to 
exfiltrate the latest copy of the source code from Microsoft.

Physical access seems an obvious one, and probably would take only a 
few-hundred-dollar bribe and a USB key handed to a janitor in order to 
gain a network toehold.  Network attacks also seem a possibility, 
specifically IE attacks.  Corrupt some major banner server and, rather 
than being indiscriminate, respond with a Trojan only to 
Microsoft-owned IP addresses.  In either case, the risk of capture is 
reasonably low, the cost in time is measured in man-months or less, and 
the dollar cost negligible.

Thus, in all cases, the motto is clear: We MUST assume that truly bad 
guys have the latest Windows source code, if the bad guys think they 
would benefit from it.  Not a happy thought, especially when combined 
with the observation that Windows is Critical Infrastructure.



From: "Ian D. Eccles" <ide101@psu.edu>
Subject: The Economics of Spam

In the February issue of Crypto-gram, you printed an article titled 
"The Economics of Spam." You make a good point about spammers 
responding to account shutdown by using stolen accounts.  Because of 
this point, I strongly feel that Gates' third point is perhaps his 
weakest.  While forcing someone to pay for the e-mail they send may 
impose an incidental quality check on the message, it can only work if 
the person sending the e-mail is the one paying for it.  Presumably, 
any form of sendmail that allows for billing would have some form of 
authentication (likely a username/password associated with a user's 
account.) While this may make stealing accounts more difficult, it 
certainly does not make it impossible, or even infeasible; passwords 
are stolen on a fairly regular basis.  So, if Alice's e-mail account is 
hijacked by Bob, who then bulk e-mails the world about his new "natural 
male enhancement" product, Alice may be left footing the bill.  Thus, 
the mass-messaging was still free for Bob, but not for Alice.  The 
economics of spam seem worse off in this case because Alice has paid 
for a service she did not make use of.  Granted, because there is a 
bill involved, Alice is more likely to raise complaints, and maybe get 
some sort of investigation going to find the real culprit.  However, if 
a spammer employs the tactic of stealing multiple accounts and spamming 
only a little from each and costing the victim very little, the damage 
might go unnoticed.  In this case, spamming is still free to the spammer.


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, 
insights, and commentaries on security: computer and otherwise.  Back 
issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send 
a blank message to crypto-gram-subscribe@chaparraltree.com.  To 
unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.

Comments on CRYPTO-GRAM should be sent to 
schneier@counterpane.com.  Permission to print comments is assumed 
unless otherwise stated.  Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who 
will find it valuable.  Permission is granted to reprint CRYPTO-GRAM, 
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of 
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied 
Cryptography,"  and an inventor of the Blowfish and Twofish 
algorithms.  He is founder and CTO of Counterpane Internet Security 
Inc., and is a member of the Advisory Board of the Electronic Privacy 
Information Center (EPIC).  He is a frequent writer and lecturer on 
security topics.  See <http://www.schneier.com>.

Counterpane Internet Security, Inc. is the world leader in Managed 
Security Monitoring.  Counterpane's expert security analysts protect 
networks for Fortune 1000 companies world-wide.  See 
<http://www.counterpane.com>.

Copyright (c) 2004 by Bruce Schneier.
(Log in to post comments)