cypherpunks-legacy
Threads by month
- ----- 2025 -----
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1998 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1997 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1996 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1995 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1994 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1993 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1992 -----
- December
- November
- October
- September
July 2018
- 1371 participants
- 9656 discussions
[liberationtech] ETH ZC<rich Systems Design Publication: The Network of Global Corporate Control
by Moritz Bartl 05 Jul '18
by Moritz Bartl 05 Jul '18
05 Jul '18
http://arxiv.org/abs/1107.5728
Stefania Vitali, James B. Glattfelder, Stefano Battiston
Chair of Systems Design, ETH ZC<rich
(Submitted on 28 Jul 2011, last revised 19 Sep 2011)
The structure of the control network of transnational corporations
affects global market competition and financial stability. So far, only
small national samples were studied and there was no appropriate
methodology to assess control globally. We present the first
investigation of the architecture of the …
[View More]international ownership
network, along with the computation of the control held by each global
player. We find that transnational corporations form a giant bow-tie
structure and that a large portion of control flows to a small
tightly-knit core of financial institutions. This core can be seen as an
economic "super-entity" that raises new important issues both for
researchers and policy makers.
>QUOTE:
This is the o,rst time a ranking of economic actors by global control is
presented. Notice that many actors belong to the o,nancial sector and
many of the names are well-known global players. The interest of this
ranking is not that it exposes unsuspected powerful players. Instead, it
shows that many of the top actors belong to the core. This means that
they do not carry out their business in isolation but, on the contrary,
they are tied together in an extremely entangled web of control. This
o,nding is extremely important since there was no prior economic theory
or empirical evidence regarding whether and how top players are
connected. Finally, it should be noted that governments and natural
persons are only featured further down in the list.
(via
http://www.newscientist.com/article/mg21228354.500-revealed--the-capitalist…
, quoted below: )
AS PROTESTS against financial power sweep the world this week, science
may have confirmed the protesters' worst fears. An analysis of the
relationships between 43,000 transnational corporations has identified a
relatively small group of companies, mainly banks, with disproportionate
power over the global economy.
The 1318 transnational corporations that form the core of the economy.
Superconnected companies are red, very connected companies are yellow.
The study's assumptions have attracted some criticism, but complex
systems analysts contacted by New Scientist say it is a unique effort to
untangle control in the global economy. Pushing the analysis further,
they say, could help to identify ways of making global capitalism more
stable.
The idea that a few bankers control a large chunk of the global economy
might not seem like news to New York's Occupy Wall Street movement and
protesters elsewhere. But the study, by a trio of complex systems
theorists at the Swiss Federal Institute of Technology in Zurich, is the
first to go beyond ideology to empirically identify such a network of
power. It combines the mathematics long used to model natural systems
with comprehensive corporate data to map ownership among the world's
transnational corporations (TNCs).
"Reality is so complex, we must move away from dogma, whether it's
conspiracy theories or free-market," says James Glattfelder. "Our
analysis is reality-based."
Previous studies have found that a few TNCs own large chunks of the
world's economy, but they included only a limited number of companies
and omitted indirect ownerships, so could not say how this affected the
global economy - whether it made it more or less stable, for instance.
The Zurich team can. From Orbis 2007, a database listing 37 million
companies and investors worldwide, they pulled out all 43,060 TNCs and
the share ownerships linking them. Then they constructed a model of
which companies controlled others through shareholding networks, coupled
with each company's operating revenues, to map the structure of economic
power.
The work, to be published in PloS One, revealed a core of 1318 companies
with interlocking ownerships (see image). Each of the 1318 had ties to
two or more other companies, and on average they were connected to 20.
What's more, although they represented 20 per cent of global operating
revenues, the 1318 appeared to collectively own through their shares the
majority of the world's large blue chip and manufacturing firms - the
"real" economy - representing a further 60 per cent of global revenues.
When the team further untangled the web of ownership, it found much of
it tracked back to a "super-entity" of 147 even more tightly knit
companies - all of their ownership was held by other members of the
super-entity - that controlled 40 per cent of the total wealth in the
network. "In effect, less than 1 per cent of the companies were able to
control 40 per cent of the entire network," says Glattfelder. Most were
financial institutions. The top 20 included Barclays Bank, JPMorgan
Chase & Co, and The Goldman Sachs Group.
John Driffill of the University of London, a macroeconomics expert, says
the value of the analysis is not just to see if a small number of people
controls the global economy, but rather its insights into economic
stability.
Concentration of power is not good or bad in itself, says the Zurich
team, but the core's tight interconnections could be. As the world
learned in 2008, such networks are unstable. "If one [company] suffers
distress," says Glattfelder, "this propagates."
