From: Bruce Schneier (schneier_at_counterpane.com)
Date: Sun Dec 15 2002 - 03:11:26 CST



                   December 15, 2002

                   by Bruce Schneier
                    Founder and CTO
           Counterpane Internet Security, Inc.

    A free monthly newsletter providing summaries, analyses, insights, and
    commentaries on computer security and cryptography.

    Back issues are available at
    <http://www.counterpane.com/crypto-gram.html>. To subscribe, visit
    <http://www.counterpane.com/crypto-gram.html> or send a blank message
    to crypto-gram-subscribe@chaparraltree.com.

    Copyright (c) 2002 by Counterpane Internet Security, Inc.

    ** *** ***** ******* *********** *************

    In this issue:
          Crypto-Gram Reprints
          Comments on the Department of Homeland Security
          Counterpane News
          Security Notes from All Over: Dan Cooper
          Crime: The Internet's Next Big Thing
          Comments from Readers

    ** *** ***** ******* *********** *************


    This must be an idea whose time has come, because I'm seeing it talked
    about everywhere. The entertainment industry floated a bill that would
    give it the ability to break into other people's computers if they are
    suspected of copyright violation. Several articles have been written
    on the notion of automated law enforcement, where both governments and
    private companies use computers to automatically find and target
    suspected criminals. And finally, Tim Mullen and other security
    researchers start talking about "strike back," where the victim of a
    computer assault automatically attacks back at the perpetrator.

    The common theme here is vigilantism: citizens and companies taking the
    law into their own hands and going after their assailants. Viscerally,
    it's an appealing idea. But it's a horrible one, and one that society
    after society has eschewed.

    Our society does not give us the right of revenge, and wouldn't work
    very well if it did. Our laws give us the right to justice, in either
    the criminal or civil context. Justice is all we can expect if we want
    to enjoy our constitutional freedoms, personal safety, and an orderly

    Anyone accused of a crime deserves a fair trial. He deserves the right
    to defend himself, the right to face his accuser, the right to an
    attorney, and the right to be held innocent until proven guilty.

    Vigilantism flies in the face of these rights. It punishes people
    before they have been found guilty. Angry mobs lynching someone
    suspected of murder is wrong, even if that person is actually
    guilty. The MPAA disabling someone's computer because he's suspected
    of copying a movie is wrong, even if the movie was copied. Revenge is
    a basic human emotion, but revenge only becomes justice if carried out
    by the State.

    And the State has more motivation to be fair. The RIAA sent a
    cease-and-desist letter to an ISP asking them to remove certain files
    that were the copyrighted works of George Harrison. One of the files:
    "Portrait of mrs. harrison Williams 1943.jpg." The RIAA simply Googled
    for the string "harrison" and went after everyone who turned
    up. Vigilantism is wrong because the vigilante could be wrong. The
    goal of a State legal system is justice; the goal of the RIAA was

    Systems of strike back are much the same. The idea is that if a
    computer is attacking you -- sending you viruses, acting as a DDoS
    zombie, etc. -- you might be able to forcibly shut that computer down
    or remotely install a patch. Again, a nice idea in theory but one
    that's legally and morally wrong.

    Imagine you're a homeowner, and your neighbor has some kind of device
    on the outside of his house that makes noise. A lot of noise. All day
    and all night. Enough noise that any reasonable person would claim it
    to be a public nuisance. Even so, it is not legal for you to take
    matters into your own hand and stop the noise.

    Destroying property is not a recognized remedy for stopping a nuisance,
    even if it is causing you real harm. Your remedies are to: 1) call the
    police and ask them to turn it off, break it, or insist that the
    neighbor turn it off; or 2) sue the neighbor and ask the court to
    enjoin him from using that device unless it is repaired properly, and
    to award you damages for your aggravation. Vigilante justice is simply
    not an option, no matter how right you believe your cause to be.

    This is law, not technology, so there are all sorts of shades of gray
    to this issue. The interests at stake in the original attack, the
    nature of the property, liberty or personal safety taken away by the
    counterattack, the risk of being wrong, and the availability and
    effectiveness of other measures are all factors that go into the
    assessment of whether something is morally or legally right. The RIAA
    bill is at one extreme because copyright is a limited property
    interest, and there is a great risk of wrongful deprivation of use of
    the computer, and of the user's privacy and security. A strikeback
    that disables a dangerous Internet worm is less extreme. Clearly this
    is something that the courts will have to sort out.

    Way back in 1789, the Declaration of the Rights of Man and of the
    Citizen said that: "No person shall be accused, arrested, or imprisoned
    except in the cases and according to the forms prescribed by law. Any
    one soliciting, transmitting, executing, or causing to be executed any
    arbitrary order shall be punished." And also: "As all persons are held
    innocent until they shall have been declared guilty, if arrest shall be
    deemed indispensable, all harshness not essential to the securing of
    the prisoner's person shall be severely repressed by law."

    Neither the interests of sysadmins on the Internet, nor the interests
    of companies like Disney, should be allowed to trump these rights.

    Automated law enforcement:

    Mullen's essay:

    Berman legislation:

    ** *** ***** ******* *********** *************

                 Crypto-Gram Reprints

    Crypto-Gram is currently in its fifth year of publication. Back issues
    cover a variety of security-related topics, and can all be found on
    <http://www.counterpane.com/crypto-gram.html>. These are a selection
    of articles that appeared in this calendar month in other years.

    National ID Cards:

    Judges Punish Bad Security:

    Computer Security and Liabilities:

    Fun with Vulnerability Scanners:

    Voting and Technology:

    "Security Is Not a Product; It's a Process"

    Echelon Technology:

    European Digital Cellular Algorithms:

    The Fallacy of Cracking Contests:

    How to Recognize Plaintext:

    ** *** ***** ******* *********** *************

       Comments on the Department of Homeland Security

    The promise of the newly formed Department of Homeland Security is to
    improve our nation's security from terrorism. Unfortunately, the
    results are far more likely to be the opposite. Centralizing security
    responsibilities has the downside of making our security more brittle,
    by instituting a commonality of approach and a uniformity of
    thinking. Unless the new department distributes security
    responsibility even as it centralizes coordination, it won't improve
    our nation's security. Security has two universal truisms relevant to
    this discussion. One, security decisions need to be made as close to
    the problem as possible. This has many implications: protecting
    potential terrorist targets should be done by people who understand the
    targets; bombing decisions should be made by the generals on the ground
    in the war zone, not by Washington; and investigations should be
    approved by the FBI office that's closest to the investigation. This
    mode of operation has more opportunities for abuse, so competent
    oversight is vital. But it is also more robust, and is the best way to
    make security work.

    Two, security analysis needs to happen as far away from the sources as
    possible. Intelligence involves finding relevant information amongst
    enormous reams of irrelevant data, and then organizing all those
    disparate pieces of information into coherent predictions about what
    will happen next. It requires smart people who can see connections,
    and who have access to information from many disparate government
    agencies. It can't be the sole purview of anyone, not the FBI, CIA,
    NSA, or the new Department of Homeland Security. The whole picture is
    larger than any single agency, and each only has access to a small
    slice of it.

    The implication of these two truisms is that security will work better
    if it is centrally coordinated but implemented in a distributed
    manner. We're more secure if every government agency implements its
    own security, within the context of its department, with different
    strengths and weaknesses. Our security is stronger if multiple
    departments overlap each other. To this end, it is a good thing that
    the institutions best funded and equipped to defend our nation against
    terrorism aren't part of this new department: the FBI, the CIA, and the
    military's intelligence organizations.

    But all these organizations have to communicate with each other, and
    that's the primary value of a Department of Homeland Security. One
    organization needs to be a single point for coordination and analysis
    of terrorist threats and responses. One organization needs to see the
    big picture, and make decisions and set policies based on it.

    The human body defends itself through overlapping security systems. It
    has a complex immune system specifically to fight disease, but disease
    fighting is also distributed throughout every organ and every
    cell. The body has all sorts of security systems, ranging from your
    skin to keep harmful things out of your body, to your liver filtering
    harmful things from your bloodstream, to the defenses in your digestive
    system. These systems all do their own thing in their own way. They
    overlap each other, and to a certain extent one can compensate when
    another fails. It might seem redundant and inefficient, but it's more
    robust, reliable, and secure. You're alive and reading this because of it.

    The biological metaphor is very apt. Terrorism is hard to defend
    against because it subverts our institutions and turns our own freedoms
    and capabilities against us. It invades our society, festers and
    grows, and then attacks. It's hard to fight, in the same way that
    cancer is hard to fight. If we are to best defend ourselves against
    terrorism, security needs to be pervasive. It can't be in just one
    department; it has to be everywhere. Every federal department needs to
    do its part to secure our nation. Fighting terrorism requires defense
    in depth. This means overlapping responsibilities to reduce single
    points of failures, both for the actual defensive measures and for the
    intelligence functions.

    Our nation would be less secure if the new Department of Homeland
    Security took over all security responsibility from the other
    departments. The last thing we want is for the Department of Energy,
    the Department of Commerce, and the Department of State to say:
    "Security; that's the responsibility of the Department of Homeland
    Security." Security is the responsibility of everyone in
    government. We won't defeat terrorism by finding a single thing that
    works all the time. We'll defeat terrorism when every little thing
    works in its own way, and together provides an immune system for our
    society. The new Department of Homeland Security needs to coordinate
    but not subsume.

    ** *** ***** ******* *********** *************


    Microsoft is saying that it will patch vulnerabilities in older
    versions of its operating systems, even though it may mean breaking
    existing applications in the process. Security vs. functionality is
    one of the basic tensions of our business. Even though I've read some
    essays blasting Microsoft for this pronouncement, I think it's
    great. I think Microsoft should patch everything, no matter how old it
    is. Then, a user whose application breaks because of the patch can
    make his own choice: security vs. functionality. I want Microsoft to
    let users make that choice, rather than deciding for everyone.

    David Kahn's lecture at the 50th anniversary of the NSA:

    "The Peon's Guide to Secure Systems Development." Good essay on the topic.

    Here's a report that claims that the Macintosh OS is the least
    vulnerable to attack, because they have the fewest vulnerabilities.
    Microsoft has cried foul, claiming that because Windows is the most
    popular OS it is attacked more, but that doesn't mean it's less secure.
    Microsoft does have a point, but it's a subtle one. And it's not one
    necessarily in the company's favor. Certainly more exploits are
    written for Windows than for Mac, and hackers tend to target Windows
    more than the Mac. This doesn't necessarily mean that Windows is
    inherently less secure than Mac; there could be zillions of Macintosh
    vulnerabilities that no one has found yet. But it does mean that there
    are more published Windows vulnerabilities, and more widely available
    Windows attack tools. And since most attackers use published
    vulnerabilities and existing attack tools, Windows computers are broken
    into more. If I were choosing an operating system solely on the basis
    of security, I would never choose Windows. Regardless of whether or
    not it is inherently more secure, why would I want to use the popular

    Kevin Mitnick's book, "The Art of Deception," is a good read. The
    missing first chapter, deleted at the last minute by the publisher, is
    on the Internet. The chapter talks about Mitnick's life as a hacker
    and a fugitive, and his arrest and trial. It's very interesting reading.

    109-bit elliptic curve key cracked. I've been trying to get complexity
    estimates of this crack. The best I can find is that it took "massive
    amount of computing power including 10,000 computers (mostly PCs)
    running 24 hours a day for 549 days." Operational systems use 163-bit
    elliptic curve keys (or more), so there's absolutely nothing new to
    worry about because of this result.
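    The reasoning behind "nothing new to worry about" can be made concrete.
    The following is an added example, not from the newsletter: it takes
    the quoted figures (10,000 machines for 549 days against a 109-bit
    curve) and scales them with the generic square-root bound for the
    elliptic-curve discrete logarithm (Pollard rho and its parallel
    variants, whose expected work grows as 2^(bits/2)). The scaling
    assumes the larger curve has no special structure that would admit a
    faster attack and that the same class of hardware is used; the
    function names are mine.

```python
"""Scale the quoted 109-bit ECC crack to other key sizes.

Added example, not from the newsletter. Uses the generic square-root
bound (Pollard rho and its parallel variants): expected work grows as
sqrt(n), i.e. 2^(bits/2), so every 2 extra key bits double the cost.
Assumes no special curve structure and the same class of machines.
"""

# Figures quoted in the newsletter for the 109-bit result.
CRACKED_BITS = 109
REPORTED_MACHINES = 10_000
REPORTED_DAYS = 549


def generic_attack_ratio(target_bits, cracked_bits=CRACKED_BITS):
    """How many times more work a generic (square-root) attack needs for
    target_bits than for cracked_bits: 2^((target - cracked) / 2)."""
    return 2.0 ** ((target_bits - cracked_bits) / 2)


def scaled_effort(target_bits, machines=REPORTED_MACHINES, days=REPORTED_DAYS):
    """Return (machine_days, machine_years) needed to repeat the reported
    effort against a target_bits curve on the same kind of machines."""
    machine_days = machines * days * generic_attack_ratio(target_bits)
    return machine_days, machine_days / 365.25


def summary(target_bits):
    """One-line, human-readable comparison used by the demo below."""
    ratio = generic_attack_ratio(target_bits)
    _, years = scaled_effort(target_bits)
    return (f"{target_bits}-bit: {ratio:.3g}x the 109-bit effort, "
            f"about {years:.3g} machine-years on the same class of machines")


if __name__ == "__main__":
    for bits in (109, 163, 256):
        print(summary(bits))
```

    For a 163-bit curve the ratio is 2^27, roughly 134 million times the
    109-bit effort, or on the order of 2 trillion machine-years with the
    hardware described. Under the generic-attack assumption that is the
    attacker's cost floor; a structural weakness in a particular curve
    would change the picture, which is why curve choice matters as much
    as key length.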

    Seems like HP wireless keyboards don't have any built-in
    authentication. Here's a story about one person's keyboard talking to
    another person's computer, through walls 150 meters away.

    NIST and the NSA have published Common Criteria Protection Profiles for
    operating systems, firewalls, intrusion detection systems, tokens and
    public-key infrastructures.

    California law now requires businesses and government agencies to
    report cyber-attacks that may have compromised confidential
    information. There's a large loophole for information that may
    adversely affect an ongoing investigation, so I don't expect much
    change from this.

    Computer sabotage stories:

    Interesting article about getting the first step of security completely
    wrong: not understanding what problem a security system is supposed to
    solve. After 9/11, Ashcroft began enforcing a rule that required
    non-U.S. citizens to notify the federal government whenever they
    move. Change of address cards have been pouring into the government
    office by the hundreds of thousands. There's no staff to enter the
    address changes into a computer, and they're sitting in boxes in
    storage. And even if someone did enter the data, so what? How exactly
    is this going to solve any security problem? Is a terrorist going to
    send a card in when he moves? I don't think so.

    DMCA Abuse. Wal-Mart and other retailers are using the DMCA to stop
    consumer Web sites from publishing information about their sale
    prices. This flagrant abuse of the DMCA is yet more evidence of how
    bad a law it is.
    Wal-Mart has backpedaled on this issue, and has decided not to
    prosecute. Before you cheer, realize that the damage has already been
    done. The DMCA is much less a law to prosecute people under and much
    more a law to intimidate people by. The intimidation has already been

    Steganography, and whether or not terrorists are using it:

    Further evidence that sysadmins don't install security patches. This
    is a well-done scientific survey, and a really important result.

    Excellent paper on DRM, copyright, and peer-to-peer file
    sharing. Don't let the fact that this is written by Microsoft people
    fool you; this is good stuff.

    Good paper on home network security:

    2002 computer security survey:

    ** *** ***** ******* *********** *************

                    Counterpane News

    Still can't talk about what I can't talk about. Sorry.

    Interview with Schneier on CNet:

    Another article on Schneier:

    Interview with Schneier in Portuguese:

    ** *** ***** ******* *********** *************

        Security Notes from All Over: Dan Cooper

    On 24 November 1971, someone using the alias "Dan Cooper" invented a
    new way to hijack an aircraft, or at least a new way of getting
    away. He took over a Northwest Orient flight from Portland to Seattle
    by claiming he had a bomb. On the ground in Seattle, he exchanged the
    passengers and flight attendants for two hundred thousand dollars and
    four parachutes. Taking off again, he told the pilots to fly at 10,000
    feet toward Nevada. Then, somewhere over southwest Washington, he
    lowered the plane's back stairs and parachuted away. He was never
    caught, and the FBI still doesn't know who he is or whether he survived.

    This attack was new. It was thinking outside the box. The attack
    exploited a vulnerability in the seams of the security system: we spend
    a lot of effort securing entry and exit to aircraft on the ground, but
    don't really think about securing it in the air. (Also notice the
    cleverness in asking for four parachutes. The FBI had to assume that
    he would force some of the hostages to jump with him, and could not
    risk giving him dud chutes.) Cooper "cheated" and got away with it.

    He also inspired lots of copycats. In fact, so many attackers tried
    the same trick that Boeing installed something called a Cooper Vane on
    their planes, preventing the back stairs from opening in flight.

    N.B. A police officer erroneously called him "D.B. Cooper" and the name
    stuck, giving rise to both a ballad and a movie.

    ** *** ***** ******* *********** *************

           Crime: The Internet's Next Big Thing

    I think the next big Internet security trend is going to be crime. Not
    the spray-painting cow-tipping annoyance-causing crime we've been
    seeing over the past few years. Not the viruses and Trojans and DDoS
    attacks for fun and bragging rights. Not even the epidemics that sweep
    the Internet in hours and cause millions of dollars of damage. Real
    crime. On the Internet.

    Crime on the Internet is nothing new. We've all heard isolated stories
    of competitors breaking into each other's networks, hackers breaking
    into networks and extorting money from dazed sysadmins, and industrial
    espionage, identity theft, credit card-number theft, simple monetary
    theft from banks and other financial institutions, but it's the Nimdas
    and the root-name-server attacks that make the headlines. And while
    we're worrying about those threats, the criminals are slipping by
    unnoticed. They're stealing money and things they can sell for
    money. They're stealing credit card numbers and identity information
    and using it to commit fraud. They're engaging in industrial
    espionage. The crimes never change; it's only the tactics that are new.

    I predict that people will start noticing. Companies have a strong
    self-interest not to publicize any real crime against their
    networks. The bad press from making an attack public is often more
    harmful than the attack itself. But the times are changing. Just this
    year, California passed a law -- with large loopholes, unfortunately --
    requiring companies to make these attacks public. I predict more of
    these sorts of laws in the future.

    Criminals tend to lag behind technology by five to ten years, but
    eventually they figure it out. Just as Willie Sutton robbed banks
    because "that's where the money is," modern criminals will attack
    computer networks. Increasingly, value is online instead of in a
    vault; illicitly changing a number in a bank database can be
    significantly more lucrative than walking into a branch office waving a
    gun around.

    Real crime is hard to detect. When your network is being scanned
    dozens of times a day by script kiddies, the one serious criminal can
    sneak in unnoticed. At Counterpane, we monitor hundreds of networks
    against attack. Our hardest job, and the thing we spend the most time
    worrying about, is catching the real criminals among the hundreds of
    annoying hackers. It's the insider trying to change his salary in the
    human resources computer. It's the robbers trying to manipulate
    account balances on a bank computer. This is the real crime on the
    net, and when we catch these guys our customers are elated. More and
    more, this is going to be where companies want their computer security
    dollars to be spent.

    ** *** ***** ******* *********** *************

                 Comments from Readers

    From: Anonymous
    Subject: Embedded Systems - July 15, 2002 Cryptogram

    A draft of this sat in my mail program for several months. I noticed
    there were no replies with similar comments in later Cryptograms, so
    I'm sending this.

    Regarding your comments on embedded systems: I agree that threats like
    bombs and germs (as well as hurricanes and earthquakes) are far more
    likely than hackers, but these systems still have some serious security

    A few comments from personal experience (I coordinate the IT aspects of
    some energy management systems for my employer):

      * These systems are moving away from direct hard-wire connections to
    TCP/IP-based communications, since institutions can take advantage of
    existing network infrastructure rather than spend a lot of money to run
    and maintain dedicated hardwired connections. While they'll
    (hopefully) use a restricted network for their equipment, chances are
    they'll have a gateway on the open Internet so users (maintenance staff
    as well as contractors) can check on the equipment remotely.

      * Users of these systems are moving away from proprietary systems to
    open protocols like LonMark (aka LonWorks, EcheLon), BACnet, ModBus
    over IP, etc. Forget about security through obscurity.

      * The people who have designed these protocols know about their
    respective systems (fire alarms, heating/cooling systems, electrical
    metering, etc.) and little about network security, if even about
    computer networks. (I recall one vendor's BACnet system that required
    users setting them up to create their own MAC addresses.) What little
    security they implement may be a simple plaintext username and password.

      * Web-based (Java) interfaces are becoming more
    popular. Institutions prefer this since systems can be accessed from
    any computer with a web browser, instead of a specific computer with
    specialized software.

      * For the usual reasons, systems which are designed to take advantage
    of Internet Explorer's features are quite popular. Imagine analyzing a
    problem from a nearby office instead of going down 50 floors to the
    sub-basement of the building, or having a contractor quickly fixing a
    problem from his office rather than making a visit at $100+/hour, and
    you'll understand the appeal. Of course, this means anybody can get to
    such systems. A hacker does not even need to know about protocols,
    only the right Web site and password.

      * These systems may use proprietary or lesser-known Web servers,
    which don't have the same degree of testing or evaluation that
    something like Apache or even IIS has.

      * Often these systems have little or no logging facilities to say who
    logged in when (or tried to) and did what.

      * The people who use and maintain these systems on a day-to-day basis
    are not the most computer literate. Who regularly checks on the
    computers, installs service packs or patches, examines logs, etc.?

      * My experience with some contractors is that they are used to just
    throwing these systems onto whatever network connections they get and
    installing software onto a computer used by the maintenance staff. I
    suspect there are many institutions where the IT department has no idea
    such systems exist on their networks.

      * Likewise, the contractors usually send somebody who is an expert in
    a specific field (HVAC, electronic locks, fire alarms) but knows
    little about setting up or maintaining a Windows NT or Linux box.

      * The maintenance staff often makes the purchasing decisions with no
    input from the IT staff.

      * Queries or complaints to the vendors about security of their
    systems either disappear down the black hole of "we'll have development
    look at it" or result in defensive responses from their sales staff.

      * Throw in the usual sloppiness about users writing down passwords on
    their desks, sharing passwords or using easy-to-guess passwords,
    vendors using one password for all of their clients' systems, default
    passwords left unchanged....

    That's the tip of the iceberg.
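    One thing an IT department can do about the letter's suspicion that
    control systems sit on its network unnoticed is to look at flow
    records from its own routers for the open protocols the letter names.
    The following is an added example and not part of the letter or of
    any vendor's product: it parses constructed flow records, builds an
    inventory of hosts receiving Modbus/TCP (tcp/502) or BACnet/IP
    (udp/47808) traffic, and flags devices found outside the segment set
    aside for them as well as office-LAN or Internet sources reaching
    devices inside it. The restricted range, the records and the function
    names are assumptions for the example.

```python
"""Find building-control devices and who talks to them, from flow records.

Added example (not part of the reader's letter or any vendor product).
Port numbers are the standard ones for the two open protocols named in
the letter: Modbus/TCP on tcp/502 and BACnet/IP on udp/47808. The
restricted network range and the flow records are constructed.
"""
from ipaddress import ip_address, ip_network

CONTROL_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
}

# Assumption: the institution set this range aside for control equipment.
RESTRICTED_NET = ip_network("10.20.0.0/16")

# Constructed records: timestamp, source, destination, transport, dest port.
SAMPLE_FLOWS = """\
2002-12-15T08:01:10 10.20.3.4   10.20.0.12 tcp 502
2002-12-15T08:01:12 10.20.3.4   10.20.0.12 tcp 502
2002-12-15T08:05:30 10.20.0.12  10.20.0.13 udp 47808
2002-12-15T09:12:01 10.1.5.7    10.20.0.12 tcp 502
2002-12-15T09:15:44 192.0.2.77  10.20.0.20 udp 47808
2002-12-15T09:20:00 10.1.5.7    10.1.8.9   tcp 80
2002-12-15T10:00:00 10.1.9.21   10.1.9.50  tcp 502
"""


def parse_flows(text):
    """Parse the five-column records above into dicts with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def control_inventory(flows):
    """Map each host that receives control-protocol traffic to the protocols seen."""
    inventory = {}
    for f in flows:
        name = CONTROL_PORTS.get((f["proto"], f["dport"]))
        if name:
            inventory.setdefault(str(f["dst"]), set()).add(name)
    return inventory


def findings(flows):
    """Flag the two situations the letter worries about:
    - a control device answering outside the restricted segment (IT never
      knew it was installed), and
    - a source outside that segment (office LAN or the Internet) reaching
      a device inside it, i.e. the remote-access path in use.
    Returns sorted, de-duplicated (kind, src, dst, protocol) tuples."""
    seen = set()
    for f in flows:
        name = CONTROL_PORTS.get((f["proto"], f["dport"]))
        if name is None:
            continue
        if f["dst"] not in RESTRICTED_NET:
            seen.add(("device-outside-restricted-net", str(f["src"]), str(f["dst"]), name))
        elif f["src"] not in RESTRICTED_NET:
            seen.add(("cross-segment-access", str(f["src"]), str(f["dst"]), name))
    return sorted(seen)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, protos in sorted(control_inventory(flows).items()):
        print(f"{host:<12} {', '.join(sorted(protos))}")
    for item in findings(flows):
        print(*item)
```

    On the constructed records this turns up a Modbus device on an
    office subnet nobody registered, and two outside sources (one of them
    an Internet address) reaching controllers inside the restricted range.
    The same two checks apply to any other port the site's protocols use;
    the value is in the inventory, since the letter's other points (no
    logging, plaintext passwords, untracked contractors) can only be
    addressed for devices IT knows about.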

    From: "Christian Gruber" <cgruber@infotriever.com>
    Subject: National Strategy to Secure Cyberspace

    This is in response to a letter you included in the November
    Cryptogram. In it, a reader indicated that protecting the commons was
    best achieved by parceling it up, and sectioning it out to private
    ownership, who would "keep it clean" because they had incentive, since
    it was theirs, with the caveat: "The tricky bit is dividing the commons
    up into the proper chunks of property to insure that the greatest
    number of people can still use it at a fair price."

    There are three flaws here.

    The first is in the assumption that people keep what is theirs clean
    and accessible at all. I almost never weed my lawn. My wife gets
    allergy attacks when I use pesticides, and I'm not outdoorsy enough to
    take care of it myself. Because it's mine, I don't tend to take out
    the dandelions. I only do so when I am pressured by subtle and/or
    angry hints from my neighbours. Frankly, that's external pressure,
    unrelated to property ownership. That's them defending the commons of
    the beauty of the neighbourhood, combined with the commons of the
    airspace we share through which dandelion seeds fly. My "private"
    owned lot itself provides no incentive pressure to keep clean, nor do I
    have incentive to allow others onto it -- especially when they are just
    going to complain about my weeds. So indeed, parceling up "commons"
    seems to have no advantage to the common folk, but has great benefit to
    me, since I get to own property with which I can do what I please (more
    or less).

    Second, the statement "laws don't work" is patently ridiculous. If
    laws don't work, then I invite the reader to take tea with me the day
    after I brutally kill his dog. Since he will establish that I "damaged
    his property" and bring those same pesky community enforcement arms
    (popo's, for you ghetto kids) to arrest me on that basis. You see, if
    he is enforcing property rights under the law, he is saying laws
    work. Just not the laws FOR the commons.

    Thirdly, he's comparing the best of private ownership and minimalist
    governance against the worst of public trust governance. "Private
    owners are good, honest people, who will keep their own streets clean"
    but "Pork-barrel politicians are just waiting for that bribe to ignore
    environmental laws, whilst feeding at the public trough in the first
    place." The inverse picture is made by opponents of privatization,
    etc. "Those nasty megacorporations are polluting the earth" and "We
    need our big daddy the government to legislate moral behavior into
    corporations." Both are extreme comparisons of the worst of each side
    against the best, depending on which the speaker prefers. The truth is
    more moderate.

    The point is I smell bias here. Laws work for our friend. What
    doesn't work for the dear reader are laws that don't support an agenda
    of private ownership taking priority over public ownership. That's a
    fine position to take, and I am somewhat sympathetic to laws that
    enforce property rights. His presentation, however, tries to pass off
    a partisan bit of rhetoric as sensible argument, when it is in fact
    self-contradictory, and (albeit anecdotally) demonstrably false.

    ** *** ***** ******* *********** *************

    CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
    insights, and commentaries on computer security and cryptography. Back
    issues are available on <http://www.counterpane.com/crypto-gram.html>.

    To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or
    send a blank message to crypto-gram-subscribe@chaparraltree.com. To
    unsubscribe, visit <http://www.counterpane.com/unsubform.html>.

    Please feel free to forward CRYPTO-GRAM to colleagues and friends who
    will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
    as long as it is reprinted in its entirety.

    CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO
    of Counterpane Internet Security Inc., the author of "Secrets and Lies"
    and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
    and Yarrow algorithms. He is a member of the Advisory Board of the
    Electronic Privacy Information Center (EPIC). He is a frequent writer
    and lecturer on computer security and cryptography.

    Counterpane Internet Security, Inc. is the world leader in Managed
    Security Monitoring. Counterpane's expert security analysts protect
    networks for Fortune 1000 companies world-wide.

