From: Bruce Schneier (schneier at schneier.com)
Date: Sat Apr 14 2007 - 23:13:15 CDT
CRYPTO-GRAM
April 15, 2007
by Bruce Schneier
Founder and CTO
BT Counterpane
schneier at schneier.com
http://www.schneier.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0704.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Announcing: Second Annual Movie-Plot Threat Contest
The U.S. Terrorist Database
News
JavaScript Hijacking
Bank Botches Two-Factor Authentication
Schneier/BT Counterpane News
U.S. Government Contractor Injects Malicious Software into
Critical Military Computers
The Doghouse: Brutuslib
Cyber-Attack
Comments from Readers
** *** ***** ******* *********** *************
Announcing: Second Annual Movie-Plot Threat Contest
The first Movie-Plot Threat Contest asked you to invent a horrific and
completely ridiculous, but plausible, terrorist plot. All the entries
were worth reading, but Tom Grant won with his idea to crash an
explosive-filled plane into the Grand Coulee Dam.
This year the contest is a little different. We all know that a good
plot to blow up an airplane will cause the banning, or at least
screening, of something innocuous. If you stop and think about it, it's
a stupid response. We screened for guns and bombs, so the terrorists
used box cutters. We took away box cutters and small knives, so they
hid explosives in their shoes. We started screening shoes, so they
planned to use liquids. We now confiscate liquids (even though experts
agree the plot was implausible)...and they're going to do something
else. We can't win this game, so why are we playing?
Well, we are playing. And now you can, too. Your goal: invent a
terrorist plot to hijack or blow up an airplane with a commonly carried
item as a key component. The component should be so critical to the
plot that the TSA will have no choice but to ban the item once the plot
is uncovered. I want to see a plot horrific and ridiculous, but just
plausible enough to take seriously.
Make the TSA ban wristwatches. Or laptop computers. Or polyester. Or
zippers over three inches long. You get the idea.
Your entry will be judged on the common item that the TSA has no choice
but to ban, as well as the cleverness of the plot. It has to be
realistic; no science fiction, please. And the write-up is critical;
last year, the best entries were the most entertaining to read.
As before, assume an attacker profile on the order of 9/11: 20 to 30
unskilled people, and about $500,000 with which to buy skills,
equipment, etc.
Post your movie plots -- and read other entries -- on the blog post.
Judging will be by me, swayed by popular acclaim in the blog comments
section. The prize will be an autographed copy of "Beyond Fear" (in both
English and Japanese) and the adulation of your peers. And, if I can
swing it -- I couldn't last year -- a phone call with a real live movie
producer.
Entries close at the end of the month: April 30.
The purpose of this contest is absurd humor, but I hope it also makes a
point. Terrorism is a real threat, but we're not any safer through
security measures that require us to correctly guess what the terrorists
are going to do next.
Blog post:
http://www.schneier.com/blog/archives/2007/04/announcing_seco.html
The implausibility of the liquids plot:
http://www.schneier.com/blog/archives/2006/08/on_the_implausi.html
First Annual Contest:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html
** *** ***** ******* *********** *************
The U.S. Terrorist Database
It's called Terrorist Identities Datamart Environment (TIDE), and it's
huge. In 2003, there were 100,000 people on it; now there are 435,000.
Of course there are problems:
"TIDE has also created concerns about secrecy, errors and privacy. The
list marks the first time foreigners and U.S. citizens are combined in
an intelligence database. The bar for inclusion is low, and once someone
is on the list, it is virtually impossible to get off it. At any stage,
the process can lead to 'horror stories' of mixed-up names and
unconfirmed information, Travers acknowledged."
Mostly the article tells you things you already know: the list is
riddled with errors, and there's no defined process for getting on or
off the list. But the most surreal quote is at the end, from Rick
Kopel, the center's acting director:
"The center came in for ridicule last year when CBS's '60 Minutes' noted
that 14 of the 19 Sept. 11 hijackers were listed -- five years after
their deaths. Kopel defended the listings, saying that 'we know for a
fact that these people will use names that they believe we are not going
to list because they're out of circulation -- either because they're
dead or incarcerated.... It's not willy-nilly. Every name on the list,
there's a reason that it's on there.'"