"It's disconcerting to see how connected things really are," agrees
George Sugihara of the Scripps Institution of Oceanography in La Jolla,
California, a complex systems expert who has advised Deutsche Bank.
Yaneer Bar-Yam, head of the New England Complex Systems Institute
(NECSI), warns that the analysis assumes ownership equates to control,
which is not always true. Most company shares are held by fund managers
who may or may not control what the companies they part-own actually do.
The impact of this on the system's behaviour, he says, requires more
analysis.
Crucially, by identifying the architecture of global economic power, the
analysis could help make it more stable. By finding the vulnerable
aspects of the system, economists can suggest measures to prevent future
collapses spreading through the entire economy. Glattfelder says we may
need global anti-trust rules, which now exist only at national level, to
limit over-connection among TNCs. Bar-Yam says the analysis suggests one
possible solution: firms should be taxed for excess interconnectivity to
discourage this risk.
One thing won't chime with some of the protesters' claims: the
super-entity is unlikely to be the intentional result of a conspiracy to
rule the world. "Such structures are common in nature," says Sugihara.
Newcomers to any network connect preferentially to highly connected
members. TNCs buy shares in each other for business reasons, not for
world domination. If connectedness clusters, so does wealth, says Dan
Braha of NECSI: in similar models, money flows towards the most highly
connected members. The Zurich study, says Sugihara, "is strong evidence
that simple rules governing TNCs give rise spontaneously to highly
connected groups". Or as Braha puts it: "The Occupy Wall Street claim
that 1 per cent of people have most of the wealth reflects a logical
phase of the self-organising economy."
So, the super-entity may not result from conspiracy. The real question,
says the Zurich team, is whether it can exert concerted political power.
Driffill feels 147 is too many to sustain collusion. Braha suspects they
will compete in the market but act together on common interests.
Resisting changes to the network structure may be one such common interest.
The top 50 of the 147 superconnected companies
1. Barclays plc
2. Capital Group Companies Inc
3. FMR Corporation
4. AXA
5. State Street Corporation
6. JP Morgan Chase & Co
7. Legal & General Group plc
8. Vanguard Group Inc
9. UBS AG
10. Merrill Lynch & Co Inc
11. Wellington Management Co LLP
12. Deutsche Bank AG
13. Franklin Resources Inc
14. Credit Suisse Group
15. Walton Enterprises LLC
16. Bank of New York Mellon Corp
17. Natixis
18. Goldman Sachs Group Inc
19. T Rowe Price Group Inc
20. Legg Mason Inc
21. Morgan Stanley
22. Mitsubishi UFJ Financial Group Inc
23. Northern Trust Corporation
24. SociC)tC) GC)nC)rale
25. Bank of America Corporation
26. Lloyds TSB Group plc
27. Invesco plc
28. Allianz SE 29. TIAA
30. Old Mutual Public Limited Company
31. Aviva plc
32. Schroders plc
33. Dodge & Cox
34. Lehman Brothers Holdings Inc*
35. Sun Life Financial Inc
36. Standard Life plc
37. CNCE
38. Nomura Holdings Inc
39. The Depository Trust Company
40. Massachusetts Mutual Life Insurance
41. ING Groep NV
42. Brandes Investment Partners LP
43. Unicredito Italiano SPA
44. Deposit Insurance Corporation of Japan
45. Vereniging Aegon
46. BNP Paribas
47. Affiliated Managers Group Inc
48. Resona Holdings Inc
49. Capital Group International Inc
50. China Petrochemical Group Company
* Lehman still existed in the 2007 dataset used
Graphic: The 1318 transnational corporations that form the core of the
economy
(Data: PLoS One)
--
Moritz Bartl
https://www.torservers.net/
_______________________________________________
liberationtech mailing list
liberationtech(a)lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[View Less]
1
0
>> like the NSA for example, consider that they haven't yet managed to track
>> down the guys running the Silk Road drug site (http://silkroadvb5piz3r.onion)
Call me stupid, but I actually think the NSA does have the capability to
locate Tor hidden services, even if only those existing within the USA. But
as usual, they may be restricted from originally passing it to enforcement,
or from producing data at bequest of same. Or for whatever reason, no one
cares, or wishes to keep …
[View More]capabilties or bigger fish under wraps. Nothing new
here.
> Do you know who runs Silk Road?
Silk Road will likely go down via the usual means... some Joe somewhere
flapping their gums, a street grudge, too much bling, etc. Just as with
Farmer's Market, the case files will certainly make for interesting reading.
