CRYPTO-GRAM, March 15, 2004
From: Bruce Schneier (schneier@counterpane.com)
Date: Mon Mar 15 2004 - 01:14:50 CST
CRYPTO-GRAM
March 15, 2004
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
<http://www.schneier.com>
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
Back issues are available at
<http://www.schneier.com/crypto-gram.html>. To subscribe, visit
<http://www.schneier.com/crypto-gram.html> or send a blank message to
crypto-gram-subscribe@chaparraltree.com.
Crypto-Gram is also available as an RSS feed:
<http://www.schneier.com/crypto-gram-rss.xml>
** *** ***** ******* *********** *************
In this issue:
Microsoft Source Code Leak
A Social Engineering Virus
News
Counterpane News
Port Knocking
Crypto-Gram Reprints
Security Notes from All Over: USPTO
Password Safe Version 2.0
The Doghouse: Symbiot Security
"I am Not a Terrorist" Cards
Security Risks of Centralization
Comments from Readers
** *** ***** ******* *********** *************
Microsoft Source Code Leak
On 13 February, it became known that Windows 2000 and Windows NT source
code was circulating on the Internet. Microsoft soon confirmed the
leak, saying that "incomplete portions of Windows 2000 and NT 4.0
source code was illegally made available on the Internet." Microsoft
downplayed the loss, and said it represented approximately 15% of
Windows source code. The leak was soon traced to a Microsoft partner,
Mainsoft. The Windows NT code that was leaked consisted of all of NT
4.0 Service Pack 3 -- more than 27,000 files. The Windows 2000 code
only contained select portions of the source code, but did include the
PKI module.
I am stunned that Microsoft didn't immediately know exactly who leaked
the code. There are easy techniques to give each version of the
Microsoft source code files a unique watermark, such that any copy can
be traced back to its source. The fact that they didn't bother doing
this says a lot about their own internal security.
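One way to make each partner's copy traceable, as the paragraph above says is easy to do. This is an added example, not Microsoft's or Mainsoft's code: every recipient gets a distinct codeword, and each bit is carried by a formatting choice (one or two spaces after a `//` comment marker) that does not change the compiled program. The partner names, codewords and C snippet are constructed; the codewords are kept at least four bits apart so that a copy that has been partly reformatted still traces to its nearest match.

```python
import re
from typing import Dict, List, Tuple

# A carrier site is a line with a '//' comment; the number of spaces after the
# marker (one or two) carries one bit and does not change the compiled program.
SITE_RE = re.compile(r"^(?P<code>.*?)//(?P<spaces> +)(?P<text>.*)$")

# Constructed codebook: each recipient gets an 8-bit codeword, and every pair of
# codewords differs in at least four positions so a partly reformatted leak
# still sits closest to the right recipient.
CODEBOOK: Dict[str, str] = {
    "PartnerA": "00000000",
    "PartnerB": "11110000",
    "PartnerC": "00001111",
    "PartnerD": "11111111",
}

# Constructed sample source (C) with eight comment-bearing lines.
SAMPLE_SOURCE = """\
int handle_request(struct req *r) {   // entry point
    if (r == NULL) {                   // defensive check
        return -1;                     // caller passed nothing
    }
    int len = r->len;                  // payload length
    if (len > MAX_LEN) {               // bound the copy
        return -2;                     // reject oversize
    }
    memcpy(r->buf, r->src, len);       // copy payload
    return 0;                          // success
}
"""


def carrier_lines(lines: List[str]) -> List[int]:
    """Indices of lines that can carry a watermark bit."""
    return [i for i, ln in enumerate(lines) if SITE_RE.match(ln)]


def embed(source: str, bits: str) -> str:
    """Return a copy of source with one codeword bit per carrier line."""
    lines = source.splitlines()
    sites = carrier_lines(lines)
    if len(bits) > len(sites):
        raise ValueError("not enough carrier lines for this codeword")
    for bit, idx in zip(bits, sites):
        m = SITE_RE.match(lines[idx])
        pad = " " if bit == "0" else "  "
        lines[idx] = f"{m['code']}//{pad}{m['text']}"
    return "\n".join(lines) + "\n"


def extract(source: str, n_bits: int) -> str:
    """Read the first n_bits watermark bits back out of a copy."""
    bits = []
    for ln in source.splitlines():
        m = SITE_RE.match(ln)
        if m is None:
            continue
        bits.append("0" if len(m["spaces"]) == 1 else "1")
        if len(bits) == n_bits:
            break
    return "".join(bits)


def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def trace(leaked: str, codebook: Dict[str, str] = CODEBOOK) -> Tuple[str, int]:
    """Name the recipient whose codeword is nearest to the bits in the leak,
    plus how many bits disagree (0 means an untouched copy)."""
    n_bits = len(next(iter(codebook.values())))
    found = extract(leaked, n_bits)
    best = min(codebook, key=lambda name: hamming(found, codebook[name]))
    return best, hamming(found, codebook[best])


def normalise_one_comment(text: str, site: int = 1) -> str:
    """Simulate an editor collapsing the spacing on one carrier line,
    which flips that bit in the leaked copy."""
    lines = text.splitlines()
    idx = carrier_lines(lines)[site]
    m = SITE_RE.match(lines[idx])
    lines[idx] = f"{m['code']}// {m['text']}"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    copy_b = embed(SAMPLE_SOURCE, CODEBOOK["PartnerB"])
    print(trace(copy_b))                          # ('PartnerB', 0)
    print(trace(normalise_one_comment(copy_b)))   # ('PartnerB', 1)
```

A real deployment would spread the bits over many more sites than codeword length, so that a leaker who strips some of them still leaves enough to identify the copy.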
It is interesting to speculate who might make use of the code. The
obvious group are hackers, who could pore through the code looking for
vulnerabilities to exploit. These could be hackers working on their
own, in the employ of spammers, or maybe as part of organized crime. I
believe that there will be some of this, but not that much. It's not
as if Microsoft vulnerabilities are hard to find, and that people need
the source code in order to find them.
Another possible group are companies writing compatible software. I
doubt there's much use here. It's just not worth the money for a team
of programmers to pore through the source code looking for hidden
system calls and programming tricks, especially since there's no
guarantee that those tricks will still work in the next revision of the
software.
A third group are attorneys looking for lawsuits. It has long been
rumored that Windows contains shortcuts that only Microsoft software
has access to, and that are denied to competing products. It might be
worth it for an attorney to hire a team of programmers to look for a
smoking gun, code that specifically helps Microsoft Office or hinders
StarOffice, for example. But even so, my guess is that it's too risky
a gamble.
National intelligence organizations are a fourth group that might be
interested in the code. It's certainly possible, but I believe that
any intelligence organization worth its salt that wants a copy of the
code already has it.
Microsoft's reaction demonstrates that they've thought about this,
too. According to an Information Week article, "Microsoft said
Wednesday that it has sent warning letters to people who've illegally
downloaded Windows source code." If you only think about the hacker
threat, this is an extraordinarily dumb move. The code is already out
there. It's public. There's no taking it back. Any bad guys who want
the code now have it, and won't be deterred by any lawyer letter. The
only thing Microsoft's lawyers are doing is preventing any good guys
from looking at the code, and maybe finding vulnerabilities that
Microsoft can then fix.
But if you realize that Microsoft's primary fear is probably other
attorneys, then their move makes sense. They want to limit the number
of good guys that can access the code, because they're afraid of what
might be found.
A company that truly understands data security would respond by
admitting and trying to fix the security breach that caused the leak,
and by proactively poring over the released code to quickly patch as
many of the inevitable bugs as possible. They would realize that the
hackers have the code and might use it, and not prevent the good guys
from helping defend themselves.
I even think they would have gotten better PR by doing that than they
did by calling in the lawyers.
<http://www.informationweek.com/story/showArticle.jhtml?articleID=17701340> or <http://tinyurl.com/3a2w3>
<http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/41788/windowspaulthurrott_41788.html> or <http://tinyurl.com/26kca>
<http://www.cnn.com/2004/TECH/internet/02/13/microsoft.code.ap/>
<http://news.com.com/2100-7349_3-5158496.html>
Report that Mainsoft is the source of the leak:
<http://www.eweek.com/article2/0,4149,1526831,00.asp>
** *** ***** ******* *********** *************
A Social Engineering Virus
Years ago I talked about the rise of semantic attacks: computer attacks
that target the user's understanding of what he sees, rather than the
computer software itself. One obvious example of this is malicious e-mails that try to
entice the user to click on the attachment. They've been around for a
while, and they continue to get better. This is one I recently
received. (The attachment is the Bagle.J virus.) Although it still
has some grammatical errors that seem to be the hallmark of this sort
of thing--are any virus spreaders competent English writers?--it's very
convincing:
Dear user, the management of DOMAIN.COM mailing system wants to let you
know that,
Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay Trojan server. In order to keep your computer safe,
follow the instructions.
Please, read the attach for further details.
Attached file protected with the password for security reasons.
Password is 64003.
The Management,
The DOMAIN.COM team
http://www.DOMAIN.COM
[Attachment called "message.zip"]
My essay on semantic attacks:
<http://www.schneier.com/crypto-gram-0010.html#1>
** *** ***** ******* *********** *************
News
Very good article about the mathematics behind Rijndael, the Advanced
Encryption Standard.
<http://research.sun.com/people/slandau/maa1.pdf>
Here's an obvious twist on the "bad guys smuggle a bomb on an airplane"
story. The bad guys smuggle the bomb on in parts, one at a time,
through security, and then assemble the device on board. I am reminded
of the MIT group that managed to win millions at casinos by counting
cards in blackjack. The casinos knew how to spot card counters, but
the group divided the tasks up among several people, such that none of
them individually was suspicious. This tactic of distributing an
attack works in several different security domains, and can be very
difficult to prevent.
<http://observer.guardian.co.uk/international/story/0,6903,1143524,00.html> or <http://tinyurl.com/2jqdg>
Honeypots in wireless networks.
<http://www.securityfocus.com/infocus/1761>
Exploit code for a recent ASN.1 vulnerability is available:
<http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950665,00.html> or <http://tinyurl.com/2ssku>
Ben Cohen of Ben & Jerry's Ice Cream has launched "The Computer Ate My
Vote" campaign, to lobby for increased security in electronic voting
machines.
<http://www.wired.com/news/business/0,1367,62294,00.html>
The German police are using SMS to distribute information on missing
persons and fugitives. Presumably the next step will be pictures.
<http://www.siliconvalley.com/mld/siliconvalley/news/7965775.htm>
There are now automated tools for Bluetooth hacking. This means that
it'll increasingly be done by people with less skill, and fewer ethics.
<http://www.silicon.com/networks/mobile/0,39024665,39118440,00.htm>
Opinion on the futility of anti-spam laws:
<http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39118479,00.htm> or <http://tinyurl.com/37ccq>
Meanwhile, AOL, EarthLink, Microsoft, and Yahoo have filed separate
suits against spammers in the US, under the CAN-SPAM law. They're
working together to build their case:
<http://www.internetretailer.com/dailyNews.asp?id=11500>
<http://seattlepi.nwsource.com/business/127114_spam18.html>
<http://www.pcworld.com/news/article/0%2Caid%2C112212%2Cpg%2C1%2C00.asp> or <http://tinyurl.com/2t63a>
A movie industry group is suing a company that sells DVD-copying software:
<http://www.siliconvalley.com/mld/siliconvalley/news/editorial/7950558.htm> or <http://tinyurl.com/3aphr>
<http://news.zdnet.co.uk/business/legal/0,39020651,39146323,00.htm>
<http://www.usatoday.com/tech/world/2004-02-16-canada-music-swamps_x.htm> or <http://tinyurl.com/23lj5>
Sad story of the aftermath of identity theft.
<http://msnbc.msn.com/id/4264051/>
Low-tech credit-card scam. Restaurant workers steal credit card
numbers from patrons, and then pass them to others who manufacture fake
credit cards.
<http://www.mercurynews.com/mld/mercurynews/news/local/7988627.htm>
The courts have ruled that JetBlue did not violate any laws when it
gave passenger information to U.S. defense contractors. This doesn't
surprise me. It was a violation of trust, to be sure, but not of law.
<http://www.usatoday.com/tech/news/techpolicy/2004-02-20-jetblue-privacy_x.htm> or <http://tinyurl.com/35axx>
"If hundreds of thousands of people are still blindly clicking on
attachments in their email, is there any hope of mitigating the threat
of hundreds of thousands of compromised systems with open backdoors?"
<http://www.securityfocus.com/columnists/221>
More evidence that technology has made photographs unreliable as
evidence of truth. Someone doctored a photo of John Kerry at an
anti-war rally to add Jane Fonda.
<http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2004/02/20/MNG4S54RGO1.DTL> or <http://tinyurl.com/2p9vp>
The Department of Homeland Security's (DHS) Protected Critical
Infrastructure Information (PCII) program causes security problems. By
allowing corporations to submit details about security vulnerabilities
and keep that information secret from the public, it can be used to
hide negligence or criminal behavior.
<http://www.securityfocus.com/news/8090>
Another idea for Web surfing privacy:
<http://zdnet.com.com/2100-1104_2-5164413.html>
There's a new lobbying group in the U.S.: the Cyber Security Industry
Alliance (CSIA) was formed by eleven security companies.
<http://www.washingtonpost.com/wp-dyn/articles/A3455-2004Feb24.html>
Patching is still much too difficult, and too many network owners still
don't do it.
<http://news.zdnet.co.uk/internet/security/0,39020375,39147340,00.htm>
More cyber-terrorism fear mongering:
<http://www.latimes.com/technology/la-na-cyber24feb25,1,7457295.story>
Risks of using hotel networks:
<http://edition.cnn.com/2004/TRAVEL/02/25/biz.trav.security>
Freeware password recovery utilities for Windows:
<http://freehost14.websamba.com/nirsoft/utils/index.html>
Interesting IDS research:
<http://www.gcn.com/vol1_no1/daily-updates/25155-1.html>
Another commentary on the open-source vs. closed-source security debate.
<http://www.theregister.co.uk/content/55/36029.html>
Some companies are trying to limit their liability in the event that
your personal information gets stolen.
<http://www.washingtonpost.com/wp-dyn/articles/A31874-2004Mar4.html?referrer%3Demail> or <http://tinyurl.com/2rbuc>
How anonymous cell phones used by terrorists were tracked by police:
<http://www.iht.com/articles/508783.html>
<http://www.theregister.co.uk/content/28/36060.html>
** *** ***** ******* *********** *************
Counterpane News
NEW: Crypto-Gram now has an RSS feed:
<http://www.schneier.com/crypto-gram-rss.xml>
Anyone who's having trouble getting Crypto-Gram through a spam filter
might want to consider this option.
Schneier's essay on security and terrorism appeared in the March issue
of Wired:
<http://www.schneier.com/essay-wired.html>
Schneier is speaking at PC Forum on March 22nd in Scottsdale.
<http://www.edventure.com/pcforum/index.cfm>
Schneier is speaking, and will be signing books, at Stacy's Bookstore
in San Francisco.
Another "Beyond Fear" review:
<http://www.nwfusion.com/newsletters/sec/2004/0216sec1.html>
** *** ***** ******* *********** *************
Port Knocking
Port knocking is a clever new computer security trick. It's a way to
configure a system so that only systems that know the "secret knock" can
access a certain port. For example, you could build a port-knocking
defensive system that would not accept any SSH connections (port 22)
unless it detected connection attempts to closed ports 1026, 1027,
1029, 1034, 1026, 1044, and 1035 in that sequence within five seconds,
and then listened on port 22 for a connection within the next ten
seconds. Otherwise, the system would completely ignore port 22.
It's a clever idea, and one that could easily be built into VPN systems
and the like. Network administrators could create unique knocks for
their networks -- family keys, really -- and only give them to
authorized users. It's no substitute for good access control, but it's
a nice addition. And it's an addition that's invisible to those who
don't know about it.
<http://www.linuxjournal.com/article.php?sid=6811>
<http://www.portknocking.org/>
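The knock sequence and the two timing windows from the paragraph above, written as a small per-source state machine. This is an added example, not code from the Linux Journal article or from portknocking.org; the source addresses and event timestamps are constructed. A sequence that takes longer than five seconds is discarded, and a completed knock opens port 22 for one connection within ten seconds.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Knock sequence and timing windows exactly as the text gives them.
KNOCK_SEQUENCE = (1026, 1027, 1029, 1034, 1026, 1044, 1035)
KNOCK_WINDOW = 5.0    # whole sequence must arrive within five seconds
OPEN_WINDOW = 10.0    # then port 22 is listened on for ten seconds
SSH_PORT = 22


@dataclass
class KnockState:
    progress: int = 0                   # knocks matched so far in this attempt
    started: Optional[float] = None     # time of the first knock of this attempt
    open_until: Optional[float] = None  # deadline for the one SSH connection


class PortKnockGuard:
    """Tracks each source address's progress through the secret knock."""

    def __init__(self, sequence=KNOCK_SEQUENCE, knock_window=KNOCK_WINDOW,
                 open_window=OPEN_WINDOW):
        self.sequence = sequence
        self.knock_window = knock_window
        self.open_window = open_window
        self.state: Dict[str, KnockState] = {}

    def handle(self, ts: float, src: str, dport: int) -> str:
        """Decide one connection attempt: 'drop', 'knock', 'open' or 'accept'."""
        st = self.state.setdefault(src, KnockState())
        if dport == SSH_PORT:
            if st.open_until is not None and ts <= st.open_until:
                st.open_until = None          # one connection per completed knock
                return "accept"
            return "drop"                     # otherwise port 22 is ignored entirely
        # Any other port is closed; it only matters as a knock.
        if st.progress and ts - st.started > self.knock_window:
            st.progress, st.started = 0, None  # too slow: start over
        expected = self.sequence[st.progress]
        if dport == expected:
            if st.progress == 0:
                st.started = ts
            st.progress += 1
            if st.progress == len(self.sequence):
                st.progress, st.started = 0, None
                st.open_until = ts + self.open_window
                return "open"
            return "knock"
        if dport == self.sequence[0]:          # wrong port, but a fresh first knock
            st.progress, st.started = 1, ts
            return "knock"
        st.progress, st.started = 0, None      # wrong port: discard this attempt
        return "drop"


# Constructed sample: (time in seconds, source address, destination port).
EVENTS: List[Tuple[float, str, int]] = [
    (0.0, "10.0.0.5", 1026), (0.4, "10.0.0.5", 1027), (0.9, "10.0.0.5", 1029),
    (1.3, "10.0.0.5", 1034), (1.8, "10.0.0.5", 1026), (2.2, "10.0.0.5", 1044),
    (2.6, "10.0.0.5", 1035),   # full knock in 2.6 s: port 22 opens until t=12.6
    (5.0, "10.0.0.5", 22),     # inside the window: accepted
    (6.0, "10.0.0.9", 22),     # never knocked: dropped
    (13.0, "10.0.0.5", 22),    # window used up and expired: dropped
    (20.0, "10.0.0.7", 1026), (21.0, "10.0.0.7", 1027), (22.0, "10.0.0.7", 1029),
    (23.0, "10.0.0.7", 1034), (24.0, "10.0.0.7", 1026), (25.0, "10.0.0.7", 1044),
    (26.0, "10.0.0.7", 1035),  # right ports, but 6 s > 5 s: sequence discarded
    (27.0, "10.0.0.7", 22),    # so this is dropped
]


def replay(events: List[Tuple[float, str, int]]) -> List[str]:
    """Run the guard over a list of events and return the decision per event."""
    guard = PortKnockGuard()
    return [guard.handle(ts, src, dport) for ts, src, dport in events]


if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, "->", decision)
```

The knock is a shared secret sent in the clear, so anyone who can watch the wire can replay it; that is why the text calls it an addition to access control rather than a substitute for it.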
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Crypto-Gram is currently in its seventh year of publication. Back
issues cover a variety of security-related topics, and can all be found
on <http://www.schneier.com/crypto-gram.html>. These are a selection
of articles that appeared in this calendar month in other years.
Practical Cryptography:
<http://www.schneier.com/crypto-gram-0303.html#1>
SSL flaw:
<http://www.schneier.com/crypto-gram-0303.html#3>
SSL patent infringement:
<http://www.schneier.com/crypto-gram-0303.html#8>
SNMP vulnerabilities:
<http://www.schneier.com/crypto-gram-0203.html#1>
Bernstein's factoring breakthrough?
<http://www.schneier.com/crypto-gram-0203.html#6>
Richard Clarke on 9/11's lessons:
<http://www.schneier.com/crypto-gram-0203.html#7>
Security patch treadmill:
<http://www.schneier.com/crypto-gram-0103.html#1>
Insurance and the future of network security:
<http://www.schneier.com/crypto-gram-0103.html#3>
The "death" of IDSs:
<http://www.schneier.com/crypto-gram-0103.html#9>
802.11 security:
<http://www.schneier.com/crypto-gram-0103.html#10>
Software complexity and security:
<http://www.schneier.com/crypto-gram-0003.html#SoftwareComplexityandSecurity>
Why the worst cryptography is in systems that pass initial cryptanalysis:
<http://www.schneier.com/crypto-gram-9903.html#initial>
** *** ***** ******* *********** *************
Security Notes from All Over: USPTO
The ricin patent is no longer available from the U.S. Patent Office
website.
In October 1962, the U.S. Patent Office granted patent 3,060,165
regarding the use of ricin as a biological weapon. Published patents
are, of course, publicly available. That's the whole point of the
patent process.
All U.S. patents are available from the USPTO website. As the site
says: "full-text since 1976, full-page images since 1790."
However, this particular patent is no longer in the database. Search
for it, and you'll get a "Patent not found" image.
<http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=3,060,165.WKU.&OS=PN/3,060,165&RS=PN/3,060,165> or <http://tinyurl.com/38vbt>
The obvious reason for its removal is fear that it would fall into the
wrong hands. But the patent is still available in foreign databases,
so this seems like a rather pointless exercise. You can still get the
patent from the European Patent Office. The German Patent Office also
has a version.
More and more, we're seeing the U.S. government take public information
and try to hide it. Sometimes there are pretty obvious reasons why,
like this one. Sometimes there are no obvious reasons why, and
terrorism looks like an excuse. There's resilient security in
openness, and brittle security in secrecy.
European Patent Office copy:
<http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=US3060165>
German Patent Office:
<http://depatisnet.dpma.de/>
Search for it manually: pick a language, choose beginner's search and
enter the patent number without commas.
** *** ***** ******* *********** *************
Password Safe Version 2.0
The new version of Password Safe is ready for download.
For those of you who don't know, Password Safe is my free Windows
password-storage utility. The problem Password Safe addresses is that
anyone who uses the Web regularly needs too many passwords, and it's
impossible to remember them all. The solution is a small program that
secures all of your passwords using one passphrase. Password Safe is
easy to use, and isn't bogged down by lots of unnecessary
features. Simplicity equals security. The website has details on
what's new in Version 2.0.
Password Safe is an open-source project at SourceForge, and is run by
Rony Shapiro. Thank you to him and to all the other programmers who
worked on the project. And we're still looking for people willing to
translate the program to Mac or Palm OS.
Project's homepage:
<http://passwordsafe.sourceforge.net/>
URL for this release:
<https://sourceforge.net/project/showfiles.php?group_id=41019&package_id=33169&release_id=217889> or <http://tinyurl.com/2qnc3>
Note that most users will want to download the bin.zip file, not the
bin.src file.
Release notes:
<https://sourceforge.net/project/shownotes.php?release_id=217889>
Linux version of Password Safe:
<http://www.semanticgap.com/myps/>
** *** ***** ******* *********** *************
The Doghouse: Symbiot Security
Symbiot Security claims to have a product that identifies attackers,
and then attacks back. Kind of scary, especially since many attacking
computers are victims themselves and there are all sorts of ways to
disguise the origin of an attack.
I know that vigilante justice is emotionally satisfying, but it's
unbecoming of a civilized society. This kind of thing could certainly
get the user sued, and may be illegal. It certainly is immoral.
<http://www.symbiot.com>
My essay on "strike back" technologies:
<http://www.schneier.com/crypto-gram-0212.html#1>
** *** ***** ******* *********** *************
"I am Not a Terrorist" Cards
Journalist and entrepreneur Steve Brill is developing a voluntary,
fingerprint-based ID card with a background check attached. The
company is called Verified Identity Card, Inc., and the card is called
a V-ID.
The idea is for people who are not on a set of government watch lists
to be able to subscribe to the service (or for organizations to buy it
for their employees, customers, etc.), and then get faster treatment at
security checkpoints around the country. Guards would be able to
divide people into two categories: more-trusted people with a card and
less-trusted people without a card -- and concentrate their screening
resources on the less-trusted category.
This topic has so many facets that it's hard to keep them
straight. There are actually two parallel systems here. The two
systems use the same card and the same infrastructure, but the security
analysis is different. The first is an outsourced corporate ID. I
think this is a fine idea, and a pretty good business model. Better
security at a cheaper cost -- how could you not like that?
The second system is essentially a voluntary national ID card. This is
the system I want to talk about in this essay. It's a bad idea, both
as a security countermeasure and as social policy. It's bad for
complicated reasons. There's the question of whether the system will
actually work -- whether the identity card would reduce the risk of
terrorism. There's the question of whether the two categories of
people -- cardholders and everyone else -- form a useful categorization,
and why the government would trust a private company with the terrorist
watch list. (Brill has presented this system as a solution to the
problem of innocent people with names similar or identical to that of
people on the terrorist watch list.) There's the question of whether
we as a nation want a system that divides people based on whether they
can afford a card. And there's the larger question of what in the
world identity has to do with security.
First, let's look at how the system works.
Any American can apply for a card. When you do, your name is compared
against certain lists: "presence on any government watch list,
citizenship or legal immigrant status, and the absence of any
significant, relevant criminal record." As long as your name isn't on
one of those lists, you are eligible for a card.
(It is not at all clear whether Brill will have access to the terrorist
watch lists. He has said that the law mandates that he have
access. He has said that the law mandates that he be able to pass
names to the government, who will give a "yes or no" response. He has
said all sorts of things, but the proof will be in the deployment. I'm
not at all convinced that, at the end of the day, he will have any
ability to check names against the list.)
To ensure that you are who you say you are, the system uses information
from the Choicepoint database (Choicepoint is a for-profit company that
does background checks) to construct a series of questions that only
you can answer. "Which of these five banks did you get a loan
from?" "Which of these addresses did you live at once?" You have to
apply in person, and answer these questions on computer in front of a
proctor. If you can answer these questions, the system assumes that
you're not an imposter.
Assuming everything checks out, the proctor records the fingerprints
(some number of them) of the person and he is issued a V-ID card. This
is a card that has information about the person; maybe a picture, maybe
the fingerprint information, and definitely an identification number.
(Presumably the outsourced ID system is similar, with some added
requirement about the corporation deciding who gets the card, and some
corporate logo on the card itself. But corporate cards can be used in
the general system, something Brill hopes will bootstrap that
system. I'm not sure, though, about what happens when a person on a
company's payroll is determined to be on a terrorist watch
list. Presumably the card will work as a corporate ID, but not as a
national ID.)
Security checkpoints that accept the card have some kind of reader
device. This device may or may not have the complete database of
fingerprints. The list of valid cards is definitely updated daily, as
people get on to (or off, I suppose) the various government lists. It
has a fingerprint reader and a slot for the card, and some kind of
visual indicator to let the guards know that the cardholder is okay.
This card is meant to be multi-use. Brill envisions that airports,
government buildings, stadiums, national monuments, and office
buildings will screen entrants. People with a card can go into a
special lane at any of these locations, verify their fingerprint, and
go through security with less hassle. People without the card would
have to go through the "unverified" lane, and presumably be more
extensively screened.
That's how the system is supposed to work. Let's look at how likely it
is to actually work.
The system hasn't been fully designed yet, but it looks as if the
fingerprint will be used to authenticate the cardholder, not identify
him. That's a good thing. I also assume that any data on the card
will be well-protected. There are, of course, many ways to defeat
fingerprint readers, but having a guard watch the person put his finger
on the reader is the best way to ensure its proper use. My worries are
not about how the system is used, but in the registration and the
administration of the back-end database.
It certainly would be possible to get a card in a fake name, just as it
is possible to get any other kind of ID card -- including a passport --
in a fake name. While the V-ID system won't deliberately issue cards
to people who should not have them, it will be designed to make it easy
for people to get cards. The Choicepoint questions are a clever idea,
but the database was developed to be secure against a very different
sort of attacker. Someone needs to do a lot of thinking about the
Choicepoint database as it relates to this new kind of attacker.
Trusted people within Choicepoint and V-ID are, of course, a potential
problem. Several of the 9/11 terrorists had real Virginia driver's
licenses in fake names, issued by dishonest state employees. This
system will not be immune to that sort of problem, although I'm sure
the creators will take pains to minimize the risk.
I worry about the back-end system. Somewhere there will be a computer
that generates the questions, matches identity information with
government databases, and generally administers the system. The
fingerprint database will be stored somewhere, possibly on every
reader. These databases would be vulnerable to attack, from insiders
and outsiders.
One counter-argument to this analysis is that most people won't be able
to subvert the system, either by defeating the card or the fingerprint
reader or the back-end database, or by manipulating the system into
giving them a card in a false name. Most people will either get a card
(or not) honestly, and use the system correctly. And while a few might
be able to successfully attack the system, that's no reason to throw it
out entirely. But the whole point of the system is to work in the face
of a dedicated and well-funded adversary. Even the argument that most
terrorists are stupid misses the point. It doesn't matter whether or
not average people can subvert the system; we want security systems
that protect us against smart people, especially smart terrorists.
The system is designed to be decentralized, so that someone cannot be
tracked through the use of the card. It is an open question as to
whether law enforcement could force the company to change that design
and use the system to track people. The infrastructure is all there to
do that: software on the reader and a communications system between the
readers and some central point. Brill has said that it would be
impossible, but from his description of the system, that's clearly not
true. He has also said that this couldn't happen because it would be a
violation of the contract the V-ID company has with its customers,
which makes no sense to me.
My primary security concerns surrounding this system stem from what
it's trying to do. In his writings and speaking, Brill is very careful
to explain that these are not "trusted traveler cards." He calls them
"verified identity cards." But the only purpose of his card is to
divide people into two lines -- a fast line and a slow line, a "search
less" line and a "search more" line, or whatever. (Each security
checkpoint that uses the card would develop its own procedures.) This
division only makes sense if it's based on a degree of trust. If you
didn't believe that people with the card were more trusted, you
wouldn't let them go in the fast lane. Here's an example: if I
designed a card that verified a person's dental hygiene, you wouldn't
divide people into two security lines based on that card, because you
know that people with good dental hygiene aren't more trusted than
people without. On the other hand, it would be valid to use that card
to divide people into dental service lines based on the assumption that
the people with good dental hygiene would be able to be treated
faster. Brill's plan is that people who have the card get a more
lenient security treatment than people without. Call it what you will,
but it means that people with the card are more trusted than people
without.
The reality is that the existence of the card creates a third, and very
dangerous, category: bad guys with the card. Timothy McVeigh would
have been able to get one of these cards. The DC sniper and the
Unabomber would have been able to get this card. Any terrorist mole
who hasn't done anything yet and is being saved for something big would
be able to get this card. Some of the 9/11 terrorists would have been
able to get this card. These are people who are deemed trustworthy by
the system even though they are not.
And even worse, the system lets terrorists test the system
beforehand. Imagine you're in a terrorist cell. Twelve of you apply
for the card, but only four of you get it. Those four not only have a
card that lets them go through the easy line at security checkpoints;
they also know that they're not on any terrorist watch lists. Which
four do you think will be going on the mission? By "pre-approving"
trust, you're building a system that is easier to exploit.
Moreover, any break in the system is much more serious because it has
so many applications. The company's literature considers it a problem
that "Americans now need several identification/security cards." But
that is actually a security feature. If a terrorist can subvert the
V-ID system, he can use it to gain access to any facility that uses the
system. It's a large single point of failure. Contrast that with a
company ID, which only grants access to a company's
facilities. Subverting that system would only allow the attacker
access to those facilities, and nothing else.
This brings up another fundamental question: Why should any security
checkpoint accept a V-ID card? This system costs money to install in
airports, sports stadiums, etc. -- they have to buy the card readers --
so there needs to be some benefit. The claimed benefit is customer
service; people with the card can get better treatment. Airlines have
long recognized the problem of forcing their best customers to wait in
long security lines, and have implemented special lines for first-class
passengers and high-tier frequent fliers. But for the owner of a
sports stadium, a person with a V-ID card isn't a higher-tier customer,
he's just a customer who paid for a V-ID card. What benefit does it
give to the stadium to separate people on that basis? The only one I
can think of is liability: by using the V-ID system, they receive some
kind of shielding from liability issues if someone with the card does
something nasty.
This is a big deal, and one that is very important to Verified Identity
Card's business. The company wants to be a voluntary national ID card,
but it doesn't want to accept any liability for being one. This is why
they try very hard not to call people with the card "trusted" in any
way. But why would a business accept the card if, when someone with a
card caused a problem, the business was liable? The business trusted
the card and the company backing it to tell it who is trusted and who
is not. The reason businesses accept government-issued identification
is that the courts consider it a reasonable check. A liquor store
owner can stand up in court and say: "He had a driver's license." What
does "he had a V-ID card" mean, unless the V-ID company is willing to
accept liability?
From their point of view, I think the V-ID company is smart not to
want to accept liability. The company is 100% correct when they say
that a person with a card isn't more trusted than a person without a
card, even though by saying so they are exposing the huge hole in their
business model. If a building's management decides that it is going to
run people through a metal detector, it makes no sense for them to only
screen people without a V-ID card. If an airport wants to implement
"extra" screening procedures on a few passengers, it makes no sense for
them to make that decision based on whether or not a passenger has a
V-ID card. Terrorists come in all shapes and sizes, and the last thing
we want is a terrorist with a V-ID card to be able to operate with
impunity.
Security is always a trade-off. The question to ask is not "Does this
system make us safer?" Otherwise we'd all be wearing bulletproof vests
and locking ourselves in our bedrooms. The question to ask is: "Is
this system worth the trade-offs?" The V-ID system has some pretty
serious trade-offs. The system collects a fingerprint database on
everyone who applies for the card -- a database that can be used and
abused by anyone with access, legitimate or illegitimate.
The system creates a social division of haves and have-nots based on an
ability to pay for the card. The system puts an infrastructure in
place for surveillance; even though the proposed system takes pains to
ensure that no information is collected about how people use the card,
it's not unreasonable to assume that this kind of data collection might
be added in the future. And it's expensive. The cost of the system
won't just be borne by those willing to pay for preferential treatment;
infrastructure costs will be passed on to all consumers somehow.
And what do we get for those costs? We get a security system with
built-in flaws. We get a system that divides people into two
categories that don't correlate very well with how dangerous they
are. We get a system that's a single point of failure, and one that
terrorists can use to their advantage. We get a system that collects
data on all users, innocent or not, with all the potential security
problems that can cause.
And we get a system that concentrates security resources on terrorism,
when the more serious problems are criminal. On 24 July 1998, Russell
Weston Jr. walked into the U.S. Capitol and started shooting, killing
two. Despite being known to the Secret Service and having been
investigated previously, he was not a "terrorist" threat. He would
likely have been able to get a V-ID card.
Identification has minimal security value, but it does have some. On
the other hand, freedom, privacy, and liberty are all values we
cherish, and they are the values that give our country its greatest
security. Citizens have rightly refused a national ID card because
they realize that the costs are simply not worth the security. A
system that issues ID cards to only those wealthy enough to afford them
is even worse.
Brill said that he doesn't believe in democratizing security, that it
doesn't make sense to apply the same security scrutiny to everyone. I
think that, at core, is the problem here. He thinks that he should be
able to get into a building without waiting in line because he is more
trustworthy. But by building a system that allows him to do so, we
run the risk of infringing on the rights of convicted felons who have
already paid their debt to society. We move from an "innocent until
proven guilty" society to a "treat some people as guilty, just in case"
one. It's a dangerous road to travel.
Press release:
<http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.story&STORY=/www/story/10-23-2003/0002042658&EDATE=THU+Oct+23+2003,+09:05+AM>
or <http://tinyurl.com/s1nt>
News articles:
<http://209.157.64.200/focus/f-news/1006499/posts>
<http://www.wired.com/news/business/0,1367,60965,00.html>
** *** ***** ******* *********** *************
Security Risks of Centralization
In discussions with Brill, he regularly said things like: "It's
obviously better to do something than nothing." Actually, it's not
obvious. Replacing several decentralized security systems with a
single centralized security system can actually reduce the overall
security, even though the new system is more secure than the systems
being replaced.
An example will make this clear. I'll postulate piles of money secured
by individual systems. The systems are characterized by the cost to
break them. A $100 pile of money secured by a $200 system is secure,
since it's not worth the cost to break. A $100 pile of money secured
by a $50 system is insecure, since an attacker can make $50 profit by
breaking the security and stealing the money.
Here's my example. There are 10 $100 piles, each secured by individual
$200 security systems. They're all secure. There are another 10 $100
piles, each secured by individual $50 systems. They're all insecure.
Clearly something must be done.
One suggestion is to replace all the individual security systems by a
single centralized system. The new system is much better than the ones
being replaced; it's a $500 system.
Unfortunately, the new system won't provide more security. Under the
old systems, 10 piles of money could be stolen at a cost of $50 per
pile; an attacker would realize a total profit of $500. Under the new
system, we have 20 $100 piles all secured by a single $500 system. An
attacker now has an incentive to break that more-secure system, since
he can steal $2000 by spending $500 -- a profit of $1500.
The problem is centralization. When individual security systems are
combined in one centralized system, the incentive to break that new
system is generally higher. Even though the centralized system may be
harder to break than any of the individual systems, if it is easier to
break than ALL of the individual systems, it may result in less
security overall.
There is a security benefit to decentralized security.
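The money-pile model above can be written down as a small calculation, which
also gives the general break-even point the article implies but does not
state. This is an added illustration, not part of the newsletter: the piles,
the $500 central system and the attacker's "break it if the cost is below
the value" rule are taken from the text; the function names and the
break-even formula are my own.

```python
"""Toy model of the centralization argument (added example, not from the
newsletter). Each pile is (value protected, cost to break its system). The
attacker is assumed to break any system whose break cost is below the value
it protects, and to pocket the difference."""

from typing import Iterable, List, Tuple

Pile = Tuple[int, int]  # (value protected, cost to break the system)


def decentralized_profit(piles: Iterable[Pile]) -> int:
    """Attacker's total profit when every pile has its own system: only the
    piles whose break cost is below their value are worth attacking."""
    return sum(value - cost for value, cost in piles if cost < value)


def centralized_profit(piles: Iterable[Pile], central_cost: int) -> int:
    """Attacker's profit when one system costing `central_cost` to break
    guards all the piles together: break it once and take everything, or
    leave it alone if the haul does not cover the cost."""
    total_value = sum(value for value, _ in piles)
    return max(0, total_value - central_cost)


def breakeven_central_cost(piles: Iterable[Pile]) -> int:
    """Smallest central break cost at which centralizing does not hand the
    attacker more profit than the scattered systems did. Derived from
    total_value - C <= decentralized_profit, i.e.
    C >= total_value - decentralized_profit (assumption: same attacker rule)."""
    piles = list(piles)
    return sum(value for value, _ in piles) - decentralized_profit(piles)


# Constructed scenario from the article: ten $100 piles behind $200 systems,
# ten $100 piles behind $50 systems, later replaced by a single $500 system.
ARTICLE_PILES: List[Pile] = [(100, 200)] * 10 + [(100, 50)] * 10

if __name__ == "__main__":
    print("decentralized attacker profit:", decentralized_profit(ARTICLE_PILES))  # 500
    print("centralized ($500) attacker profit:", centralized_profit(ARTICLE_PILES, 500))  # 1500
    print("central system must cost at least:", breakeven_central_cost(ARTICLE_PILES))  # 1500
```

The last number is the point the article leaves implicit: to merely match the
old arrangement, the single system has to cost more to break than the ten weak
systems combined plus the ten strong ones' margin, $1500 here, three times the
proposed $500, and to make the attack unprofitable outright it must exceed the
full $2000 it now guards.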
** *** ***** ******* *********** *************
Comments from Readers
From: "Ryan Malayter" <rmalayter@bai.org>
Subject: Identification and Security
I agree IDs are easy to forge, and don't offer any real assurance as to
the identity or intent of those being screened, for the reasons you
mention.
However, I always assumed that the authorities knew this, and
identification checks were designed to do something else: allow
security officers to study the behavior of those while being screened.
I knew a guy who used to check IDs at a bar in college, and he was
almost unbeatable. Some of the fakes were very good. Some were even
real state-issued IDs obtained with false documents. He could still
spot most of the would-be underage patrons, though, because of their
behavior while they handed him the ID. Sweaty palms, looking at the
ground, an overconfident smile, or an inane "cover conversation" gave
many of the kids away.
Even a well-trained terrorist would have a hard time not
showing *any* signs of anxiety while his ID was being checked by a
uniformed security official. Unfortunately, I suspect many TSA
employees have little or no training in identifying this type of
behavior. In the bar example, such training was obtained only through
years of observation and experience.
Of course, this "behavioral observation" is certainly an error-prone
process, but it could be very useful for identifying a pool of people
who might need further screening. Is it too much to hope that
providing a forum for such "behavior study" is the real reason for the
proliferation of ID checkpoints in our post-9/11 society, and not some
mass delusion on the part of security officials?
From: DV Henkel-Wallace <gumby@henkel-wallace.org>
Subject: Identification and Security
ID checks are more useless and pernicious than you state. In most
cases you don't need a false ID -- a legitimate ID will do. These "ID
checks" at hospitals, government buildings, trade shows (!) and the
like usually don't even involve any check to see if you're on any list
of any sort.
They merely check to see that you are carrying a document that looks
like legitimate identification. I've successfully used my now-obsolete
Price Club card, my National Shooting Club photo ID (a handwritten
document, although it _is_ laminated) and the like to get into office
buildings. And why not? The "check" doesn't verify anything about me
anyway.
What this DOES accomplish is 1) keep homeless people out of
courthouses, 2) keep those who wish to be anonymous from leaving a
message for their senator and 3) build a culture that accepts a routine
request for "Your papers, please."
Personally, I don't consider any of those useful accomplishments. But
perhaps I'm in the minority.
From: "Bruce Ediger" <eballen1@qwest.net>
Subject: The Economics of Spam
Hi. I read your Feb 15th "Crypto-Gram" newsletter with some interest,
in particular your "Economics of Spam" article.
I like that you treated spamming as an economic fact, but I think you
missed two points:
1. Of course Gates would decide that someone should pay for
e-mails. That's the only way that Microsoft can turn e-mail into a
profit center. They already have plans in progress to put copy
protection (DRM) on all Windows boxes, so Gates probably figures that
the DRM infrastructure could have a second use in e-mail. Imposing a
fee structure and copy protection on e-mails also allows them to
overthrow the current open standard SMTP transport of e-mail. Gates
has a keen awareness that commodity protocols get copied very rapidly.
2. The profitability of spam as advertising depends on very weak market
forces on that form of advertising. Spam has the unique property that
each and every recipient helps pay for the advertising (on-line time,
CPU cycles, disk space, etc) *before* the spam victim gets a chance to
decide to buy the advertised product or not. This differs completely
from any other form of advertising except telemarketing and
junk-faxing. Billboards, radio and TV spots, magazine and newspaper
ads, and direct mailings all require the advertiser to bear 100% of the
ad's costs. Of course, the small percentage that decide to buy the
advertised product end up paying for the advertising, but the key
aspect of buyer's choice remains. A conventional ad has to not offend
almost all potential buyers. Otherwise, the Invisible Hand spanks the
people who make the advertised product. The Invisible Hand of the
Marketplace only weakly affects spammers, as some or most of the ad's
cost has already been borne by the advertised-to.
From: Ralf Holzer <rholzer@cmu.edu>
Subject: US-VISIT Exemptions and Error Rates
You repeatedly mentioned that all but 27 countries are subject to the
fingerprinting and photographing measures (US-VISIT) now in effect at
most American ports of entry. I just wanted to point out that these
exemptions are mostly for tourists. I am a graduate student from
Germany with an F-1 visa and I have to go through the same
fingerprinting and photographing procedures. Tourists from Germany and
other European countries are only exempt because all European passports
will be required to have biometric identification in order to be able
to enter the U.S. beginning this fall.
A fellow student from a country requiring special registration has told
me that he now has several different profiles registered with US-VISIT,
because the system keeps falsely identifying his fingerprint. The
immigration officer seemed to be clueless about how to correct
this. Such a high error rate really makes me wonder about the
effectiveness of US-VISIT.
From: rfleming@cultdeadcow.com
Subject: Supermarket Club Card Databases
About a week ago, some junk mail arrived at my home from Albertson's
supermarket, announcing the creation of their new club card. The ad
copy declares: "The labor dispute has been tough on everyone. But one
thing we know for sure -- the day it's over, you're going to save like
never before. Great low prices and extra special values will be
yours... with the new Albertsons Sav-on Preferred Savings Card. Sign up
today!"
It got me thinking. Safeway and Ralph's (the other two supermarkets
affected by the strike) already have club cards. And one thing THEY now
know for sure is which of their customers are willing to cross picket
lines to buy groceries, and which aren't.
In other words, the purchase patterns contained in the Safeway and
Ralph's club card databases could be EASILY mined for individual
customers' sympathies to organized labor.
Think about that. The next time somebody applies for a job at his
neighborhood Safeway or Ralph's, should he expect them to check his
2003-2004 shopping habits for hints that he might be pro- or antiunion?
And what's keeping the supermarkets from offering this data to other
employers, or even the custodians of the Total Information Awareness
program?
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. Back
issues are available on <http://www.schneier.com/crypto-gram.html>.
To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send
a blank message to crypto-gram-subscribe@chaparraltree.com. To
unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.
Comments on CRYPTO-GRAM should be sent to schneier@counterpane.com.
Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.
Counterpane Internet Security, Inc. is the world leader in Managed
Security Monitoring. Counterpane's expert security analysts protect
networks for Fortune 1000 companies world-wide. See
<http://www.counterpane.com>.
Copyright (c) 2004 by Bruce Schneier.