Get that? There's someone who deliberately puts wrong names on the list
because they think the terrorists might use aliases, and they want to
catch them. Given that reasoning, wouldn't you want to put the entire
phone book on the list?
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/24/AR2007032400944.html
or http://tinyurl.com/2m6qft
** *** ***** ******* *********** *************
News
Time Magazine article (from last November) on why we get risk so wrong.
Interesting stuff, and very similar to my essay on the psychology of
security.
http://www.time.com/time/magazine/article/0,9171,1562978-1,00.html
You can buy a fake U.S. Employment Authorization card for $200.
http://groups.google.com/group/alt.visa.us.marriage-based/browse_thread/thread/c5eb06ad0ba5f23e/78971a9ce120f1c6#78971a9ce120f1c6
or http://tinyurl.com/yw6vnn
Here's a real version. Notice how all the security features of the card
are faked -- very well.
http://www.immihelp.com/greencard/sample-employment-authorization-card-ead.html
or http://tinyurl.com/265od2
Interesting article: Neil M. Richards & Daniel J. Solove, "Privacy's
Other Path: Recovering the Law of Confidentiality," 96 Georgetown Law
Journal, 2007.
http://ssrn.com/abstract=969495
"Terrorist bus drivers" is a movie-plot threat that taps into two of our
fears: terrorists, and risks to our children.
http://www.foxnews.com/story/0,2933,259168,00.html
http://news.aol.com/topnews/articles/_a/fbi-says-extremists-eye-school-buses/20070316134109990001
or http://tinyurl.com/2lzfbl
http://www.boingboing.net/2007/03/19/fbi_terrorists_might.html
Interesting story of a social-engineering diamond theft:
http://news.independent.co.uk/europe/article2369019.ece
U.S. Patent Office spreads FUD about music downloads. "The report,
which the patent office recently forwarded to the U.S. Department of
Justice, states that peer-to-peer networks could manipulate sites so
children violate copyright laws more frequently than adults. That could
make children the target in most copyright lawsuits and, in turn, make
those protecting their material appear antagonistic, according to the
report." What happened? Did someone in the entertainment industry
bribe the PTO to write this?
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198000239
or http://tinyurl.com/267zjx
http://www.uspto.gov/web/offices/com/speeches/07-11.htm
Another great movie-plot threat: "The Personal Car Communicator (PCC)
is your car key's smart connection with your Volvo S80 applying the
latest in two-way radio technology. When in range, you'll always know
the status of your car. Locked or unlocked. Alarm activated or not. If
the alarm has been activated, the heartbeat sensor will also tell you if
there is someone inside the car. The PCC also includes keyless entry and
keyless drive."
http://www.volvocars.us/models/s80/FeaturesOptions.htm
Ford press release explaining the technology:
http://media.ford.com/article_display.cfm?article_id=9253
The greater Manchester police want everyone to help them find terrorists:
http://www.manchestereveningnews.co.uk/news/s/1000/1000981_help_us_spot_terrorists__police.html
or http://tinyurl.com/27wuan
This reminds me of TIPS, the ill-conceived U.S. program to have meter
readers and the like -- people who regularly enter people's homes --
report suspicious activity to the police. It's just dumb; people will
report each other because their food smells wrong, or they talk in a
funny language. The system will be swamped with false alarms, which
police will have to waste their time following up on. This sort of
state-sponsored snitchery is something you'd expect out of the former
East Germany or Soviet Union -- not the UK.
For comparison's sake, here's a similar program that I actually liked.
http://www.schneier.com/blog/archives/2005/12/truckers_watchi.html
Control your car from the Internet. Or, for more fun, hack into the
system and control someone else's car from the Internet.
http://www.autoblog.com/2007/03/17/you-are-big-brother-control-and-track-your-car-from-the-net/
or http://tinyurl.com/29hwcc
Selling and reselling phone minutes: an interesting new variation of
phone fraud:
http://www.msnbc.msn.com/id/17522658/site/newsweek/
A new threat I hadn't thought of before: stealing data from disk drives
in photocopiers:
http://edition.cnn.com/2007/TECH/ptech/03/14/photocopier.risks.ap/index.html
or http://tinyurl.com/25zmdo
Google has new privacy rules: they only store personal data for two
years, instead of forever. It's a good change, but I'm not sure it is
enough. I'd really prefer it if Google deleted the information after a
shorter time.