But not really tell us much about Tor :(
_______________________________________________
tor-talk mailing list
tor-talk(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[View Less]
1
0
Link: http://slashdot.org/article.pl?sid=04/10/10/1716256
Posted by: timothy, on 2004-10-10 17:18:00
from the fbi-just-along-for-the-ride dept.
[1]daveschroeder writes "According to [2]this Indymedia.org article
and [3]AFP report, the request to seize Indymedia servers hosted by a
U.S. company in the UK (covered in this [4]previous slashdot story)
originated from government agencies in Italy and Switzerland, not the
United States. Because Indymedia's hosting company, …
[View More]Rackspace.com, is
a U.S. company, the FBI coordinated the request and accompanied UK
Metropolitan Police on the seizure under the auspices of the [5]Mutual
Legal Assistance Treaty (MLAT), an international legal treaty, but,
according to an FBI spokesman, 'It is not an FBI operation. Through
[MLAT], the subpoena was on behalf of a third country.'" Read on below
for more.
daveschroeder continues: "Rackspace's statement reads, 'In the present
matter regarding Indymedia, Rackspace Managed Hosting, a U.S. based
company with offices in London, is acting in compliance with a court
order pursuant to a Mutual Legal Assistance Treaty (MLAT), which
establishes procedures for countries to assist each other in
investigations such as international terrorism, kidnapping and money
laundering. Rackspace responded to a Commissioner's subpoena, duly
issued under Title 28, United States Code, Section 1782 in an
investigation that did not arise in the United States. Rackspace is
acting as a good corporate citizen and is cooperating with
international law enforcement authorities. The court prohibits
Rackspace from commenting further on this matter.'"
References
1. mailto:dasNO@SPAMdoit.wisc.edu
2. http://www.indymedia.org/en/2004/10/112047.shtml
3.
http://story.news.yahoo.com/news?tmpl=story&cid=1509&ncid=738&e=6&u=/afp/20…
1008/tc_afp/us_internet_justice
4. http://yro.slashdot.org/article.pl?sid=04/10/07/204217&tid=153
5. http://travel.state.gov/law/mlat.html
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
[View Less]
1
0
05 Jul '18
dark
<http://www.theglobeandmail.com/servlet/story/RTGAM.20060626.wcse0626/BNStory
/National/home>
Canada's high-tech spies leave Lamer in the dark
JIM BRONSKILL
Canadian Press
[The Globe and Mail, June 27, 2006]
Ottawa b The watchdog over Canada's eavesdropping agency says he's not
getting the detailed information he needs to be sure the secretive spy
outfit is obeying the rules.
In his annual report, Antonio Lamer laments a "lack of clarity" in the
information the Communications …
[View More]Security Establishment provides when
seeking ministerial permission for sensitive operations.
The disagreement raises questions about whether Mr. Lamer, as CSE
commissioner, can provide full assurances that the spy agency is
meeting all legal requirements.
The Ottawa-based CSE, an ultra-secret wing of the Defence Department,
monitors foreign radio, telephone, fax, satellite and computer traffic
for information of interest to Canada. The intelligence is used in
support of Canadian crime-fighting, defence and trade policies.
Military listening posts assist the agency's efforts to intercept the
communications of foreign states and organizations, as well as the
phone calls and messages of suspected terrorists, drug traffickers and
smugglers.
The CSE has long been prohibited from directing its surveillance at
Canadians or anybody in Canada.
However, the Anti-Terrorism Act of 2001 gave the CSE authority to tap
into conversations and messages even if those communications begin or
end in Canada.
For instance, the CSE could now intercept a phone call from a member
of Osama bin Laden's al-Qaeda network somewhere in Asia to a residence
in Montreal.
Various safeguards, including the need for the defence minister's
approval, were built into the practice.
Mr. Lamer, a former Supreme Court chief justice, recently concluded
his term as CSE commissioner, an independent watchdog who scrutinizes
the spy agency's activities to ensure compliance with the law.
In his final report, he says there should be a clear linkage between
the government's intelligence priorities, the targets chosen and the
activities for which ministerial approval is needed.
But supporting documentation provided by the CSE as part of its
requests for authorization address foreign intelligence requirements
"only in general terms."
The dispute stems from differing legal interpretations held by Mr.
Lamer's independent counsel and the deputy minister of Justice, whose
department provides legal direction to the CSE.
"The lack of clarity in this regard has made it difficult for my staff
to assess compliance with certain of the conditions that the
legislation requires to be satisfied before a ministerial
authorization is given."
Mr. Lamer says he has "offered specific recommendations" to the
defence minister and CSE to iron out "ambiguities" in the legislation
governing the CSE.
