CRYPTO-GRAM
October 15, 2010
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1010.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively comment section. An
RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Wiretapping the Internet
News
Me on Cyberwar
Putting Unique Codes on Objects to Detect Counterfeiting
Schneier News
Stuxnet
** *** ***** ******* *********** *************
Wiretapping the Internet
In September, The New York Times reported that President Obama will seek
sweeping laws enabling law enforcement to more easily eavesdrop on the
internet. Technologies are changing, the administration argues, and modern
digital systems aren't as easy to monitor as traditional telephones.
The government wants to force companies to redesign their communications
systems and information networks to facilitate surveillance, and to
provide law enforcement with back doors that enable them to bypass any
security measures.
The proposal may seem extreme, but -- unfortunately -- it's not unique.
Just a few months ago, the governments of the United Arab Emirates and
Saudi Arabia threatened to ban BlackBerry devices unless the company made
eavesdropping easier. China has already built a massive internet
surveillance system to better control its citizens.
Formerly reserved for totalitarian countries, this wholesale surveillance
of citizens has moved into the democratic world as well. Governments like
Sweden, Canada and the United Kingdom are debating or passing laws giving
their police new powers of internet surveillance, in many cases requiring
communications system providers to redesign products and services they
sell. More are passing data retention laws, forcing companies to retain
customer data in case they might need to be investigated later.
Obama isn't the first U.S. president to seek expanded digital
eavesdropping. The 1994 CALEA law required phone companies to build ways
to better facilitate FBI eavesdropping into their digital phone switches.
Since 2001, the National Security Agency has built substantial
eavesdropping systems within the United States.
These laws are dangerous, both for citizens of countries like China and
citizens of Western democracies. Forcing companies to redesign their
communications products and services to facilitate government
eavesdropping reduces privacy and liberty; that's obvious. But the laws
also make us less safe. Communications systems that have no inherent
eavesdropping capabilities are more secure than systems with those
capabilities built in.
Any surveillance system invites both criminal appropriation and government
abuse. Function creep is the most obvious abuse: New police powers, enacted
to fight terrorism, are already used in situations of conventional
nonterrorist crime. Internet surveillance and control will be no different.
Official misuses are bad enough, but the unofficial uses are far more
worrisome. An infrastructure conducive to surveillance and control invites
surveillance and control, both by the people you expect and the people you
don't. Any surveillance and control system must itself be secured, and
we're not very good at that. Why does anyone think that only authorized law
enforcement will mine collected internet data or eavesdrop on Skype and IM
conversations?
These risks are not theoretical. After 9/11, the National Security Agency
built a surveillance infrastructure to eavesdrop on telephone calls and
e-mails within the United States. Although procedural rules stated that
only non-Americans and international phone calls were to be listened to,
actual practice didn't always match those rules. NSA analysts collected
more data than they were authorized to and used the system to spy on wives,
girlfriends and famous people like former President Bill Clinton.
The most serious known misuse of a telecommunications surveillance
infrastructure took place in Greece. Between June 2004 and March 2005,
someone wiretapped more than 100 cell phones belonging to members of the
Greek government -- the prime minister and the ministers of defense,
foreign affairs and justice -- and other prominent people. Ericsson built
this wiretapping capability into Vodafone's products, but enabled it only
for governments that requested it. Greece wasn't one of those governments,
but some still unknown party -- a rival political group? organized crime?
-- figured out how to surreptitiously turn the feature on.
Surveillance infrastructure is easy to export. Once surveillance
capabilities are built into Skype or Gmail or your BlackBerry, it's easy
for more totalitarian countries to demand the same access; after all, the
technical work has already been done.
Western companies such as Siemens, Nokia and Secure Computing built Iran's
surveillance infrastructure, and U.S. companies like L-1 Identity
Solutions helped build China's electronic police state. The next
generation of worldwide citizen control will be paid for by countries like
the United States.
We should be embarrassed to export eavesdropping capabilities. Secure,
surveillance-free systems protect the lives of people in totalitarian
countries around the world. They allow people to exchange ideas even when
the government wants to limit free exchange. They power citizen
journalism, political movements and social change. For example, Twitter's
anonymity saved the lives of Iranian dissidents -- anonymity that many
governments want to eliminate.
Yes, communications technologies are used by both the good guys and the
bad guys. But the good guys far outnumber the bad guys, and it's far more
valuable to make sure they're secure than it is to cripple them on the off
chance it might help catch a bad guy. It's like the FBI demanding that no
automobiles drive above 50 mph, so they can more easily pursue getaway
cars. It might or might not work -- but, regardless, the cost to society of
the resulting slowdown would be enormous.
It's bad civic hygiene to build technologies that could someday be used to
facilitate a police state. No matter what the eavesdroppers say, these
systems cost too much and put us all at greater risk.
This essay previously appeared on CNN.com.
http://www.cnn.com/2010/OPINION/09/29/schneier.web.surveillance/index.html?…
or http://tinyurl.com/2449te3
It was a rewrite of a 2009 op-ed on MPR News Q.
http://www.schneier.com/essay-281.html
That was based in part on a 2007 Washington Post op-ed by Susan Landau.
http://www.washingtonpost.com/wp-dyn/content/article/2007/08/08/AR200708080…
or http://tinyurl.com/2cz43v
News articles:
http://www.nytimes.com/2010/09/27/us/27wiretap.html
http://www.wired.com/threatlevel/2010/09/fbi-backdoors/
https://www.eff.org/deeplinks/2010/09/government-seeks
http://arstechnica.com/tech-policy/news/2010/09/fbi-drive-for-encryption-ba…
or http://tinyurl.com/37sk66r
Blackberry bans:
http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html
Eavesdropping on Bill Clinton:
http://www.wired.com/threatlevel/2009/06/pinwale
Wiretapping cell phones in Greece:
http://spectrum.ieee.org/telecom/security/the-athens-affair
** *** ***** ******* *********** *************
News
Kenzero is a Japanese Trojan that collects and publishes users' porn
surfing habits, and then blackmails them, requiring them to pay to have
the information removed.
http://www.telegraph.co.uk/technology/news/7596756/Browsing-histories-publi…
or http://tinyurl.com/yynwghl
http://www.dangerousminds.net/comments/kenzero_the_blackmailing_porn_virus/
or http://tinyurl.com/2b3snvc
http://news.bbc.co.uk/2/hi/8622665.stm
http://www.pc1news.com/news/1299/kenzero-trojan-blackmails-victims.html or
http://tinyurl.com/25kk6k5
There's a paper at the upcoming ACM CCS conference examining similar
Japanese scams.
http://www.andrew.cmu.edu/user/nicolasc/publications/TR-CMU-CyLab-10-011.pdf
or http://tinyurl.com/22njamx
Vulnerabilities in US-CERT network. You'd think they'd do somewhat better.
http://www.wired.com/threatlevel/2010/09/us-cert/
http://www.nextgov.com/nextgov/ng_20100909_5549.php?oref=topnews
http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf
http://gcn.com/articles/2010/09/09/us-cert-riddled-with-security-holes.aspx…
or http://tinyurl.com/3a4xz56
Not answering questions at U.S. Customs.
http://knifetricks.blogspot.com/2010/04/i-am-detained-by-feds-for-not-answe…
or http://tinyurl.com/264resf
Police set up a highway sign warning motorists that there are random stops
for narcotics checks ahead, but they actually search people who take the
next exit. Clever real-world honeypot.
http://420tribune.com/2010/03/narcotics-checkpoint/
A graphical representation of popular usernames and passwords.
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html
DHS *still* worried about terrorists using Internet surveillance.
http://www.schneier.com/blog/archives/2010/09/dhs_still_worri.html
DARPA is looking for something that can automatically declassify documents.
http://www.wired.com/dangerroom/2010/09/darpa-wants-you-to-build-it-an-anti…
or http://tinyurl.com/2v7q2xa
The master key for the High-Bandwidth Digital Content Protection standard
-- that's what encrypts digital television between set-top boxes and
digital televisions -- has been cracked and published. The ramifications
are unclear.
http://www.engadget.com/2010/09/14/hdcp-master-key-supposedly-released-unlo…
or http://tinyurl.com/35t6cg7
http://news.cnet.com/8301-27080_3-20016756-245.html
http://www.wired.com/threatlevel/2010/09/no-pirate-bonanza/
Good essay questioning counterterrorism policy:
http://www.theatlantic.com/magazine/archive/2007/11/just-asking/6288
This list of "Four Irrefutable Security Laws" is from Malcolm Harkins,
Intel's chief information security officer: 1) users want to click on
things, 2) code wants to be wrong, 3) services want to be on, and 4)
security features can be used to harm.
http://www.schneier.com/blog/archives/2010/09/four_irrefutabl.html
Statistical distribution of combat wounds to the head.
http://mindhacks.com/2010/09/15/an-uneven-hail-of-bullets/
I'm not sure it's useful, but it is interesting.
I stayed clear of Haystack -- the anonymity program that was going to
protect the privacy of dissidents the world over -- because I didn't have
enough details about the program to have an intelligent opinion. The
project has since imploded, and here are two excellent essays about the
program and the hype surrounding it.
http://www.slate.com/id/2267262/pagenum/all/
http://jilliancyork.com/2010/09/13/haystack-and-media-irresponsibility/ or
http://tinyurl.com/24m22vf
http://esr.ibiblio.org/?p=2568
http://www.pelicancrossing.net/netwars/2010/09/lost_in_a_haystack.html
A new prepaid electricity meter fraud:
http://www.schneier.com/blog/archives/2010/09/new_prepaid_ele.html
Evercookies: extremely persistent browser cookies.
http://www.schneier.com/blog/archives/2010/09/evercookies.html
WARNING -- My blog page is safe, but when you visit the evercookie site, it
stores an evercookie on your machine.
In an article about Robert Woodward's new book, Obama's Wars, this is
listed as one of the book's "disclosures": "A new capability developed by
the National Security Agency has dramatically increased the speed at which
intercepted communications can be turned around into useful information for
intelligence analysts and covert operators. 'They talk, we listen. They
move, we observe. Given the opportunity, we react operationally,'
then-Director of National Intelligence Mike McConnell explained to Obama at
a briefing two days after he was elected president." Eavesdropping is
easy. Getting actual intelligence to the hands of people is hard. It
sounds as if the NSA has advanced capabilities to automatically sift
through massive amounts of electronic communications and find the few bits
worth relaying to intelligence officers.
http://www.washingtonpost.com/wp-dyn/content/article/2010/09/21/AR201009210…
or http://tinyurl.com/2b67b6j
http://www.amazon.com/exec/obidos/ASIN/1439172498/counterpane/
Serious new attack against ASP.NET:
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet…
or http://tinyurl.com/357jhfc
http://threatpost.com/en_us/blogs/demo-aspnet-padding-oracle-attack-091710
or http://tinyurl.com/2vo66be
https://www.microsoft.com/technet/security/advisory/2416728.mspx
http://www.computerworld.com/s/article/9186842/Microsoft_sounds_alert_on_ma…
or http://tinyurl.com/23t93vh
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.as…
or http://tinyurl.com/32wq3cw
http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-securit…
or http://tinyurl.com/2fdqvgn
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-question…
or http://tinyurl.com/2uy54b9
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnera…
or http://tinyurl.com/2d7934r
There's a patch.
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
It's better to try to isolate parts of a terrorist network than to attempt
to destroy it as a whole, at least according to this model:
http://www.sciencedaily.com/releases/2010/09/100917090835.htm
The cultural cognition of risk:
http://www.schneier.com/blog/archives/2010/09/cultural_cognit.html
Stealing money from a safe with a vacuum.
http://www.thesun.co.uk/sol/homepage/news/3149962/Robbers-clean-up-with-vac…
or http://tinyurl.com/378p7ft
There is an interesting list of NSA publications in this document, pages
30-36. This document is a bunch of pages from the NSA intranet.
http://www.governmentattic.org/3docs/NSA-CCH-1-page-Intranet.pdf
This is a list of master's theses from the Naval Postgraduate School's
Center for Homeland Defense and Security, this year.
http://www.hlswatch.com/2010/09/21/growing-ideas-in-homeland-security/
Monitoring employees' online behavior: not their online behavior at work,
but their online behavior in life.
http://www.schneier.com/blog/archives/2010/10/monitoring_empl.html
I regularly say that security decisions are primarily made for
non-security reasons. This article about the placement of sky marshals on
airplanes is an excellent example. Basically, the airlines would prefer
they fly coach instead of first class.
http://online.wsj.com/article_email/SB1000142405274870343160457552183247393…
or http://tinyurl.com/25txpf5
http://www.economist.com/blogs/gulliver/2010/10/sky_marshals
When I list the few improvements to airline security since 9/11, I don't
include sky marshals.
New research: "Attacks and Design of Image Recognition CAPTCHAs."
http://homepages.cs.ncl.ac.uk/jeff.yan/ccs10.pdf
The politics of allocating Homeland Security money to states.
http://www.schneier.com/blog/archives/2010/10/the_politics_of_1.html
Hacking trial breaks D.C. Internet voting system. It was easy.
http://voices.washingtonpost.com/debonis/2010/10/hacker_infiltration_ends_d…
or http://tinyurl.com/2fsvxdo
http://www.dcboee.us/dvm/
http://www.wired.com/threatlevel/2010/10/dc-voting-system-hacked/
http://www.freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-p…
or http://tinyurl.com/23w8ocw
My primary worry about contests like this is that people will think a
positive result means something. If a bunch of students can break into a
system after a couple of weeks of attempts, we know it's insecure. But just
because a system withstands a test like this doesn't mean it's secure. We
don't know who tried. We don't know what they tried. We don't know how
long they tried. And we don't know if someone who tries smarter, harder,
and longer could break the system.
The ineffectiveness of vague security warnings.
http://www.slate.com/id/2269845
http://www.washingtonpost.com/wp-dyn/content/article/2010/10/04/AR201010040…
or http://tinyurl.com/28umefm
I wrote much the same thing in 2004, about the DHS's vague terrorist
warnings and the color-coded threat advisory system.
http://www.schneier.com/essay-055.html
http://www.schneier.com/blog/archives/2004/10/do_terror_alert.html
Good article from The Economist on biometrics.
http://www.economist.com/blogs/babbage/2010/10/biometrics
Here's my essay on biometrics, from 1999.
http://www.schneier.com/essay-019.html
Remember the Mahmoud al-Mabhouh assassination last January? The police
identified 30 suspects, but haven't been able to find any of them. "Police
spent about 10,000 hours poring over footage from some 1,500 security
cameras around Dubai. Using face-recognition software, electronic-payment
records, receipts and interviews with taxi drivers and hotel staff, they
put together a list of suspects and publicized it." But every trail has
gone cold. Seems ubiquitous electronic surveillance is no match for a
sufficiently advanced adversary.
http://www.schneier.com/blog/archives/2010/10/the_mahmoud_al-.html
The FBI is tracking a college student in Silicon Valley. He's 20,
partially Egyptian, and studying marketing at Mission College. He found
the tracking device attached to his car. Near as he could tell, what he
did to warrant the FBI's attention was be the friend of someone who did
something to warrant the FBI's attention.
http://www.schneier.com/blog/archives/2010/10/the_fbi_is_trac.html
Pen-and-paper SQL injection attack against Swedish election:
http://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html
New technology that can pick a single voice out of a crowded and noisy
stadium:
http://www.wired.com/gadgetlab/2010/10/super-microphone-picks-out-single-vo…
or http://tinyurl.com/2e8fy45
India is writing its own operating system so it doesn't have to rely on
Western technology:
http://www.schneier.com/blog/archives/2010/10/indian_os.html
** *** ***** ******* *********** *************
Me on Cyberwar
During the cyberwar debate a few months ago, I said this:
If we frame this discussion as a war discussion, then what you do
when there's a threat of war is you call in the military and you
get military solutions. You get lockdown; you get an enemy that
needs to be subdued. If you think about these threats in terms of
crime, you get police solutions. And as we have this debate, not
just on stage, but in the country, the way we frame it, the way we
talk about it; the way the headlines read, determine what sort of
solutions we want, make us feel better. And so the threat of
cyberwar is being grossly exaggerated and I think it's being done
for a reason. This is a power grab by government. What Mike
McConnell didn't mention is that grossly exaggerating a threat of
cyberwar is incredibly profitable.
The debate:
http://www.npr.org/templates/story/story.php?storyId=127861446
The quote:
http://techinsider.nextgov.com/2010/09/the_cyberwar_echo_chamber.php
More of my writings on cyberwar are here:
http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html
** *** ***** ******* *********** *************
Putting Unique Codes on Objects to Detect Counterfeiting
This will help some.
At least two rival systems plan to put unique codes on packages
containing antimalarials and other medications. Buyers will be
able to text the code to a phone number on the package and get an
immediate reply of "NO" or "OK," with the drug's name, expiration
date, and other information.
To defeat the system, the counterfeiter has to copy the bar codes. If the
stores selling to customers are in on the scam, it can be the same code.
If not, there have to be sufficient different bar codes that the store
doesn't detect duplications. Presumably, numbers that are known to have
been copied are added to the database, so the counterfeiters need to keep
updating their codes. And presumably the codes are cryptographically hard
to predict, so the only way to keep updating them is to look at legitimate
products.
Another attack would be to intercept the verification system. A
man-in-the-middle attack against the phone number or the website would be
difficult, but presumably the verification information would be on the
object itself. It would be easy to swap in a fake phone number that would
verify anything.
It'll be interesting to see how the counterfeiters get around this
security measure.
http://www.businessweek.com/magazine/content/10_21/b4179037128534.htm
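As an added illustration of the scheme the excerpt describes, here is a constructed model of such a verification service; it is not the code of either rival system, and the key, the code format and the two-phone threshold are assumptions. Codes are derived from a serial with HMAC so they cannot be predicted, and a code texted in from too many different phones is treated as copied and answered "NO" from then on; the fake-phone-number attack is outside the model, since a query sent to a swapped-in number never reaches the service at all.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed values for this example; a real service would keep the key in an HSM
# and tune the threshold from field data.
KEY = b"constructed-demo-key-not-for-production"
MAX_DISTINCT_PHONES = 2   # e.g. the retailer's phone plus the buyer's


@dataclass
class Package:
    drug: str
    expiry: str
    phones: set = field(default_factory=set)   # distinct numbers that queried this code
    copied: bool = False                        # known-copied codes always answer NO


def make_code(serial: int, key: bytes = KEY) -> str:
    """Derive a 12-hex-digit package code from a serial number with HMAC-SHA256.
    Without the key, seeing many valid codes gives no way to compute another one,
    so a counterfeiter can only obtain codes by copying them off real packages."""
    mac = hmac.new(key, serial.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:6].hex().upper()


class VerificationService:
    """Answers the buyer's text message with 'NO' or 'OK <drug> exp <date>'."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.db = {}            # code -> Package
        self.next_serial = 0

    def issue(self, drug: str, expiry: str) -> str:
        """Register a new package and return the code printed on it."""
        code = make_code(self.next_serial, self.key)
        self.next_serial += 1
        self.db[code] = Package(drug, expiry)
        return code

    def verify(self, code: str, phone: str) -> str:
        """Look up a code texted in from `phone`.
        A code seen from more than MAX_DISTINCT_PHONES numbers has most likely been
        copied onto several packages, so it is blacklisted from then on. Note that
        the genuine buyer of that package then gets NO as well: a copied code costs
        the legitimate holder too, which is the price of the duplicate check."""
        pkg = self.db.get(code.strip().upper())
        if pkg is None or pkg.copied:
            return "NO"
        pkg.phones.add(phone)
        if len(pkg.phones) > MAX_DISTINCT_PHONES:
            pkg.copied = True
            return "NO"
        return f"OK {pkg.drug} exp {pkg.expiry}"

    def report_copied(self, code: str) -> bool:
        """Blacklist a code known (e.g. from a seizure) to have been copied.
        Returns False if the code was never issued."""
        pkg = self.db.get(code.strip().upper())
        if pkg is None:
            return False
        pkg.copied = True
        return True
```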
** *** ***** ******* *********** *************
Schneier News
On October 19, I'll be giving a keynote speech at Information Security
Trends Meeting 2010 in Medellin, Colombia. On October 20, I'll be giving a
keynote in Bogotá, Colombia, as part of the same conference.
http://www.digiware.net/images/stories/istmweb/istm.html
I'll be speaking at the GRC Meeting in Lisbon, Portugal, on October 28.
http://www.grc-meeting.com/
On November 6, I'll be speaking in Milton Keynes, UK, at the annual ACCU
Security Fundraising Conference, in support of the Bletchley Park Trust
and The National Museum of Computing.
http://www.bletchleypark.org.uk/calendar/event_detail.rhtm?cat=special&recI…
or http://tinyurl.com/25pge74
I'll be speaking at the Information Security Forum Annual World Congress
in Monaco on November 7.
https://www.securityforum.org/services/publiccongress/
I'll be speaking at the Gartner Symposium/ITxpo in Nice on November 8.
http://www.gartner.com/technology/symposium/cannes/index.jsp
My musical recording debut. It's not about security.
http://www.schneier.com/blog/archives/2010/10/my_recording_de.html
** *** ***** ******* *********** *************
Stuxnet
Computer security experts are often surprised at which stories get picked
up by the mainstream media. Sometimes it makes no sense. Why this
particular data breach, vulnerability, or worm and not others? Sometimes
it's obvious. In the case of Stuxnet, there's a great story.
As the story goes, the Stuxnet worm was designed and released by a
government--the U.S. and Israel are the most common suspects--specifically
to attack the Bushehr nuclear power plant in Iran. How could anyone not
report that? It combines computer attacks, nuclear power, spy agencies and
a country that's a pariah to much of the world. The only problem with the
story is that it's almost entirely speculation.
Here's what we do know: Stuxnet is an Internet worm that infects Windows
computers. It primarily spreads via USB sticks, which allows it to get
into computers and networks not normally connected to the Internet. Once
inside a network, it uses a variety of mechanisms to propagate to other
machines within that network and gain privilege once it has infected those
machines. These mechanisms include both known and patched vulnerabilities,
and four "zero-day exploits": vulnerabilities that were unknown and
unpatched when the worm was released. (All the infection vulnerabilities
have since been patched.)
Stuxnet doesn't actually do anything on those infected Windows computers,
because they're not the real target. What Stuxnet looks for is a particular
model of Programmable Logic Controller (PLC) made by Siemens (the press
often refers to these as SCADA systems, which is technically incorrect).
These are small embedded industrial control systems that run all sorts of
automated processes: on factory floors, in chemical plants, in oil
refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are
often controlled by computers, and Stuxnet looks for Siemens SIMATIC
WinCC/Step 7 controller software.
If it doesn't find one, it does nothing. If it does, it infects it using
yet another unknown and unpatched vulnerability, this one in the
controller software. Then it reads and changes particular bits of data in
the controlled PLCs. It's impossible to predict the effects of this
without knowing what the PLC is doing and how it is programmed, and that
programming can be unique based on the application. But the changes are
very specific, leading many to believe that Stuxnet is targeting a
specific PLC, or a specific group of PLCs, performing a specific function
in a specific location--and that Stuxnet's authors knew exactly what they
were targeting.
It's already infected more than 50,000 Windows computers, and Siemens has
reported 14 infected control systems, many in Germany. (These numbers were
certainly out of date as soon as I typed them.) We don't know of any
physical damage Stuxnet has caused, although there are rumors that it was
responsible for the failure of India's INSAT-4B satellite in July. We
believe that it did infect the Bushehr plant.
All the anti-virus programs detect and remove Stuxnet from Windows systems.
Stuxnet was first discovered in late June, although there's speculation
that it was released a year earlier. As worms go, it's very complex and
got more complex over time. In addition to the multiple vulnerabilities
that it exploits, it installs its own driver into Windows. These have to
be signed, of course, but Stuxnet used a stolen legitimate certificate.
Interestingly, the stolen certificate was revoked on July 16, and a
Stuxnet variant with a different stolen certificate was discovered on July
17.
Over time the attackers swapped out modules that didn't work and replaced
them with new ones--perhaps as Stuxnet made its way to its intended target.
Those certificates first appeared in January. USB propagation, in March.
Stuxnet has two ways to update itself. It checks back to two control
servers, one in Malaysia and the other in Denmark, but also uses a
peer-to-peer update system: When two Stuxnet infections encounter each
other, they compare versions and make sure they both have the most recent
one. It also has a kill date of June 24, 2012. On that date, the worm will
stop spreading and delete itself.
We don't know who wrote Stuxnet. We don't know why. We don't know what the
target is, or if Stuxnet reached it. But you can see why there is so much
speculation that it was created by a government.
Stuxnet doesn't act like a criminal worm. It doesn't spread
indiscriminately. It doesn't steal credit card information or account
login credentials. It doesn't herd infected computers into a botnet. It
uses multiple zero-day vulnerabilities. A criminal group would be smarter
to create different worm variants and use one in each. Stuxnet performs
sabotage. It doesn't threaten sabotage, like a criminal organization intent
on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people
six months to write. There's also the lab setup--surely any organization
that goes to all this trouble would test the thing before releasing it--and
the intelligence gathering to know exactly how to target it. Additionally,
zero-day exploits are valuable. They're hard to find, and they can only be
used once. Whoever wrote Stuxnet was willing to spend a lot of money to
ensure that whatever job it was intended to do would be done.
None of this points to the Bushehr nuclear power plant in Iran, though.
Best I can tell, this rumor was started by Ralph Langner, a security
researcher from Germany. He labeled his theory "highly speculative," and
based it primarily on the facts that Iran had an unusually high number of
infections (the rumor that it had the most infections of any country seems
not to be true), that the Bushehr nuclear plant is a juicy target, and that
some of the other countries with high infection rates--India, Indonesia,
and Pakistan--are countries where the same Russian contractor involved in
Bushehr is also involved. This rumor moved into the computer press and then
into the mainstream press, where it became the accepted story, without any
of the original caveats.
Once a theory takes hold, though, it's easy to find more evidence. The
word "myrtus" appears in the worm: an artifact that the compiler left,
possibly by accident. That's the myrtle plant. Of course, that doesn't
mean that druids wrote Stuxnet. According to the story, it refers to Queen
Esther, also known as Hadassah; she saved the Persian Jews from genocide in
the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
Stuxnet also sets a registry value of "19790509" to alert new copies of
Stuxnet that the computer has already been infected. It's rather obviously
a date, but instead of looking at the gazillion things--large and
small--that happened on that date, the story insists it refers to the
date Persian Jew Habib Elghanain was executed in Tehran for spying for
Israel.
Sure, these markers could point to Israel as the author. On the other
hand, Stuxnet's authors were uncommonly thorough about not leaving clues
in their code; the markers could have been deliberately planted by someone
who wanted to frame Israel. Or they could have been deliberately planted by
Israel, who wanted us to think they were planted by someone who wanted to
frame Israel. Once you start walking down this road, it's impossible to
know when to stop.
Another number found in Stuxnet is 0xDEADF007. Perhaps that means "Dead
Fool" or "Dead Foot," a term that refers to an airplane engine failure.
Perhaps this means Stuxnet is trying to cause the targeted system to fail.
Or perhaps not. Still, a targeted worm designed to cause a specific
sabotage seems to be the most likely explanation.
If that's the case, why is Stuxnet so sloppily targeted? Why doesn't
Stuxnet erase itself when it realizes it's not in the targeted network?
When it infects a network via USB stick, it's supposed to only spread to
three additional computers and to erase itself after 21 days--but it
doesn't do that. A mistake in programming, or a feature in the code not
enabled? Maybe we're not supposed to reverse engineer the target. By
allowing Stuxnet to spread globally, its authors committed collateral
damage worldwide. From a foreign policy perspective, that seems dumb. But
maybe Stuxnet's authors didn't care.
My guess is that Stuxnet's authors, and its target, will forever remain a
mystery.
This essay originally appeared on Forbes.com.
http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-…
or http://tinyurl.com/29bhajd
My alternate explanations for Stuxnet were cut from the essay. Here they
are:
1. A research project that got out of control. Researchers have
accidentally released worms before. But given the press, and the fact
that any researcher working on something like this would be talking to
friends, colleagues, and his advisor, I would expect someone to have outed
him by now, especially if it was done by a team.
2. A criminal worm designed to demonstrate a capability. Sure, that's
possible. Stuxnet could be a prelude to extortion. But I think a cheaper
demonstration would be just as effective. Then again, maybe not.
3. A message. It's hard to speculate any further, because we don't know
who the message is for, or its context. Presumably the intended recipient
would know. Maybe it's a "look what we can do" message. Or an "if you
don't listen to us, we'll do worse next time" message. Again, it's a very
expensive message, but maybe one of the pieces of the message is "we have
so many resources that we can burn four or five man-years of effort and
four zero-day vulnerabilities just for the fun of it." If that message
were for me, I'd be impressed.
4. A worm released by the U.S. military to scare the government into
giving it more budget and power over cybersecurity. Nah, that sort of
conspiracy is much more common in fiction than in real life.
Note that some of these alternate explanations overlap.
http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-des…
or http://tinyurl.com/37aqurn
reported:
http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_ind…
or http://tinyurl.com/32lsl8b
http://blogs.forbes.com/firewall/2010/09/29/did-the-stuxnet-worm-kill-india…
or http://tinyurl.com/26jkaw8
http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/
http://www.nytimes.com/2010/09/27/technology/27virus.html
http://www.symantec.com/connect/blogs/stuxnet-print-spooler-zero-day-vulner…
or http://tinyurl.com/2fh7hr9
http://news.cnet.com/8301-27080_3-20018530-245.html
http://sites.google.com/site/n3td3v/latest/whatweknowaboutstuxnet
http://antivirus.about.com/b/2010/10/02/debunking-the-bunk-of-stuxnet.htm
or http://tinyurl.com/237yed9
http://frank.geekheim.de/?p=1189
Good technical info on Stuxnet:
http://www.f-secure.com/weblog/archives/00002040.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/wh…
or http://tinyurl.com/36y7jzb
Ralph Langner:
http://www.langner.com/en/
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer and
otherwise. You can subscribe, unsubscribe, or change your address on the
Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security
Technology Officer of BT BCSG, and is on the Board of Directors of the
Electronic Privacy Information Center (EPIC). He is a frequent writer and
lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2010 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
>> And once you get these things in place you never know where it will end...
> That, OTOH, is true.
>
Actually, we do.
Every time a country creates a list, even though you wouldn't expect it
from these respectable countries, politicians and policemen with their
good intentions, somehow things end up on these lists which should not
be there, every single time.
Obviously, these lists are secret because otherwise the bad people can
use them as a pointer where to go.
So there is no oversight.
They do however end up on Wikileaks and then you see that there are lots
of other things on these lists.
To start with the websites of the people who oppose such lists and
political movements (even though the countries are democracies).
Or websites like the Pirate Bay, Wikileaks or even Wikipedia.
As we all know, these lists don't work anyway.
So it does not prevent the people who are looking for this content to
get to this content and the people who are performing these acts with
these children are not stopped by this.
One of the most heard arguments from the politicians (or more likely from
the lobbyists) is that it is hard to get websites removed or deleted when
they are in other countries. Which may sound plausible until you look at
what PayPal and the banks can achieve: they get websites removed in a
day or 2, mostly hours.
Most of the time by just sending an e-mail or picking up the phone.
I know people can have really heated discussions about these subjects
("think of the kids"), but that does not mean we should not make clear
headed decisions in the end.
Another often heard argument is that we should prevent all the other
people, and especially children, from running into this filth on the
Internet.
Which is also an interesting argument, because people who share this
kind of content do not do this openly; they don't want to be discovered.
They don't use misleading advertisements that people might click on to
lure them in.
As I understand it, they password protect their content or use VPNs and
share links by word of mouth.
Doesn't matter how you look at it, it is much more effective to go after
the people that do this than to argue about or set up these blacklists.
Have a nice day,
Leen.
----- End forwarded message -----
CRYPTO-GRAM
October 15, 2010
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1010.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively comment section. An
RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Wiretapping the Internet
News
Me on Cyberwar
Putting Unique Codes on Objects to Detect Counterfeiting
Schneier News
Stuxnet
** *** ***** ******* *********** *************
Wiretapping the Internet
In September, The New York Times reported that President Obama will seek
sweeping laws enabling law enforcement to more easily eavesdrop on the
internet. Technologies are changing, the administration argues, and modern
digital systems aren't as easy to monitor as traditional telephones.
The government wants to force companies to redesign their communications
systems and information networks to facilitate surveillance, and to
provide law enforcement with back doors that enable them to bypass any
security measures.
The proposal may seem extreme, but -- unfortunately -- it's not unique.
Just a few months ago, the governments of the United Arab Emirates and
Saudi Arabia threatened to ban BlackBerry devices unless the company made
eavesdropping easier. China has already built a massive internet
surveillance system to better control its citizens.
Formerly reserved for totalitarian countries, this wholesale surveillance
of citizens has moved into the democratic world as well. Governments like
Sweden, Canada and the United Kingdom are debating or passing laws giving
their police new powers of internet surveillance, in many cases requiring
communications system providers to redesign products and services they
sell. More are passing data retention laws, forcing companies to retain
customer data in case they might need to be investigated later.
Obama isn't the first U.S. president to seek expanded digital
eavesdropping. The 1994 CALEA law required phone companies to build ways
to better facilitate FBI eavesdropping into their digital phone switches.
Since 2001, the National Security Agency has built substantial
eavesdropping systems within the United States.
These laws are dangerous, both for citizens of countries like China and
citizens of Western democracies. Forcing companies to redesign their
communications products and services to facilitate government
eavesdropping reduces privacy and liberty; that's obvious. But the laws
also make us less safe. Communications systems that have no inherent
eavesdropping capabilities are more secure than systems with those
capabilities built in.
Any surveillance system invites both criminal appropriation and government
abuse. Function creep is the most obvious abuse: New police powers, enacted
to fight terrorism, are already used in situations of conventional
nonterrorist crime. Internet surveillance and control will be no different.
Official misuses are bad enough, but the unofficial uses are far more
worrisome. An infrastructure conducive to surveillance and control invites
surveillance and control, both by the people you expect and the people you
don't. Any surveillance and control system must itself be secured, and
we're not very good at that. Why does anyone think that only authorized law
enforcement will mine collected internet data or eavesdrop on Skype and IM
conversations?
These risks are not theoretical. After 9/11, the National Security Agency
built a surveillance infrastructure to eavesdrop on telephone calls and
e-mails within the United States. Although procedural rules stated that
only non-Americans and international phone calls were to be listened to,
actual practice didn't always match those rules. NSA analysts collected
more data than they were authorized to and used the system to spy on wives,
girlfriends and famous people like former President Bill Clinton.
The most serious known misuse of a telecommunications surveillance
infrastructure took place in Greece. Between June 2004 and March 2005,
someone wiretapped more than 100 cell phones belonging to members of the
Greek government -- the prime minister and the ministers of defense,
foreign affairs and justice -- and other prominent people. Ericsson built
this wiretapping capability into Vodafone's products, but enabled it only
for governments that requested it. Greece wasn't one of those governments,
but some still unknown party -- a rival political group? organized crime?
-- figured out how to surreptitiously turn the feature on.
Surveillance infrastructure is easy to export. Once surveillance
capabilities are built into Skype or Gmail or your BlackBerry, it's easy
for more totalitarian countries to demand the same access; after all, the
technical work has already been done.
Western companies such as Siemens, Nokia and Secure Computing built Iran's
surveillance infrastructure, and U.S. companies like L-1 Identity
Solutions helped build China's electronic police state. The next
generation of worldwide citizen control will be paid for by countries like
the United States.
We should be embarrassed to export eavesdropping capabilities. Secure,
surveillance-free systems protect the lives of people in totalitarian
countries around the world. They allow people to exchange ideas even when
the government wants to limit free exchange. They power citizen
journalism, political movements and social change. For example, Twitter's
anonymity saved the lives of Iranian dissidents -- anonymity that many
governments want to eliminate.
Yes, communications technologies are used by both the good guys and the
bad guys. But the good guys far outnumber the bad guys, and it's far more
valuable to make sure they're secure than it is to cripple them on the off
chance it might help catch a bad guy. It's like the FBI demanding that no
automobiles drive above 50 mph, so they can more easily pursue getaway
cars. It might or might not work -- but, regardless, the cost to society of
the resulting slowdown would be enormous.
It's bad civic hygiene to build technologies that could someday be used to
facilitate a police state. No matter what the eavesdroppers say, these
systems cost too much and put us all at greater risk.
This essay previously appeared on CNN.com.
http://www.cnn.com/2010/OPINION/09/29/schneier.web.surveillance/index.html?…
or http://tinyurl.com/2449te3
It was a rewrite of a 2009 op-ed on MPR News Q.
http://www.schneier.com/essay-281.html
That was based in part on a 2007 Washington Post op-ed by Susan Landau.
http://www.washingtonpost.com/wp-dyn/content/article/2007/08/08/AR200708080…
or http://tinyurl.com/2cz43v
News articles:
http://www.nytimes.com/2010/09/27/us/27wiretap.html
http://www.wired.com/threatlevel/2010/09/fbi-backdoors/
https://www.eff.org/deeplinks/2010/09/government-seeks
http://arstechnica.com/tech-policy/news/2010/09/fbi-drive-for-encryption-ba…
or http://tinyurl.com/37sk66r
Blackberry bans:
http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html
Eavesdropping on Bill Clinton:
http://www.wired.com/threatlevel/2009/06/pinwale
Wiretapping cell phones in Greece:
http://spectrum.ieee.org/telecom/security/the-athens-affair
** *** ***** ******* *********** *************
News
Kenzero is a Japanese Trojan that collects and publishes users' porn
surfing habits, and then blackmails them, requiring them to pay to have
the information removed.
http://www.telegraph.co.uk/technology/news/7596756/Browsing-histories-publi…
or http://tinyurl.com/yynwghl
http://www.dangerousminds.net/comments/kenzero_the_blackmailing_porn_virus/
or http://tinyurl.com/2b3snvc
http://news.bbc.co.uk/2/hi/8622665.stm
http://www.pc1news.com/news/1299/kenzero-trojan-blackmails-victims.html or
http://tinyurl.com/25kk6k5
There's a paper at the upcoming ACM CCS conference examining similar
Japanese scams.
http://www.andrew.cmu.edu/user/nicolasc/publications/TR-CMU-CyLab-10-011.pdf
or http://tinyurl.com/22njamx
Vulnerabilities in US-CERT network. You'd think they'd do somewhat better.
http://www.wired.com/threatlevel/2010/09/us-cert/
http://www.nextgov.com/nextgov/ng_20100909_5549.php?oref=topnews
http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf
http://gcn.com/articles/2010/09/09/us-cert-riddled-with-security-holes.aspx…
or http://tinyurl.com/3a4xz56
Not answering questions at U.S. Customs.
http://knifetricks.blogspot.com/2010/04/i-am-detained-by-feds-for-not-answe…
or http://tinyurl.com/264resf
Police set up a highway sign warning motorists that there are random stops
for narcotics checks ahead, but they actually search people who take the
next exit. Clever real-world honeypot.
http://420tribune.com/2010/03/narcotics-checkpoint/
A graphical representation of popular usernames and passwords.
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html
DHS *still* worried about terrorists using Internet surveillance.
http://www.schneier.com/blog/archives/2010/09/dhs_still_worri.html
DARPA is looking for something that can automatically declassify documents.
http://www.wired.com/dangerroom/2010/09/darpa-wants-you-to-build-it-an-anti…
or http://tinyurl.com/2v7q2xa
The master key for the High-Bandwidth Digital Content Protection standard
-- that's what encrypts digital television between set-top boxes and
digital televisions -- has been cracked and published. The ramifications
are unclear.
http://www.engadget.com/2010/09/14/hdcp-master-key-supposedly-released-unlo…
or http://tinyurl.com/35t6cg7
http://news.cnet.com/8301-27080_3-20016756-245.html
http://www.wired.com/threatlevel/2010/09/no-pirate-bonanza/
Good essay questioning counterterrorism policy:
http://www.theatlantic.com/magazine/archive/2007/11/just-asking/6288
This list of "Four Irrefutable Security Laws" is from Malcolm Harkins,
Intel's chief information security officer: 1) users want to click on
things, 2) code wants to be wrong, 3) services want to be on, and 4)
security features can be used to harm.
http://www.schneier.com/blog/archives/2010/09/four_irrefutabl.html
Statistical distribution of combat wounds to the head.
http://mindhacks.com/2010/09/15/an-uneven-hail-of-bullets/
I'm not sure it's useful, but it is interesting.
I stayed clear of Haystack -- the anonymity program that was going to
protect the privacy of dissidents the world over -- because I didn't have
enough details about the program to have an intelligent opinion. The
project has since imploded, and here are two excellent essays about the
program and the hype surrounding it.
http://www.slate.com/id/2267262/pagenum/all/
http://jilliancyork.com/2010/09/13/haystack-and-media-irresponsibility/ or
http://tinyurl.com/24m22vf
http://esr.ibiblio.org/?p=2568
http://www.pelicancrossing.net/netwars/2010/09/lost_in_a_haystack.html
A new prepaid electricity meter fraud:
http://www.schneier.com/blog/archives/2010/09/new_prepaid_ele.html
Evercookies: extremely persistent browser cookies.
http://www.schneier.com/blog/archives/2010/09/evercookies.html
WARNING -- My blog page is safe, but when you visit the evercookie site, it
stores an evercookie on your machine.
In an article about Robert Woodward's new book, Obama's Wars, this is
listed as one of the book's "disclosures": "A new capability developed by
the National Security Agency has dramatically increased the speed at which
intercepted communications can be turned around into useful information for
intelligence analysts and covert operators. 'They talk, we listen. They
move, we observe. Given the opportunity, we react operationally,'
then-Director of National Intelligence Mike McConnell explained to Obama at
a briefing two days after he was elected president." Eavesdropping is
easy. Getting actual intelligence to the hands of people is hard. It
sounds as if the NSA has advanced capabilities to automatically sift
through massive amounts of electronic communications and find the few bits
worth relaying to intelligence officers.
http://www.washingtonpost.com/wp-dyn/content/article/2010/09/21/AR201009210…
or http://tinyurl.com/2b67b6j
http://www.amazon.com/exec/obidos/ASIN/1439172498/counterpane/
Serious new attack against ASP.NET:
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet…
or http://tinyurl.com/357jhfc
http://threatpost.com/en_us/blogs/demo-aspnet-padding-oracle-attack-091710
or http://tinyurl.com/2vo66be
https://www.microsoft.com/technet/security/advisory/2416728.mspx
http://www.computerworld.com/s/article/9186842/Microsoft_sounds_alert_on_ma…
or http://tinyurl.com/23t93vh
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.as…
or http://tinyurl.com/32wq3cw
http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-securit…
or http://tinyurl.com/2fdqvgn
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-question…
or http://tinyurl.com/2uy54b9
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnera…
or http://tinyurl.com/2d7934r
There's a patch.
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
It's better to try to isolate parts of a terrorist network than to attempt
to destroy it as a whole, at least according to this model:
http://www.sciencedaily.com/releases/2010/09/100917090835.htm
The cultural cognition of risk:
http://www.schneier.com/blog/archives/2010/09/cultural_cognit.html
Stealing money from a safe with a vacuum.
http://www.thesun.co.uk/sol/homepage/news/3149962/Robbers-clean-up-with-vac…
or http://tinyurl.com/378p7ft
There is an interesting list of NSA publications in this document, pages
30-36. This document is a bunch of pages from the NSA intranet.
http://www.governmentattic.org/3docs/NSA-CCH-1-page-Intranet.pdf
This is a list of master's theses from the Naval Postgraduate School's
Center for Homeland Defense and Security, this year.
http://www.hlswatch.com/2010/09/21/growing-ideas-in-homeland-security/
Monitoring employees' online behavior: not their online behavior at work,
but their online behavior in life.
http://www.schneier.com/blog/archives/2010/10/monitoring_empl.html
I regularly say that security decisions are primarily made for
non-security reasons. This article about the placement of sky marshals on
airplanes is an excellent example. Basically, the airlines would prefer
they fly coach instead of first class.
http://online.wsj.com/article_email/SB1000142405274870343160457552183247393…
or http://tinyurl.com/25txpf5
http://www.economist.com/blogs/gulliver/2010/10/sky_marshals
When I list the few improvements to airline security since 9/11, I don't
include sky marshals.
New research: "Attacks and Design of Image Recognition CAPTCHAs."
http://homepages.cs.ncl.ac.uk/jeff.yan/ccs10.pdf
The politics of allocating Homeland Security money to states.
http://www.schneier.com/blog/archives/2010/10/the_politics_of_1.html
Hacking trial breaks D.C. Internet voting system. It was easy.
http://voices.washingtonpost.com/debonis/2010/10/hacker_infiltration_ends_d…
or http://tinyurl.com/2fsvxdo
http://www.dcboee.us/dvm/
http://www.wired.com/threatlevel/2010/10/dc-voting-system-hacked/
http://www.freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-p…
or http://tinyurl.com/23w8ocw
My primary worry about contests like this is that people will think a
positive result means something. If a bunch of students can break into a
system after a couple of weeks of attempts, we know it's insecure. But just
because a system withstands a test like this doesn't mean it's secure. We
don't know who tried. We don't know what they tried. We don't know how
long they tried. And we don't know if someone who tries smarter, harder,
and longer could break the system.
The ineffectiveness of vague security warnings.
http://www.slate.com/id/2269845
http://www.washingtonpost.com/wp-dyn/content/article/2010/10/04/AR201010040…
or http://tinyurl.com/28umefm
I wrote much the same thing in 2004, about the DHS's vague terrorist
warnings and the color-coded threat advisory system.
http://www.schneier.com/essay-055.html
http://www.schneier.com/blog/archives/2004/10/do_terror_alert.html
Good article from The Economist on biometrics.
http://www.economist.com/blogs/babbage/2010/10/biometrics
Here's my essay on biometrics, from 1999.
http://www.schneier.com/essay-019.html
Remember the Mahmoud al-Mabhouh assassination last January? The police
identified 30 suspects, but haven't been able to find any of them. "Police
spent about 10,000 hours poring over footage from some 1,500 security
cameras around Dubai. Using face-recognition software, electronic-payment
records, receipts and interviews with taxi drivers and hotel staff, they
put together a list of suspects and publicized it." But every trail has
gone cold. Seems ubiquitous electronic surveillance is no match for a
sufficiently advanced adversary.
http://www.schneier.com/blog/archives/2010/10/the_mahmoud_al-.html
The FBI is tracking a college student in Silicon Valley. He's 20,
partially Egyptian, and studying marketing at Mission College. He found
the tracking device attached to his car. Near as he could tell, what he
did to warrant the FBI's attention was be the friend of someone who did
something to warrant the FBI's attention.
http://www.schneier.com/blog/archives/2010/10/the_fbi_is_trac.html
Pen-and-paper SQL injection attack against Swedish election:
http://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html
New technology that can pick a single voice out of a crowded and noisy
stadium:
http://www.wired.com/gadgetlab/2010/10/super-microphone-picks-out-single-vo…
or http://tinyurl.com/2e8fy45
India is writing its own operating system so it doesn't have to rely on
Western technology:
http://www.schneier.com/blog/archives/2010/10/indian_os.html
** *** ***** ******* *********** *************
Me on Cyberwar
During the cyberwar debate a few months ago, I said this:
If we frame this discussion as a war discussion, then what you do
when there's a threat of war is you call in the military and you
get military solutions. You get lockdown; you get an enemy that
needs to be subdued. If you think about these threats in terms of
crime, you get police solutions. And as we have this debate, not
just on stage, but in the country, the way we frame it, the way we
talk about it; the way the headlines read, determine what sort of
solutions we want, make us feel better. And so the threat of
cyberwar is being grossly exaggerated and I think it's being done
for a reason. This is a power grab by government. What Mike
McConnell didn't mention is that grossly exaggerating a threat of
cyberwar is incredibly profitable.
The debate:
http://www.npr.org/templates/story/story.php?storyId=127861446
The quote:
http://techinsider.nextgov.com/2010/09/the_cyberwar_echo_chamber.php
More of my writings on cyberwar are here:
http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html
** *** ***** ******* *********** *************
Putting Unique Codes on Objects to Detect Counterfeiting
This will help some.
At least two rival systems plan to put unique codes on packages
containing antimalarials and other medications. Buyers will be
able to text the code to a phone number on the package and get an
immediate reply of "NO" or "OK," with the drug's name, expiration
date, and other information.
To defeat the system, the counterfeiter has to copy the bar codes. If the
stores selling to customers are in on the scam, it can be the same code.
If not, there have to be sufficient different bar codes that the store
doesn't detect duplications. Presumably, numbers that are known to have
been copied are added to the database, so the counterfeiters need to keep
updating their codes. And presumably the codes are cryptographically hard
to predict, so the only way to keep updating them is to look at legitimate
products.
Another attack would be to intercept the verification system. A
man-in-the-middle attack against the phone number or the website would be
difficult, but presumably the verification information would be on the
object itself. It would be easy to swap in a fake phone number that would
verify anything.
It'll be interesting to see how the counterfeiters get around this
security measure.
http://www.businessweek.com/magazine/content/10_21/b4179037128534.htm
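The verification scheme sketched above, as an added example that is not from Schneier's essay or from either vendor's system: a toy server that issues unpredictable package codes and revokes a code the second time it is verified, which is the "numbers known to have been copied" step the essay presumes. The key, the product strings and the one-check-per-package threshold are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class PackageCodeVerifier:
    """Toy model of the text-the-code verification service described above.

    Codes are a random nonce plus a short HMAC tag, so a counterfeiter who has
    seen some legitimate codes cannot predict others: the only way to obtain a
    valid code is to copy one from a real package. The server counts how often
    each code is verified, and a code that turns up on a second package is
    treated as copied and revoked. All values here are constructed for the demo.
    """

    NONCE_LEN = 8   # bytes of randomness per code
    TAG_LEN = 4     # bytes of HMAC tag printed on the package

    def __init__(self, key: bytes, max_checks: int = 1):
        self._key = key
        self._issued = {}                 # code -> (product, expiry)
        self._checks = defaultdict(int)   # code -> successful verifications
        self._revoked = set()
        # How many "OK" replies one code may receive before it counts as copied.
        # 1 assumes each package is checked once at sale; a real deployment
        # would allow a small number of rechecks by the same buyer.
        self.max_checks = max_checks

    def _tag(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()[: self.TAG_LEN]

    def issue(self, product: str, expiry: str) -> str:
        """Mint one code for a package and record what it belongs to."""
        nonce = secrets.token_bytes(self.NONCE_LEN)
        code = (nonce + self._tag(nonce)).hex().upper()
        self._issued[code] = (product, expiry)
        return code

    def verify(self, code: str):
        """Return ("OK", info) or ("NO", reason), as the SMS reply would."""
        code = code.strip().upper()
        try:
            raw = bytes.fromhex(code)
        except ValueError:
            return "NO", "MALFORMED"
        if len(raw) != self.NONCE_LEN + self.TAG_LEN:
            return "NO", "MALFORMED"
        nonce, tag = raw[: self.NONCE_LEN], raw[self.NONCE_LEN :]
        # A guessed code fails here with overwhelming probability; the
        # constant-time compare keeps the tag check from leaking anything.
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return "NO", "UNKNOWN"
        if code in self._revoked:
            return "NO", "REVOKED"
        if code not in self._issued:
            return "NO", "UNKNOWN"
        self._checks[code] += 1
        if self._checks[code] > self.max_checks:
            # The same code was just queried from another package: someone
            # copied it, so stop vouching for it from now on.
            self._revoked.add(code)
            return "NO", "DUPLICATE"
        product, expiry = self._issued[code]
        return "OK", f"{product}, expires {expiry}"


if __name__ == "__main__":
    server = PackageCodeVerifier(b"constructed-demo-key")
    code = server.issue("antimalarial lot A1 (constructed)", "2012-06")
    print(code, server.verify(code))   # first check: OK
    print(code, server.verify(code))   # copied onto a second package: DUPLICATE
    print(server.verify("0011223344556677AABBCCDD"))  # guessed code: UNKNOWN
```

Nothing in this toy addresses the essay's other attack: the phone number or URL printed on the package is only worth anything if the buyer obtains it from a source the counterfeiter cannot alter.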
** *** ***** ******* *********** *************
Schneier News
On October 19, I'll be giving a keynote speech at Information Security
Trends Meeting 2010 in Medellin, Colombia. On October 20, I'll be giving a
keynote in Bogotá, Colombia, as part of the same conference.
http://www.digiware.net/images/stories/istmweb/istm.html
I'll be speaking at the GRC Meeting in Lisbon, Portugal, on October 28.
http://www.grc-meeting.com/
On November 6, I'll be speaking in Milton Keynes, UK, at the annual ACCU
Security Fundraising Conference, in support of the Bletchley Park Trust
and The National Museum of Computing.
http://www.bletchleypark.org.uk/calendar/event_detail.rhtm?cat=special&recI…
or http://tinyurl.com/25pge74
I'll be speaking at the Information Security Forum Annual World Congress
in Monaco on November 7.
https://www.securityforum.org/services/publiccongress/
I'll be speaking at the Gartner Symposium/ITxpo in Nice on November 8.
http://www.gartner.com/technology/symposium/cannes/index.jsp
My musical recording debut. It's not about security.
http://www.schneier.com/blog/archives/2010/10/my_recording_de.html
** *** ***** ******* *********** *************
Stuxnet
Computer security experts are often surprised at which stories get picked
up by the mainstream media. Sometimes it makes no sense. Why this
particular data breach, vulnerability, or worm and not others? Sometimes
it's obvious. In the case of Stuxnet, there's a great story.
As the story goes, the Stuxnet worm was designed and released by a
government--the U.S. and Israel are the most common suspects--specifically
to attack the Bushehr nuclear power plant in Iran. How could anyone not
report that? It combines computer attacks, nuclear power, spy agencies and
a country that's a pariah to much of the world. The only problem with the
story is that it's almost entirely speculation.
Here's what we do know: Stuxnet is an Internet worm that infects Windows
computers. It primarily spreads via USB sticks, which allows it to get
into computers and networks not normally connected to the Internet. Once
inside a network, it uses a variety of mechanisms to propagate to other
machines within that network and gain privilege once it has infected those
machines. These mechanisms include both known and patched vulnerabilities,
and four "zero-day exploits": vulnerabilities that were unknown and
unpatched when the worm was released. (All the infection vulnerabilities
have since been patched.)
Stuxnet doesn't actually do anything on those infected Windows computers,
because they're not the real target. What Stuxnet looks for is a particular
model of Programmable Logic Controller (PLC) made by Siemens (the press
often refers to these as SCADA systems, which is technically incorrect).
These are small embedded industrial control systems that run all sorts of
automated processes: on factory floors, in chemical plants, in oil
refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are
often controlled by computers, and Stuxnet looks for Siemens SIMATIC
WinCC/Step 7 controller software.
If it doesn't find one, it does nothing. If it does, it infects it using
yet another unknown and unpatched vulnerability, this one in the
controller software. Then it reads and changes particular bits of data in
the controlled PLCs. It's impossible to predict the effects of this
without knowing what the PLC is doing and how it is programmed, and that
programming can be unique based on the application. But the changes are
very specific, leading many to believe that Stuxnet is targeting a
specific PLC, or a specific group of PLCs, performing a specific function
in a specific location--and that Stuxnet's authors knew exactly what they
were targeting.
It's already infected more than 50,000 Windows computers, and Siemens has
reported 14 infected control systems, many in Germany. (These numbers were
certainly out of date as soon as I typed them.) We don't know of any
physical damage Stuxnet has caused, although there are rumors that it was
responsible for the failure of India's INSAT-4B satellite in July. We
believe that it did infect the Bushehr plant.
All the anti-virus programs detect and remove Stuxnet from Windows systems.
Stuxnet was first discovered in late June, although there's speculation
that it was released a year earlier. As worms go, it's very complex and
got more complex over time. In addition to the multiple vulnerabilities
that it exploits, it installs its own driver into Windows. These have to
be signed, of course, but Stuxnet used a stolen legitimate certificate.
Interestingly, the stolen certificate was revoked on July 16, and a
Stuxnet variant with a different stolen certificate was discovered on July
17.
Over time the attackers swapped out modules that didn't work and replaced
them with new ones--perhaps as Stuxnet made its way to its intended target.
Those certificates first appeared in January. USB propagation, in March.
Stuxnet has two ways to update itself. It checks back to two control
servers, one in Malaysia and the other in Denmark, but also uses a
peer-to-peer update system: When two Stuxnet infections encounter each
other, they compare versions and make sure they both have the most recent
one. It also has a kill date of June 24, 2012. On that date, the worm will
stop spreading and delete itself.
We don't know who wrote Stuxnet. We don't know why. We don't know what the
target is, or if Stuxnet reached it. But you can see why there is so much
speculation that it was created by a government.
Stuxnet doesn't act like a criminal worm. It doesn't spread
indiscriminately. It doesn't steal credit card information or account
login credentials. It doesn't herd infected computers into a botnet. It
uses multiple zero-day vulnerabilities. A criminal group would be smarter
to create different worm variants and use one in each. Stuxnet performs
sabotage. It doesn't threaten sabotage, like a criminal organization intent
on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people
six months to write. There's also the lab setup--surely any organization
that goes to all this trouble would test the thing before releasing it--and
the intelligence gathering to know exactly how to target it. Additionally,
zero-day exploits are valuable. They're hard to find, and they can only be
used once. Whoever wrote Stuxnet was willing to spend a lot of money to
ensure that whatever job it was intended to do would be done.
None of this points to the Bushehr nuclear power plant in Iran, though.
Best I can tell, this rumor was started by Ralph Langner, a security
researcher from Germany. He labeled his theory "highly speculative," and
based it primarily on the facts that Iran had an unusually high number of
infections (the rumor that it had the most infections of any country seems
not to be true), that the Bushehr nuclear plant is a juicy target, and that
some of the other countries with high infection rates--India, Indonesia,
and Pakistan--are countries where the same Russian contractor involved in
Bushehr is also involved. This rumor moved into the computer press and then
into the mainstream press, where it became the accepted story, without any
of the original caveats.
Once a theory takes hold, though, it's easy to find more evidence. The
word "myrtus" appears in the worm: an artifact that the compiler left,
possibly by accident. That's the myrtle plant. Of course, that doesn't
mean that druids wrote Stuxnet. According to the story, it refers to Queen
Esther, also known as Hadassah; she saved the Persian Jews from genocide in
the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
Stuxnet also sets a registry value of "19790509" to alert new copies of
Stuxnet that the computer has already been infected. It's rather obviously
a date, but instead of looking at the gazillion things--large and
small--that happened on that date, the story insists it refers to the
date Persian Jew Habib Elghanian was executed in Tehran for spying for
Israel.
Sure, these markers could point to Israel as the author. On the other
hand, Stuxnet's authors were uncommonly thorough about not leaving clues
in their code; the markers could have been deliberately planted by someone
who wanted to frame Israel. Or they could have been deliberately planted by
Israel, who wanted us to think they were planted by someone who wanted to
frame Israel. Once you start walking down this road, it's impossible to
know when to stop.
Another number found in Stuxnet is 0xDEADF007. Perhaps that means "Dead
Fool" or "Dead Foot," a term that refers to an airplane engine failure.
Perhaps this means Stuxnet is trying to cause the targeted system to fail.
Or perhaps not. Still, a targeted worm designed to cause a specific
sabotage seems to be the most likely explanation.
If that's the case, why is Stuxnet so sloppily targeted? Why doesn't
Stuxnet erase itself when it realizes it's not in the targeted network?
When it infects a network via USB stick, it's supposed to only spread to
three additional computers and to erase itself after 21 days--but it
doesn't do that. A mistake in programming, or a feature in the code not
enabled? Maybe we're not supposed to reverse engineer the target. By
allowing Stuxnet to spread globally, its authors committed collateral
damage worldwide. From a foreign policy perspective, that seems dumb. But
maybe Stuxnet's authors didn't care.
My guess is that Stuxnet's authors, and its target, will forever remain a
mystery.
This essay originally appeared on Forbes.com.
http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-…
or http://tinyurl.com/29bhajd
My alternate explanations for Stuxnet were cut from the essay. Here they
are:
1. A research project that got out of control. Researchers have
accidentally released worms before. But given the press, and the fact
that any researcher working on something like this would be talking to
friends, colleagues, and his advisor, I would expect someone to have outed
him by now, especially if it was done by a team.
2. A criminal worm designed to demonstrate a capability. Sure, that's
possible. Stuxnet could be a prelude to extortion. But I think a cheaper
demonstration would be just as effective. Then again, maybe not.
3. A message. It's hard to speculate any further, because we don't know
who the message is for, or its context. Presumably the intended recipient
would know. Maybe it's a "look what we can do" message. Or an "if you
don't listen to us, we'll do worse next time" message. Again, it's a very
expensive message, but maybe one of the pieces of the message is "we have
so many resources that we can burn four or five man-years of effort and
four zero-day vulnerabilities just for the fun of it." If that message
were for me, I'd be impressed.
4. A worm released by the U.S. military to scare the government into
giving it more budget and power over cybersecurity. Nah, that sort of
conspiracy is much more common in fiction than in real life.
Note that some of these alternate explanations overlap.
http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-des…
or http://tinyurl.com/37aqurn
reported:
http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_ind…
or http://tinyurl.com/32lsl8b
http://blogs.forbes.com/firewall/2010/09/29/did-the-stuxnet-worm-kill-india…
or http://tinyurl.com/26jkaw8
http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/
http://www.nytimes.com/2010/09/27/technology/27virus.html
http://www.symantec.com/connect/blogs/stuxnet-print-spooler-zero-day-vulner…
or http://tinyurl.com/2fh7hr9
http://news.cnet.com/8301-27080_3-20018530-245.html
http://sites.google.com/site/n3td3v/latest/whatweknowaboutstuxnet
http://antivirus.about.com/b/2010/10/02/debunking-the-bunk-of-stuxnet.htm
or http://tinyurl.com/237yed9
http://frank.geekheim.de/?p=1189
Good technical info on Stuxnet:
http://www.f-secure.com/weblog/archives/00002040.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/wh…
or http://tinyurl.com/36y7jzb
Ralph Langner:
http://www.langner.com/en/
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer and
otherwise. You can subscribe, unsubscribe, or change your address on the
Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security
Technology Officer of BT BCSG, and is on the Board of Directors of the
Electronic Privacy Information Center (EPIC). He is a frequent writer and
lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2010 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
>> And once you get these things in place you never know where it will end...
> That, OTOH, is true.
>
Actually, we do.
Every time a country creates a list, even though you wouldn't expect it
from these respectable countries, politicians and policemen with their
good intentions, somehow things end up on these lists which should not
be there, every single time.
Obviously, these lists are secret because otherwise the bad people can
use them as a pointer where to go.
So there is no oversight.
They do however end up on Wikileaks and then you see that there are lots
of other things on these lists.
To start with the websites of the people who oppose such lists and
political movements (even though the countries are democracies).
Or websites like the Pirate Bay, Wikileaks or even Wikipedia.
As we all know, these lists don't work anyway.
So it does not prevent the people who are looking for this content to
get to this content and the people who are performing these acts with
these children are not stopped by this.
One of the most heard arguments from the politicians (or more likely from
the lobbyists) is that it is hard to get websites removed or deleted when
they are in other countries. Which may sound plausible until you look at
what Paypal and the banks can achieve: they get websites removed in a
day or 2, mostly hours.
Most of the time by just sending an e-mail or picking up the phone.
I know people can have really heated discussions about these subjects
("think of the kids"), but that does not mean we should not make clear
headed decisions in the end.
Another often heard argument is that we should prevent all the other
people, and especially children, from running into this filth on the
Internet.
Which is also an interesting argument, because people who share this
kind of content do not do this openly, they don't want to be discovered.
They don't use misleading advertisement where people might click on to
lure them in.
As I understand it, they password protect their content or use VPNs and
share links by word of mouth.
Doesn't matter how you look at it, it is much more effective to go after
the people that do this than to argue about or set up these blacklists.
Have a nice day,
Leen.
----- End forwarded message -----
Re: [FoRK] Reminder: ZSF launch event tomorrow! Please help spread the word if you can!
by Gregory Alan Bolcer 06 Jul '18
You keep changing the subject.
The idea that all money is equivalent is the argument bitcoin wants to
make. You asked for flaws in that argument, so I played devil's advocate.
The flaw is that bitcoin is not accredited and the amortized value is being
fed by criminal activity.
The legal argument against Napster was that it was solely a criminal
enterprise, whose only purpose was to steal copyrighted material, and the
criminal activity was not separate from the purpose of its being. Further,
everything that it was and will ever be, would never evolve past the
ability to steal copyrighted material. (You can agree or disagree with
that, but that was the determination that led to its downfall).
That's not to say that bitcoin (or Napster which failed to do so) can't
evolve past a criminal enterprise. I was simply pointing out that it
hasn't done so thus far and the mechanisms it's using are incentivized so
that investors have a vested stake to cover up or remain willfully
ignorant of that criminal activity.
In the RISKS part of the transhumanist/bci portfolio, the over-dependence
on bitcoin should be spelled out as a specific risk, unless of course the
ZS people truly believe they are post-logical and true believers, which
would make them a cult and not the ultra-logical transhumanists they truly
believe.
I'm not claiming what you state below, only that the market which was set
up has yet to evolve past the tipping point. Do you believe bitcoin has
evolved past a criminal enterprise?
Greg
On 11/16/2012 9:45 AM, Eugen Leitl wrote:
> On Fri, Nov 16, 2012 at 09:29:58AM -0800, Gregory Alan Bolcer wrote:
>
>> Wouldn't that be a logical fallacy? You don't remember the Napster
>> legal arguments do you?
>
> I don't recall these arguments. I see no problem with P2P in general,
> by the way. I'm not happy that Ents are persecuted by tree killers,
> too, not that I personally care about trees.
>
> But money definitely has utility, and claiming that money is
> tainted because it's being used by evil, bad, no good people
> does not follow any recognizable chain of logic, at least
> none I'm familiar with.
> _______________________________________________
> FoRK mailing list
> http://xent.com/mailman/listinfo/fork
>
--
greg(a)bolcer.org, http://bolcer.org, c: +1.714.928.5476
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork
----- End forwarded message -----
Orwell was an amateur djf
------ Forwarded Message
From: Lauren Weinstein <lauren(a)vortex.com>
Date: Wed, 12 Jan 2005 11:38:28 -0800
To: <dave(a)farber.net>
Cc: <lauren(a)vortex.com>
Subject: No expectation of privacy in public? In a pig's eye!
Dave,
It's time to blow the lid off this "no expectation of privacy in
public places" argument that judges and law enforcement now spout out
like demented parrots in so many situations.
Technology has rendered that argument meaningless -- unless we
intend to permit a pervasive surveillance slave society to become
our future -- which apparently is the goal among some parties.
It is incredibly disingenuous to claim that cameras (increasingly
tied to face recognition software) and GPS tracking devices (which
could end up being standard in new vehicles as part of their
instrumentation black boxes), etc. are no different than cops
following suspects.
Technology will effectively allow everyone to be followed all of the
time. Unless society agrees that everything you do outside the
confines of your home and office should be available to authorities
on demand -- even retrospectively via archived images and data -- we
are going down an incredibly dangerous hole.
I use the "slimy guy in the raincoat" analogy. Let's say the
government arranged for everyone to be followed at all times in
public by slimy guys in raincoats. Each has a camera and clipboard,
and wherever you go in public, they are your shadow. They keep
snapping photos of where you go and where you look. They're
constantly jotting down the details of your movements. When you go
into your home, they wait outside, ready to start shadowing you
again as soon as you step off your property. Every day, they report
everything they've learned about you to a government database.
Needless to say, most people would presumably feel incredibly
violated by such a scenario, even though it's all taking place in
that public space where we're told that we have no expectation of
privacy.
Technology is creating the largely invisible equivalent of that guy
in the raincoat, ready to tail us all in perpetuity. If we don't
control him, he will most assuredly control us.
--Lauren--
Lauren Weinstein
lauren(a)pfir.org or lauren(a)vortex.com or lauren(a)privacyforum.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
- - -
>
> ------ Forwarded Message
> From: Gregory Hicks <ghicks(a)cadence.com>
> Reply-To: Gregory Hicks <ghicks(a)cadence.com>
> Date: Wed, 12 Jan 2005 09:42:03 -0800 (PST)
> To: <dave(a)farber.net>
> Cc: <ghicks(a)metis.cadence.com>
> Subject: Ruling gives cops leeway with GPS
>
> Dave:
>
> For IP if you wish...
>
> http://timesunion.com/AspStories/storyprint.asp?StoryID=322152
>
> Ruling gives cops leeway with GPS
> Decision allows use of vehicle tracking device without a warrant
>
> By BRENDAN LYONS, Staff writer
> First published: Tuesday, January 11, 2005
>
> In a decision that could dramatically affect criminal investigations
> nationwide, a federal judge has ruled police didn't need a warrant when
> they attached a satellite tracking device to the underbelly of a car
> being driven by a suspected Hells Angels operative.
>
> [...snip...]
>
> All Times Union materials copyright 1996-2005, Capital Newspapers
> Division of The Hearst Corporation, Albany, N.Y.
>
>
------ End of Forwarded Message
-------------------------------------
You are subscribed as eugen(a)leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <leitl>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
<http://www.nytimes.com/2007/02/20/business/worldbusiness/20privacy.html?th=…>
The New York Times
February 20, 2007
Europe's Plan to Track Phone and Net Use
By VICTORIA SHANNON
PARIS, Feb. 19 - European governments are preparing legislation to require
companies to keep detailed data about people's Internet and phone use that
goes beyond what the countries will be required to do under a European
Union directive.
In Germany, a proposal from the Ministry of Justice would essentially
prohibit using false information to create an e-mail account, making the
standard Internet practice of creating accounts with pseudonyms illegal.
A draft law in the Netherlands would likewise go further than the European
Union requires, in this case by requiring phone companies to save records
of a caller's precise location during an entire mobile phone conversation.
Even now, Internet service providers in Europe divulge customer information
- which they normally keep on hand for about three months, for billing
purposes - to police officials with legally valid orders on a routine
basis, said Peter Fleischer, the Paris-based European privacy counsel for
Google. The data concerns how the communication was sent and by whom but
not its content.
But law enforcement officials argued after the terrorist bombings in Spain
and Britain that they needed better and longer data storage from companies
handling Europe's communications networks.
European Union countries have until 2009 to put the Data Retention
Directive into law, so the proposals seen now are early interpretations.
But some people involved in the issue are concerned about a shift in policy
in Europe, which has long been a defender of individuals' privacy rights.
Under the proposals in Germany, consumers theoretically could not create
fictitious e-mail accounts, to disguise themselves in online auctions, for
example. Nor could they use a made-up account to use for receiving
commercial junk mail. While e-mail aliases would not be banned, they would
have to be traceable to the actual account holder.
"This is an incredibly bad thing in terms of privacy, since people have
grown up with the idea that you ought to be able to have an anonymous
e-mail account," Mr. Fleischer said. "Moreover, it's totally unenforceable
and would never work."
Mr. Fleischer said the law would have to require some kind of identity
verification, "like you may have to register for an e-mail address with
your national ID card."
Jörg Hladjk, a privacy lawyer at Hunton & Williams, a Brussels law firm,
said that might also mean that it could become illegal to pay cash for
prepaid cellphone accounts. The billing information for regular cellphone
subscriptions is already verified.
Mr. Fleischer said: "It's ironic, because Germany is one of the countries
in Europe where people talk the most about privacy. In terms of
consciousness of privacy in general, I would put Germany at the extreme
end."
He said it was not clear that any European law would apply to e-mail
providers based in the United States, like Google, so anyone who needed an
unverified e-mail address - for political, commercial or philosophical
reasons - could still use Gmail, Yahoo or Hotmail addresses.
Mr. Hladjk said, "It's going to be difficult to know which law applies."
Google requires only two pieces of information to open a Gmail account - a
name and a password - and the company does not try to determine whether the
name is authentic.
In the Netherlands, the proposed extension of the law on phone company
records to all mobile location data "implies surveillance of the movement
of large amounts of innocent citizens," the Dutch Data Protection Agency
has said. The agency concluded in January that the draft disregarded
privacy protections in the European Convention on Human Rights. Similarly,
the German technology trade association Bitkom said the draft there
violated the German Constitution.
Internet and telecommunications industry associations raised objections
when the directive was being debated, but at that time their concerns were
for the length of time the data would have to be stored and how the
companies would be compensated for the cost of gathering and keeping the
information. The directive ended up leaving both decisions in the hands of
national governments, setting a range of six months to two years. The
German draft settled on six months, while in Spain the proposal is for a
year, and in the Netherlands it is 18 months.
"There are not a lot of people in Germany who support this draft entirely,"
said Christian Spahr, a spokesman for Bitkom. "But there are others who are
more critical of it than we are."
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips(a)philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
1
0
Orwell was an amateur djf
------ Forwarded Message
From: Lauren Weinstein <lauren(a)vortex.com>
Date: Wed, 12 Jan 2005 11:38:28 -0800
To: <dave(a)farber.net>
Cc: <lauren(a)vortex.com>
Subject: No expectation of privacy in public? In a pig's eye!
Dave,
It's time to blow the lid off this "no expectation of privacy in
public places" argument that judges and law enforcement now spout out
like demented parrots in so many situations.
Technology has rendered that argument meaningless -- unless we
intend to permit a pervasive surveillance slave society to become
our future -- which apparently is the goal among some parties.
It is incredibly disingenuous to claim that cameras (increasingly
tied to face recognition software) and GPS tracking devices (which
could end up being standard in new vehicles as part of their
instrumentation black boxes), etc. are no different than cops
following suspects.
Technology will effectively allow everyone to be followed all of the
time. Unless society agrees that everything you do outside the
confines of your home and office should be available to authorities
on demand -- even retrospectively via archived images and data -- we
are going down an incredibly dangerous hole.
I use the "slimy guy in the raincoat" analogy. Let's say the
government arranged for everyone to be followed at all times in
public by slimy guys in raincoats. Each has a camera and clipboard,
and wherever you go in public, they are your shadow. They keep
snapping photos of where you go and where you look. They're
constantly jotting down the details of your movements. When you go
into your home, they wait outside, ready to start shadowing you
again as soon as you step off your property. Every day, they report
everything they've learned about you to a government database.
Needless to say, most people would presumably feel incredibly
violated by such a scenario, even though it's all taking place in
that public space where we're told that we have no expectation of
privacy.
Technology is creating the largely invisible equivalent of that guy
in the raincoat, ready to tail us all in perpetuity. If we don't
control him, he will most assuredly control us.
--Lauren--
Lauren Weinstein
lauren(a)pfir.org or lauren(a)vortex.com or lauren(a)privacyforum.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
- - -
>
> ------ Forwarded Message
> From: Gregory Hicks <ghicks(a)cadence.com>
> Reply-To: Gregory Hicks <ghicks(a)cadence.com>
> Date: Wed, 12 Jan 2005 09:42:03 -0800 (PST)
> To: <dave(a)farber.net>
> Cc: <ghicks(a)metis.cadence.com>
> Subject: Ruling gives cops leeway with GPS
>
> Dave:
>
> For IP if you wish...
>
> http://timesunion.com/AspStories/storyprint.asp?StoryID=322152
>
> Ruling gives cops leeway with GPS
> Decision allows use of vehicle tracking device without a warrant
>
> By BRENDAN LYONS, Staff writer
> First published: Tuesday, January 11, 2005
>
> In a decision that could dramatically affect criminal investigations
> nationwide, a federal judge has ruled police didn't need a warrant when
> they attached a satellite tracking device to the underbelly of a car
> being driven by a suspected Hells Angels operative.
>
> [...snip...]
>
> All Times Union materials copyright 1996-2005, Capital Newspapers
> Division of The Hearst Corporation, Albany, N.Y.
>
>
------ End of Forwarded Message
-------------------------------------
You are subscribed as eugen(a)leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
1
0
<http://www.nytimes.com/2007/02/20/business/worldbusiness/20privacy.html?th=…>
The New York Times
February 20, 2007
Europe's Plan to Track Phone and Net Use
By VICTORIA SHANNON
PARIS, Feb. 19 - European governments are preparing legislation to require
companies to keep detailed data about people's Internet and phone use that
goes beyond what the countries will be required to do under a European
Union directive.
In Germany, a proposal from the Ministry of Justice would essentially
prohibit using false information to create an e-mail account, making the
standard Internet practice of creating accounts with pseudonyms illegal.
A draft law in the Netherlands would likewise go further than the European
Union requires, in this case by requiring phone companies to save records
of a caller's precise location during an entire mobile phone conversation.
Even now, Internet service providers in Europe divulge customer information
- which they normally keep on hand for about three months, for billing
purposes - to police officials with legally valid orders on a routine
basis, said Peter Fleischer, the Paris-based European privacy counsel for
Google. The data concerns how the communication was sent and by whom but
not its content.
But law enforcement officials argued after the terrorist bombings in Spain
and Britain that they needed better and longer data storage from companies
handling Europe's communications networks.
European Union countries have until 2009 to put the Data Retention
Directive into law, so the proposals seen now are early interpretations.
But some people involved in the issue are concerned about a shift in policy
in Europe, which has long been a defender of individuals' privacy rights.
Under the proposals in Germany, consumers theoretically could not create
fictitious e-mail accounts, to disguise themselves in online auctions, for
example. Nor could they use a made-up account for receiving
commercial junk mail. While e-mail aliases would not be banned, they would
have to be traceable to the actual account holder.
"This is an incredibly bad thing in terms of privacy, since people have
grown up with the idea that you ought to be able to have an anonymous
e-mail account," Mr. Fleischer said. "Moreover, it's totally unenforceable
and would never work."
Mr. Fleischer said the law would have to require some kind of identity
verification, "like you may have to register for an e-mail address with
your national ID card."
Jörg Hladjk, a privacy lawyer at Hunton & Williams, a Brussels law firm,
said that might also mean that it could become illegal to pay cash for
prepaid cellphone accounts. The billing information for regular cellphone
subscriptions is already verified.
Mr. Fleischer said: "It's ironic, because Germany is one of the countries
in Europe where people talk the most about privacy. In terms of
consciousness of privacy in general, I would put Germany at the extreme
end."
He said it was not clear that any European law would apply to e-mail
providers based in the United States, like Google, so anyone who needed an
unverified e-mail address - for political, commercial or philosophical
reasons - could still use Gmail, Yahoo or Hotmail addresses.
Mr. Hladjk said, "It's going to be difficult to know which law applies."
Google requires only two pieces of information to open a Gmail account - a
name and a password - and the company does not try to determine whether the
name is authentic.
In the Netherlands, the proposed extension of the law on phone company
records to all mobile location data "implies surveillance of the movement
of large amounts of innocent citizens," the Dutch Data Protection Agency
has said. The agency concluded in January that the draft disregarded
privacy protections in the European Convention on Human Rights. Similarly,
the German technology trade association Bitkom said the draft there
violated the German Constitution.
Internet and telecommunications industry associations raised objections
when the directive was being debated, but at that time their concerns were
for the length of time the data would have to be stored and how the
companies would be compensated for the cost of gathering and keeping the
information. The directive ended up leaving both decisions in the hands of
national governments, setting a range of six months to two years. The
German draft settled on six months, while in Spain the proposal is for a
year, and in the Netherlands it is 18 months.
"There are not a lot of people in Germany who support this draft entirely,"
said Christian Spahr, a spokesman for Bitkom. "But there are others who are
more critical of it than we are."
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips(a)philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Springer has informed me that the FC98 Proceedings have just been
published online. They are available at:
http://link.springer.de/link/service/series/0558/tocs/t1465.htm
or
http://link.springer-ny.com/link/service/series/0558/tocs/t1465.htm
_______________________________________________
fc mailing list
fc(a)ifca.ai
http://mail.ifca.ai/mailman/listinfo/fc
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'