http://articles.techrepublic.com.com/2100-1009_11-6167333.html?tag=nl.e019
or http://tinyurl.com/2f9l32
http://www.huffingtonpost.com/huff-wires/20070314/google-privacy
CRS Report on polygraphs. Especially note pages 6-7: the bit about
false positives.
http://www.fas.org/sgp/crs/intel/RL31988.pdf
See also "The Lie Behind the Lie Detector":
http://antipolygraph.org/lie-behind-the-lie-detector.pdf
The ultimate movie-plot threat: killer asteroids. And there's not
enough money to track them.
http://www.msnbc.msn.com/id/17473059/
Tom Kyte, Oracle database expert, relays a surreal story of a border
crossing -- and the incompetence of the border official -- into the U.S.
from Canada:
http://tkyte.blogspot.com/2007/03/crossing-border.html
Interesting article about diplomatic immunity as a "get out of jail
free" card in Germany.
http://www.spiegel.de/international/spiegel/0,1518,468715,00.html
"The Straight Dope" on diplomatic immunity:
http://www.straightdope.com/mailbag/mdiploimmunity.html
American Express is patenting tracking people via RFID. I don't know
how serious AmEx is about this, but it certainly is a good illustration
of the possibilities of the technology.
http://www.spychips.com/press-releases/american-express-conference.html
or http://tinyurl.com/3d52je
Dutch e-voting scandal:
http://www.theregister.co.uk/2007/03/17/foi_dutch/
Really good article about how we misplace the blame in personal identity
thefts:
http://arstechnica.com/news.ars/post/20070314-breaches-of-data-blaming-the-myth.html
or http://tinyurl.com/ysfn7e
The British government issues 10,000 fraudulent passports in one year.
These aren't fake passports; they're real ones mis-issued. They have
RFID chips and any other anti-counterfeiting measure the British
government includes. This is the kind of thing that demonstrates why
attempts to make passports harder to forge are not the right way to
spend security dollars.
http://www.guardian.co.uk/terrorism/story/0,,2038442,00.html
This article is about Singapore's vast data mining program. What's
troubling to me is that even though Congress pulled funding for the
program, it was developed elsewhere and now may be sold back to the U.S.
http://www.wired.com/politics/onlinerights/news/2007/03/SINGAPORE
Security measures in the UK's new 20-pound note:
http://news.bbc.co.uk/1/hi/business/6444003.stm#graphic
How to recover from identity theft: a U.S.-specific checklist:
http://www.yourcreditadvisor.com/blog/2007/03/your_identity_h.html
Website of U.S. "right to privacy" law cases:
http://www.law.umkc.edu/faculty/projects/ftrials/conlaw/rightofprivacy.html
or http://tinyurl.com/yeuv3y
In the UK, parents are buying body armor for children. One type of risk
we consistently overestimate is risks involving our children.
http://www.timesonline.co.uk/tol/news/uk/article1552956.ece
Great old article from The Onion: Al-Qaeda or Teens?
http://www.theonion.com/content/node/39374
Interesting insights on teenagers and risk assessment, in an article on
auto-asphyxiation:
http://www.schneier.com/blog/archives/2007/03/teenagers_and_r.html
http://www.nytimes.com/2007/03/28/us/28risk.html?ex=1332734400&en=0a99164763a02077&ei=5090&partner=rssuserland&emc=rss
or http://tinyurl.com/26ot9e
The Royal Academy of Engineering (in the UK) has just published a
report, "Dilemmas of Privacy and Surveillance: Challenges of
Technological Change," where they argue that security and privacy are
not in opposition, and that we can have both if we're sensible about it.
http://www.raeng.org.uk/policy/reports/pdf/dilemmas_of_privacy_and_surveillance_report.pdf
or http://tinyurl.com/yul7kl
http://www.raeng.org.uk/news/releases/shownews.htm?NewsID=378
http://www.theregister.co.uk/2007/03/27/security_privacy_study/
At least read the recommendations:
http://www.schneier.com/blog/archives/2007/03/security_plus_p.html
Mennonites are considering moving to a different state because they
don't want their photo taken for their driver's licenses. Many (all?)