As a result, Mr. Lamer qualifies his finding that CSE activities
2005-06 complied with the law "as it is currently interpreted by the
Department of Justice."
CSE spokesman Adrian Simpson said Monday that, as a government agency,
the organization "must follow the interpretation" of the Justice
Department.
Mr. Simpson added that the CSE "takes great pains to comply with all
of the laws of Canada."
Mr. Lamer says his one regret is leaving the post "without a
resolution of the legal interpretation issues that have bedevilled
this office since December 2001."
"I wish my successor well in bringing this matter to a satisfactory
conclusion for all concerned."
Defence Minister Gordon O'Connor's office had no immediate comment.
A spokesman for Mr. Lamer was unavailable.
Mr. Lamer's concerns emerge as the CSE's American counterpart, the
National Security Agency, faces the glare of controversy.
In December, the New York Times disclosed that U.S. President George
W. Bush had authorized the NSA to eavesdrop on Americans and others
inside the United States without court-approved warrants, as has been
the recognized practice there.
Despite pointed criticism from privacy advocates, U.S. officials have
defended the program.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
[View Less]
1
0
[liberationtech] ETH ZC<rich Systems Design Publication: The Network of Global Corporate Control
by Moritz Bartl 05 Jul '18
by Moritz Bartl 05 Jul '18
05 Jul '18
http://arxiv.org/abs/1107.5728
Stefania Vitali, James B. Glattfelder, Stefano Battiston
Chair of Systems Design, ETH ZC<rich
(Submitted on 28 Jul 2011, last revised 19 Sep 2011)
The structure of the control network of transnational corporations
affects global market competition and financial stability. So far, only
small national samples were studied and there was no appropriate
methodology to assess control globally. We present the first
investigation of the architecture of the …
[View More]international ownership
network, along with the computation of the control held by each global
player. We find that transnational corporations form a giant bow-tie
structure and that a large portion of control flows to a small
tightly-knit core of financial institutions. This core can be seen as an
economic "super-entity" that raises new important issues both for
researchers and policy makers.
>QUOTE:
This is the o,rst time a ranking of economic actors by global control is
presented. Notice that many actors belong to the o,nancial sector and
many of the names are well-known global players. The interest of this
ranking is not that it exposes unsuspected powerful players. Instead, it
shows that many of the top actors belong to the core. This means that
they do not carry out their business in isolation but, on the contrary,
they are tied together in an extremely entangled web of control. This
o,nding is extremely important since there was no prior economic theory
or empirical evidence regarding whether and how top players are
connected. Finally, it should be noted that governments and natural
persons are only featured further down in the list.
(via
http://www.newscientist.com/article/mg21228354.500-revealed--the-capitalist…
, quoted below: )
AS PROTESTS against financial power sweep the world this week, science
may have confirmed the protesters' worst fears. An analysis of the
relationships between 43,000 transnational corporations has identified a
relatively small group of companies, mainly banks, with disproportionate
power over the global economy.
The 1318 transnational corporations that form the core of the economy.
Superconnected companies are red, very connected companies are yellow.
The study's assumptions have attracted some criticism, but complex
systems analysts contacted by New Scientist say it is a unique effort to
untangle control in the global economy. Pushing the analysis further,
they say, could help to identify ways of making global capitalism more
stable.
The idea that a few bankers control a large chunk of the global economy
might not seem like news to New York's Occupy Wall Street movement and
protesters elsewhere. But the study, by a trio of complex systems
theorists at the Swiss Federal Institute of Technology in Zurich, is the
first to go beyond ideology to empirically identify such a network of
power. It combines the mathematics long used to model natural systems
with comprehensive corporate data to map ownership among the world's
transnational corporations (TNCs).
"Reality is so complex, we must move away from dogma, whether it's
conspiracy theories or free-market," says James Glattfelder. "Our
analysis is reality-based."
Previous studies have found that a few TNCs own large chunks of the
world's economy, but they included only a limited number of companies
and omitted indirect ownerships, so could not say how this affected the
global economy - whether it made it more or less stable, for instance.
The Zurich team can. From Orbis 2007, a database listing 37 million
companies and investors worldwide, they pulled out all 43,060 TNCs and
the share ownerships linking them. Then they constructed a model of
which companies controlled others through shareholding networks, coupled
with each company's operating revenues, to map the structure of economic
power.
The work, to be published in PloS One, revealed a core of 1318 companies
with interlocking ownerships (see image). Each of the 1318 had ties to
two or more other companies, and on average they were connected to 20.
What's more, although they represented 20 per cent of global operating
revenues, the 1318 appeared to collectively own through their shares the
majority of the world's large blue chip and manufacturing firms - the
"real" economy - representing a further 60 per cent of global revenues.