states had religious exemptions to the photo requirement, but now fewer
do. The most interesting paragraph to me is the last one, which says
that Amish hunters in Pennsylvania are getting their non-Amish neighbors
to buy guns for them, to get around a law requiring a photo-ID to
purchase a gun.
http://www.msnbc.msn.com/id/17725931/
This is an old article -- from 2000 -- but the sidebar (at the end)
describing how the electronics store Crazy Eddie committed massive
financial fraud is fascinating.
http://www.aicpa.org/pubs/jofa/oct2000/wells.htm
Comment by Crazy Eddie's former CFO:
http://www.schneier.com/blog/archives/2007/03/crazy_eddie_fin.html#c159443
or http://tinyurl.com/2hqk9a
Security-related April Fool's jokes.
My favorite: Windows Transparency Information Disclosure
http://www.caughq.org/advisories/CAU-2007-0001.txt
More:
http://www.ndtv.com/convergence/ndtv/story.aspx?id=NEWEN20070007398
http://www.techliberation.com/archives/042234.php
I don't know if "Threat Alert" Jesus is specifically April Fool's, but
it's pretty funny.
http://www.threatalertjesus.com/
"2006 Operating System Vulnerability Study": long, but interesting. At
least read the closing.
http://www.omninerd.com/2007/03/26/articles/74
A "red team" was able to sneak about 90% of simulated weapons through
Denver airport security. I'm not sure which is more important -- the
news or the fact that no one is surprised.
http://www.9news.com/news/article.aspx?storyid=67166
"Papers, Please," a great essay from 1990 by Bill Holm.
http://bibdaily.com/pdfs/Papers,%20Please.pdf
VBootkit bypasses Windows Vista's code-signing mechanisms.
http://www.heise-security.co.uk/news/87709
A fascinating first-person story of a credit-card fraudster, excerpted
from a forthcoming book:
http://www.guardian.co.uk/weekend/story/0,,2041537,00.html
http://www.guardian.co.uk/weekend/story/0,,2041544,00.html
WEP (Wired Equivalent Privacy) was the original encryption protocol for
802.11 wireless networks. It has been known to be insecure since 2001 and
has been replaced by Wi-Fi Protected Access, but it's still in use. This
paper shows how to recover a 104-bit WEP key in less than 60 seconds, the
best attack to date: about 40,000 captured packets give a 50% chance of
recovering the key and 85,000 packets a 95% chance, and because the
attacker can re-inject captured ARP requests to provoke traffic,
collecting that many packets takes well under a minute:
http://eprint.iacr.org/2007/120.pdf
More info and a proof-of-concept implementation:
http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
Random-number humor from Dilbert:
http://web.archive.org/web/20011027002011/http://dilbert.com/comics/dilbert/archive/images/dilbert2001182781025.gif
or http://tinyurl.com/3aav3f
And 17 is the most random number between 1 and 20.
http://scienceblogs.com/cognitivedaily/2007/02/is_17_the_most_random_number.php
or http://tinyurl.com/358or5
http://scienceblogs.com/cognitivedaily/2007/02/randomness_wrapup.php
This paper, from February's "International Journal of Health
Geographics," analyzes the consequences of a nuclear attack on several
American cities and points out that burn unit capacity nationwide is far
too small to accommodate the victims. It says just training people to
flee crosswind could greatly reduce deaths from fallout.
http://www.ij-healthgeographics.com/content/6/1/5/abstract/
http://www.ij-healthgeographics.com/content/pdf/1476-072X-6-5.pdf
http://www.ij-healthgeographics.com/content/6/1/5
http://www.fas.org/main/content.jsp?formAction=297&contentId=367
I've long said that emergency response is something we should be
spending money on. This kind of analysis is both interesting and helpful.