When the team further untangled the web of ownership, it found much of
it tracked back to a "super-entity" of 147 even more tightly knit
companies - all of their ownership was held by other members of the
super-entity - that controlled 40 per cent of the total wealth in the
network. "In effect, less than 1 per cent of the companies were able to
control 40 per cent of the entire network," says Glattfelder. Most were
financial institutions. The top 20 included Barclays Bank, JPMorgan
Chase & Co, and The Goldman Sachs Group.
John Driffill of the University of London, a macroeconomics expert, says
the value of the analysis is not just to see if a small number of people
controls the global economy, but rather its insights into economic
stability.
Concentration of power is not good or bad in itself, says the Zurich
team, but the core's tight interconnections could be. As the world
learned in 2008, such networks are unstable. "If one [company] suffers
distress," says Glattfelder, "this propagates."
"It's disconcerting to see how connected things really are," agrees
George Sugihara of the Scripps Institution of Oceanography in La Jolla,
California, a complex systems expert who has advised Deutsche Bank.
Yaneer Bar-Yam, head of the New England Complex Systems Institute
(NECSI), warns that the analysis assumes ownership equates to control,
which is not always true. Most company shares are held by fund managers
who may or may not control what the companies they part-own actually do.
The impact of this on the system's behaviour, he says, requires more
analysis.
Crucially, by identifying the architecture of global economic power, the
analysis could help make it more stable. By finding the vulnerable
aspects of the system, economists can suggest measures to prevent future
collapses spreading through the entire economy. Glattfelder says we may
need global anti-trust rules, which now exist only at national level, to
limit over-connection among TNCs. Bar-Yam says the analysis suggests one
possible solution: firms should be taxed for excess interconnectivity to
discourage this risk.
One thing won't chime with some of the protesters' claims: the
super-entity is unlikely to be the intentional result of a conspiracy to
rule the world. "Such structures are common in nature," says Sugihara.
Newcomers to any network connect preferentially to highly connected
members. TNCs buy shares in each other for business reasons, not for
world domination. If connectedness clusters, so does wealth, says Dan
Braha of NECSI: in similar models, money flows towards the most highly
connected members. The Zurich study, says Sugihara, "is strong evidence
that simple rules governing TNCs give rise spontaneously to highly
connected groups". Or as Braha puts it: "The Occupy Wall Street claim
that 1 per cent of people have most of the wealth reflects a logical
phase of the self-organising economy."
So, the super-entity may not result from conspiracy. The real question,
says the Zurich team, is whether it can exert concerted political power.
Driffill feels 147 is too many to sustain collusion. Braha suspects they
will compete in the market but act together on common interests.
Resisting changes to the network structure may be one such common interest.
The top 50 of the 147 superconnected companies
1. Barclays plc
2. Capital Group Companies Inc
3. FMR Corporation
4. AXA
5. State Street Corporation
6. JP Morgan Chase & Co
7. Legal & General Group plc
8. Vanguard Group Inc
9. UBS AG
10. Merrill Lynch & Co Inc
11. Wellington Management Co LLP
12. Deutsche Bank AG
13. Franklin Resources Inc
14. Credit Suisse Group
15. Walton Enterprises LLC
16. Bank of New York Mellon Corp
17. Natixis
18. Goldman Sachs Group Inc
19. T Rowe Price Group Inc
20. Legg Mason Inc
21. Morgan Stanley
22. Mitsubishi UFJ Financial Group Inc
23. Northern Trust Corporation
24. SociC)tC) GC)nC)rale
25. Bank of America Corporation
26. Lloyds TSB Group plc
27. Invesco plc
28. Allianz SE 29. TIAA
30. Old Mutual Public Limited Company
31. Aviva plc
32. Schroders plc
33. Dodge & Cox
34. Lehman Brothers Holdings Inc*
35. Sun Life Financial Inc
36. Standard Life plc
37. CNCE
38. Nomura Holdings Inc
39. The Depository Trust Company
40. Massachusetts Mutual Life Insurance
41. ING Groep NV
42. Brandes Investment Partners LP
43. Unicredito Italiano SPA
44. Deposit Insurance Corporation of Japan
45. Vereniging Aegon
46. BNP Paribas
47. Affiliated Managers Group Inc
48. Resona Holdings Inc
49. Capital Group International Inc
50. China Petrochemical Group Company
* Lehman still existed in the 2007 dataset used
Graphic: The 1318 transnational corporations that form the core of the
economy
(Data: PLoS One)
--
Moritz Bartl
https://www.torservers.net/
_______________________________________________
liberationtech mailing list
liberationtech(a)lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[View Less]
1
0
CRYPTO-GRAM
October 15, 2008
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0810.…
[View More]html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
The Seven Habits of Highly Ineffective Terrorists
The Two Classes of Airport Contraband
News
The More Things Change, the More They Stay the Same
NSA's Warrantless Eavesdropping Targets Innocent Americans
Schneier/BT News
Taleb on the Limitations of Risk Management
"New Attack" Against Encrypted Images
Nonviolent Activists Are Now Terrorists
Does Risk Management Make Sense?