Dept of Homeland Security wants DNSSEC keys:
http://www.theregister.co.uk/2007/04/03/dns_master_key_controversy
The UK police are considering mandating the quality of commercial CCTV
cameras to ensure that the images meet their evidence standards.
http://www.telegraph.co.uk/news/main.jhtml;jsessionid=3EO1IUQZFRRALQFIQMFSFFOAVCBQ0IV0?xml=/news/2007/03/26/ncctv26.xml
or http://tinyurl.com/22ss5j
By law, every business has to check its customers against a list of
"specially designated nationals," and not do business with anyone on
that list. Of course, the list is riddled with bad names and many
innocents get caught up in the net. And many businesses decide that
it's easier to turn away potential customers whose name is on the list,
creating -- well -- a shunned class. This is the same problem as the
no-fly list, only in a larger context. And it's no way to combat
terrorism. Thankfully, many businesses don't know to check this list,
and people whose names are similar to suspected terrorists' can still
lead mostly normal lives. But the trend here is not good.
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/26/AR2007032602088_pf.html
or http://tinyurl.com/2r6kev
The Specially Designated Nationals (SDN) list itself:
http://www.treas.gov/offices/enforcement/ofac/sdn/index.shtml
The Onion is reporting on this as well:
http://www.theonion.com/content/infograph/everyday_customers_mistaken
Interesting analysis that concludes that there aren't many serious
spammers out there:
http://www.lightbluetouchpaper.org/2007/04/03/there-arent-that-many-serious-spammers-any-more/
or http://tinyurl.com/yrrbyh
German police want the right to hack computers:
http://www.expatica.com/actual/article.asp?subchannel_id=26&story_id=38496
or http://tinyurl.com/2fnm2k
Childhood safety vs. childhood health -- another example of how we get
the risks wrong:
http://www.post-gazette.com/pg/07093/774604-51.stm
http://www.boingboing.net/2007/03/04/no_child_left_inside.html
Great blog comment:
http://www.schneier.com/blog/archives/2007/04/childhood_safet.html#c162565
or http://tinyurl.com/24ljeo
** *** ***** ******* *********** *************
JavaScript Hijacking
JavaScript hijacking is a new type of eavesdropping attack against
Ajax-style Web applications. I'm pretty sure it's the first type of
attack that specifically targets Ajax code. The attack is possible
because Web browsers don't protect JavaScript the same way they protect
HTML: the same-origin policy stops a page from reading another site's
HTML or XML through XMLHttpRequest, but a <script src> tag may pull
script from any site, and the browser sends the victim's cookies along
with that request. If a Web application transfers confidential data as a
message written in JavaScript -- a bare JSON array returned in response
to a GET, say -- an attacker's page can include that URL as a script
and, in some cases, read the data out of it.
The authors show that many popular Ajax programming frameworks do
nothing to prevent JavaScript hijacking. Some actually *require* a
programmer to create a vulnerable server in order to function.
Like so many of these sorts of vulnerabilities, preventing the class of
attacks is easy. In many cases, it requires just a few additional lines
of code: refuse to serve the data in response to GET requests, require a
secret on each request that the attacker's page can't know (a token
bound to the session), and prefix the response with something that keeps
it from running as a script, which the legitimate client strips before
parsing. And like so many software security problems, programmers need
to understand the security implications of their work so they can
mitigate the risks they face. But my guess is that JavaScript hijacking
won't be solved so easily, because programmers don't understand the
security implications of their work and won't prevent the attacks.
Paper:
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
or http://tinyurl.com/28nzje
Responses to many of the blog comments, by one of the paper's co-authors:
http://www.schneier.com/blog/archives/2007/04/javascript_hija_1.html#c160667
or http://tinyurl.com/yqaoz5
** *** ***** ******* *********** *************
Bank Botches Two-Factor Authentication
From their press release: "The computer was protected by two layers of
security, a unique user-identifier and a multiple-character,
alpha-numeric password."
Um, hello? Having a username and a password -- even if they're both
secret -- does not count as two factors, two layers, or two of anything.
Both are things the user knows, and whatever captures one (a keylogger, a
phishing page) captures the other in the same motion. You need two
*different* authentication systems: a password and a biometric, a
password and a token.