Comments from Readers
** *** ***** ******* *********** *************
The Seven Habits of Highly Ineffective Terrorists
Most counterterrorism policies fail, not because of tactical problems,
but because of a fundamental misunderstanding of what motivates
terrorists in the first place. If we're ever going to defeat terrorism,
we need to understand what drives people to become terrorists in the
first place.
Conventional wisdom holds that terrorism is inherently political, and
that people become terrorists for political reasons. This is the
"strategic" model of terrorism, and it's basically an economic model. It
posits that people resort to terrorism when they believe -- rightly or
wrongly -- that terrorism is worth it; that is, when they believe the
political gains of terrorism minus the political costs are greater than
if they engaged in some other, more peaceful form of protest. It's
assumed, for example, that people join Hamas to achieve a Palestinian
state; that people join the PKK to attain a Kurdish national homeland;
and that people join al-Qaida to, among other things, get the United
States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that
equation, and that's what most experts advocate. Governments tend to
minimize the political gains of terrorism through a no-concessions
policy; the international community tends to recommend reducing the
political grievances of terrorists via appeasement, in hopes of getting
them to renounce violence. Both advocate policies to provide effective
nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity.
Max Abrahms, a predoctoral fellow at Stanford University's Center for
International Security and Cooperation, has studied dozens of terrorist
groups from all over the world. He argues that the model is wrong. In a
paper published this year in International Security that -- sadly --
doesn't have the title "Seven Habits of Highly Ineffective Terrorists,"
he discusses, well, seven habits of highly ineffective terrorists. These
seven tendencies are seen in terrorist organizations all over the world,
and they directly contradict the theory that terrorists are political
maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy
track record of convincing those civilians to give the terrorists what
they want; (2) treat terrorism as a first resort, not a last resort,
failing to embrace nonviolent alternatives like elections; (3) don't
compromise with their target country, even when those compromises are in
their best interest politically; (4) have protean political platforms,
which regularly, and sometimes radically, change; (5) often engage in
anonymous attacks, which precludes the target countries making political
concessions to them; (6) regularly attack other terrorist groups with
the same political platform; and (7) resist disbanding, even when they
consistently fail to achieve their political objectives or when their
stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to
terrorism for social solidarity. He theorizes that people join terrorist
organizations worldwide in order to be part of a community, much like
the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior
involvement with a group's political agenda, and often join multiple
terrorist groups with incompatible platforms. Individuals who join
terrorist groups are frequently not oppressed in any way, and often
can't describe the political goals of their organizations. People who
join terrorist groups most often have friends or relatives who are
members of the group, and the great majority of terrorist are socially
isolated: unmarried young men or widowed women who weren't working prior
to joining. These things are true for members of terrorist groups as
diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya,
but they didn't have the right paperwork so they attacked America
instead. The mujahedeen had no idea whom they would attack after the
Soviets withdrew from Afghanistan, so they sat around until they came up
with a new enemy: America. Pakistani terrorists regularly defect to
another terrorist group with a totally different political platform.
Many new al-Qaida members say, unconvincingly, that they decided to
become a jihadist after reading an extreme, anti-American blog, or after
converting to Islam, sometimes just a few weeks before. These people
know little about politics or Islam, and they frankly don't even seem to
care much about learning more. The blogs they turn to don't have a lot
of substance in these areas, even though more informative blogs do exist.
All of this explains the seven habits. It's not that they're
ineffective; it's that they have a different goal. They might not be
effective politically, but they are effective socially: They all help
preserve the group's existence and cohesion.
This kind of analysis isn't just theoretical; it has practical
implications for counterterrorism. Not only can we now better understand
who is likely to become a terrorist, we can engage in strategies
specifically designed to weaken the social bonds within terrorist
organizations. Driving a wedge between group members -- commuting prison
sentences in exchange for actionable intelligence, planting more double
agents within terrorist groups -- will go a long way to weakening the
social bonds within those groups.