I wouldn't trust the New Horizons Community Credit Union with my money.
http://www.ncua.gov/news/press_releases/2007/MR07-0411.htm
** *** ***** ******* *********** *************
Schneier/BT Counterpane News
Last month I accepted my EFF Pioneer Award. There is audio and video of
my speech.
http://www.archive.org/details/Bruce_Schneier_EFF_Pioneer_Awards_2007
http://stage6.divx.com/EFF/video/1179205/Bruce-Schneier-EFF-Acceptance-Speech
or http://tinyurl.com/ytdskp
I am very pleased to receive the award, and am simply stunned by this
quote from Cory Doctorow: "Technology could never achieve what the
fundamental values of a democratic society can attain. We can change the
world with the power of ideas. I defy you to read Bruce's incredible
essays and not have it change the way you think about the world."
http://blog.wired.com/business/2007/03/words_of_wisdom.html
Bruce Schneier T-shirts (I had nothing to do with any of this):
http://geekz.co.uk/shop/store/show/schneier-tshirt
http://www.goodstorm.com/item/pbutler/what_would_bruce_schneier_do
http://www.goodstorm.com/item/pbutler/schneier_mosaic
Stickers:
http://geekz.co.uk/shop/store/show/schneier-sticker-0
Chapter 57 of "my surreal life."
RU Sirius interviewed me for his podcast show.
http://www.rusiriusradio.com/2007/04/02/show-98-everything-the-us-government-is-doing-about-security-is-wrong/
or http://tinyurl.com/yuvum2
eWeek named me #40 in the "Top 100 Most Influential People in IT."
http://www.eweek.com/slideshow_viewer/0,1205,l=%26s=26744%26a=203626%26po=12,00.asp
or http://tinyurl.com/yu2oqy
ITsecurity.com named me as one of the "59 Top Influencers in IT Security"
http://www.itsecurity.com/features/top-59-influencers-itsecurity-031407/
or http://tinyurl.com/yroh8b
News articles on Schneier from India:
http://www.schneier.com/news-031.html
http://economictimes.indiatimes.com/articleshow/1775503.cms
Wired published an excerpt from my "Psychology of Security" essay:
http://www.wired.com/politics/security/commentary/securitymatters/2007/03/SECURITY_MATTERS0322
or http://tinyurl.com/2dez23
Schneier is speaking at the Electronic Transactions Association Annual
Meeting and Conference in Las Vegas on April 19.
http://www.electran.org/events/annual_meeting.asp
Schneier is the tech guest of honor at Penguicon, in Troy, MI, April 20-22.
http://www.penguicon.org/
Schneier is speaking at InfoSec Europe, in London, on April 25.
http://www.infosec.co.uk/
Schneier is speaking at the Computers, Freedom, and Privacy conference
in Montreal on May 4.
http://www.cfp2007.org/
Schneier is speaking for the ACLU in Iowa City, IA, on May 5.
** *** ***** ******* *********** *************
U.S. Government Contractor Injects Malicious Software into
Critical Military Computers
This is just a frightening story. Basically, a contractor with a top
secret security clearance was able to inject malicious code and sabotage
computers used to track Navy submarines.
Yeah, it was annoying to find and fix the problem, but hang on. How is
it possible for a single disgruntled idiot to damage a
multi-billion-dollar weapons system? Why aren't there any security
systems in place to prevent this? I'll bet anything that there was
absolutely no control or review over who put what code in where. I'll
bet that if this guy had been just a little bit cleverer, he could have
done a whole lot more damage without ever getting caught.
One of the ways to deal with the problem of trusted individuals is by
making sure they're trustworthy. The clearance process is supposed to
handle that. But given the enormous damage that a single person can do
here, it makes a lot of sense to add a second security mechanism:
limiting the degree to which each individual must be trusted. A decent
system of code reviews, or change auditing, would go a long way to
reduce the risk of this sort of thing.
I'll also bet you anything that Microsoft has more security around its
critical code than the U.S. military does.
http://content.hamptonroads.com/story.cfm?story=122352&ran=199274
** *** ***** ******* *********** *************
The Doghouse: Brutuslib
It's 2007, and I can't believe people are still using homebrewed
encryption algorithms. This one looks pretty easy to break.
http://www.yan.cz/brutuslib/hdiw.php?lang=en
** *** ***** ******* *********** *************
Cyber-Attack
Last month, Marine General James Cartwright told the House Armed
Services Committee that the best cyber defense is a good offense.