We also need to pay more attention to the socially marginalized than to
the politically downtrodden, like unassimilated communities in Western
countries. We need to support vibrant, benign communities and
organizations as alternative ways for potential terrorists to get the
social cohesion they need. And finally, we need to minimize collateral
damage in our counterterrorism operations, as well as clamping down on
bigotry and hate crimes, which just creates more dislocation and social
isolation, and the inevitable calls for revenge.
http://maxabrahms.com/pdfs/DC_250-1846.pdf
This essay previously appeared on Wired.com.
http://www.wired.com/print/politics/security/commentary/securitymatters/200…
or http://tinyurl.com/3vf3x5
Interesting rebuttal:
http://www.cambridgeblog.org/2008/10/can-terror-be-understood/
** *** ***** ******* *********** *************
The Two Classes of Airport Contraband
Airport security found a jar of pasta sauce in my luggage last month. It
was a 6-ounce jar, above the limit; the official confiscated it, because
allowing it on the airplane with me would have been too dangerous. And
to demonstrate how dangerous he really thought that jar was, he blithely
tossed it in a nearby bin of similar liquid bottles and sent me on my way.
There are two classes of contraband at airport security checkpoints: the
class that will get you in trouble if you try to bring it on an
airplane, and the class that will cheerily be taken away from you if you
try to bring it on an airplane. This difference is important: Making
security screeners confiscate anything from that second class is a waste
of time. All it does is harm innocents; it doesn't stop terrorists at all.
Let me explain. If you're caught at airport security with a bomb or a
gun, the screeners aren't just going to take it away from you. They're
going to call the police, and you're going to be stuck for a few hours
answering a lot of awkward questions. You may be arrested, and you'll
almost certainly miss your flight. At best, you're going to have a very
unpleasant day.
This is why articles about how screeners don't catch every -- or even a
majority -- of guns and bombs that go through the checkpoints don't
bother me. The screeners don't have to be perfect; they just have to be
good enough. No terrorist is going to base his plot on getting a gun
through airport security if there's a decent chance of getting caught,
because the consequences of getting caught are too great.
Contrast that with a terrorist plot that requires a 12-ounce bottle of
liquid. There's no evidence that the London liquid bombers actually had
a workable plot, but assume for the moment they did. If some copycat
terrorists try to bring their liquid bomb through airport security and
the screeners catch them -- like they caught me with my bottle of pasta
sauce -- the terrorists can simply try again. They can try again and
again. They can keep trying until they succeed. Because there are no
consequences to trying and failing, the screeners have to be 100 percent
effective. Even if they slip up one in a hundred times, the plot can
succeed.
The same is true for knitting needles, pocketknives, scissors,
corkscrews, cigarette lighters and whatever else the airport screeners
are confiscating this week. If there's no consequence to getting caught
with it, then confiscating it only hurts innocent people. At best, it
mildly annoys the terrorists.
To fix this, airport security has to make a choice. If something is
dangerous, treat it as dangerous and treat anyone who tries to bring it
on as potentially dangerous. If it's not dangerous, then stop trying to
keep it off airplanes. Trying to have it both ways just distracts the
screeners from actually making us safer.
http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html
http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tes…
or http://tinyurl.com/4npg9o
http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find…
or http://tinyurl.com/3ephgq
http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_w…
or http://tinyurl.com/r5gu
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/09/s…
or http://tinyurl.com/4m6vvj
** *** ***** ******* *********** *************
News
According to U.S. government documents, fear of terrorism could cause a
psychosomatic epidemic:
http://blog.wired.com/27bstroke6/2008/09/terrorism-fear.html
GPS spoofing:
http://philosecurity.org/2008/09/07/gps-spoofing
http://www.ne.anl.gov/capabilities/vat/spoof.html
NSA -- and others -- snooping on cell phone calls with off-the-shelf
technology:
http://news.cnet.com/8301-13739_3-10030134-46.html
The NSA teams up with the Chinese government to limit Internet anonymity:
http://www.schneier.com/blog/archives/2008/09/the_nsa_teams_u.html
The Pentagon's World of Warcraft Movie-Plot threat:
http://www.schneier.com/blog/archives/2008/09/the_pentagons_w.html
TSA employees are bypassing airport screening.
http://www.9news.com/news/article.aspx?storyid=99941&catid=339
This isn't a big deal. Screeners have to go in and out of security all
the time as they work. Yes, they can smuggle things in and out of the
airport. But you have to remember that the airport screeners are
trusted insiders for the system: there are a zillion ways they could
break airport security. On the other hand, it's probably a smart idea
to screen screeners when they walk through airport security when they
aren't working at that checkpoint at that time. The reason is the same
reason you should screen everyone, including pilots who can crash their
plane: you're not screening screeners (or pilots), you're screening
people wearing screener (or pilot) uniforms and carrying screener (or
pilot) IDs. You can either train your screeners to recognize authentic
uniforms and IDs, or you can just screen everybody. The latter is just
easier. But this isn't a big deal.