As reported in "Federal Computer Week," Cartwright said: "History
teaches us that a purely defensive posture poses significant risks," and
that if "we apply the principle of warfare to the cyberdomain, as we do
to sea, air and land, we realize the defense of the nation is better
served by capabilities enabling us to take the fight to our adversaries,
when necessary, to deter actions detrimental to our interests."
The general isn't alone. In 2003, the entertainment industry tried to
get a law passed giving them the right to attack any computer suspected
of distributing copyrighted material. And there probably isn't a
sysadmin in the world who doesn't want to strike back at computers that
are blindly and repeatedly attacking their networks.
Of course, the general is correct. But his reasoning illustrates
perfectly why peacetime and wartime are different, and why generals
don't make good police chiefs.
A cyber-security policy that condones both active deterrence and
retaliation -- without any judicial determination of wrongdoing -- is
attractive, but it's wrongheaded, not least because it ignores the line
between war, where those involved are permitted to determine when
counterattack is required, and crime, where only impartial third parties
(judges and juries) can impose punishment.
In warfare, the notion of counterattack is extremely powerful. Going
after the enemy -- its positions, its supply lines, its factories, its
infrastructure -- is an age-old military tactic. But in peacetime, we
call it revenge, and consider it dangerous. Anyone accused of a crime
deserves a fair trial. The accused has the right to defend himself, to
face his accuser, to be represented by an attorney, and to be presumed
innocent until proven guilty.
Both vigilante counterattacks and pre-emptive attacks fly in the face of
these rights. They punish people who haven't been found guilty. It's
the same whether it's an angry lynch mob stringing up a suspect, the
MPAA disabling the computer of someone it believes made an illegal copy
of a movie, or a corporate security officer launching a
denial-of-service attack against someone he believes is targeting his
company over the net.
In all of these cases, the attacker could be wrong. This has been true
for lynch mobs, and on the Internet it's even harder to know who's
attacking you. Just because my computer looks like the source of an
attack doesn't mean it is. And even if it is, it might be a zombie
controlled by yet another computer; I might be a victim, too. The goal
of a government's legal system is justice; the goal of a vigilante is
expediency.
I understand the frustrations of General Cartwright, just as I do the
frustrations of the entertainment industry, and the world's sysadmins.
Justice in cyberspace can be difficult. It can be hard to figure out who
is attacking you, and it can take a long time to make them stop. It can
be even harder to prove anything in court. The international nature of
many attacks exacerbates the problems; more and more cybercriminals are
jurisdiction shopping: attacking from countries with ineffective
computer crime laws, easily bribable police forces, and no extradition
treaties.
Revenge is appealingly straightforward, and treating the whole thing as
a military problem is easier than working within the legal system.
But that doesn't make it right. In 1789, the Declaration of the Rights
of Man and of the Citizen declared: "No person shall be accused,
arrested, or imprisoned except in the cases and according to the forms
prescribed by law. Any one soliciting, transmitting, executing, or
causing to be executed any arbitrary order shall be punished."
I'm glad General Cartwright thinks about offensive cyberwar; it's how
generals are supposed to think. I even agree with Richard Clarke's
threat of military-style reaction in the event of a cyber-attack by a
foreign country or a terrorist organization. But short of an act of war,
we're far safer with a legal system that respects our rights.
http://www.fcw.com/article98016-03-22-07-Web
Allowing the entertainment industry to hack:
http://www.politechbot.com/docs/berman.coble.p2p.final.072502.pdf
http://www.freedom-to-tinker.com/?cat=6
Clarke's comments:
http://www.usatoday.com/tech/news/2002/02/14/cyberterrorism.htm
This essay originally appeared in Wired.
http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatter_0405
or http://tinyurl.com/2dkpcc
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join
in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You can
subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is founder and CTO of BT Counterpane, and is a member of the Board of
Directors of the Electronic Privacy Information Center (EPIC). He is a
frequent writer and lecturer on security topics. See
<http://www.schneier.com>.
BT Counterpane is the world's leading protector of networked information
- the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. BT
Counterpane protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT or BT Counterpane.
Copyright (c) 2007 by Bruce Schneier.