I can think of specific instances where the ability to unlock your door
over the Internet can be useful, but in most places it's not a good idea.
http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-int…
or http://tinyurl.com/4rsyve
http://treocentral.com/content/Stories/1999-1.htm
India using brain scans to prove guilt in court.
http://www.nytimes.com/2008/09/15/world/asia/15brainscan.html
The pseudo-science here is even worse than for lie detectors.
http://www.thehindu.com/2008/09/08/stories/2008090854420400.htm
People have been asking me to comment about Sarah Palin's Yahoo e-mail
account being hacked. I've already written about the security problems
with "secret questions" back in 2005:
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
More commentary:
http://www.freedom-to-tinker.com/blog/felten/how-yahoo-could-have-protected…
or http://tinyurl.com/4689km
The $20M camera system at New York's Freedom Tower is pretty sophisticated.
http://cityroom.blogs.nytimes.com/2008/09/24/unblinking-eyes-for-20-million…
or http://tinyurl.com/53e52c
We're developing a pre-crime detector that detects hostile thoughts.
http://www.newscientist.com/blogs/shortsharpscience/2008/09/precrime-detect…
or http://tinyurl.com/53ftps
http://www.foxnews.com/printer_friendly_story/0,3566,426485,00.html
Spykee is your own personal robot spy. It takes pictures and movies
that you can watch on the Internet in real time or save for later. You
can even talk with whoever you're spying on via Skype. Only $300.
http://www.spykeeworld.com/
http://www.robotsrule.com/html/spykee.php
http://www.amazon.com/gp/offer-listing/B000N6470A?tag=counterpane
Security maxims from Roger Johnston. Funny, and all too true.
http://www.ne.anl.gov/capabilities/vat/seals/maxims.html
Send your personalized message to TSA X-ray screeners using metal plates
you can put in your carry-on luggage.
http://blog.makezine.com/archive/2008/09/metal_plates_send_message.html
or http://tinyurl.com/4ro8es
http://www.nytimes.com/idg/IDG_852573C400693880002574D70000A2FB.html
Another bomb scare. Hot dogs this time.
http://www.philly.com/philly/blogs/phillies_zone/Just_Hot_Dogs_Folks.html
or http://tinyurl.com/5xpzsp
http://www.nytimes.com/aponline/us/AP-ODD-Hot-Dog-Scare.html
The Hackers Choice has released a tool allowing people to clone and
modify electronic passports. The problem is self-signed certificates.
A CA is not a great solution, and the link gives a good explanation as
to why. "So what's the solution? We know that humans are good at Border
Control. In the end they protected us well for the last 120 years. We
also know that humans are good at pattern matching and image
recognition. Humans also do an excellent job 'assessing' the person and
not just the passport. Take the human part away and passport security
falls apart."
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.h…
or http://tinyurl.com/4l49v4
http://www.theregister.co.uk/2008/09/30/epassport_hack_description/
Hand grenades are now weapons of mass destruction:
http://www.schneier.com/blog/archives/2008/10/hand_grenades_a.html
MI6 camera -- including secrets -- sold on eBay. The buyer turned the
camera in to the police.
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-high…
or http://tinyurl.com/4n5ov2
http://gizmodo.com/5056749/mi6-camera-with-secret-images-bought-on-ebay-for…
or http://tinyurl.com/4pj5jh
"Scareware" vendors sued -- it's about time.
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_s…
or http://tinyurl.com/3pxho4
This is clever: bank robber hires accomplices on Craigslist.
http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating…
or http://tinyurl.com/3h8wfe
New cross-site request forgery attacks.
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-c…
or http://tinyurl.com/4ubb2f
http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf
"Clickjacking" is a stunningly sexy name, but the vulnerability is
really just a variant of cross-site scripting. We don't know how bad it
really is, because the details are still being withheld. But the name
alone is causing dread. Here's a good Q&A on the vulnerability:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art…
or http://tinyurl.com/3rmfac
http://www.cgisecurity.org/2008/10/interview-jerem.html
http://hackademix.net/2008/09/27/clickjacking-and-noscript/
Turns out you can add anyone's number to -- or remove anyone's number
from -- the Canadian do-not-call list. You can also add (but not remove)
numbers to the U.S. do-not-call list, though only up to three at a time,
and you have to provide a valid e-mail address to confirm the addition.
Here's my idea. If you're a company, add every one of your customers
to the list. That way, none of your competitors will be able to cold
call them.
https://www.lnnte-dncl.gc.ca/
https://www.donotcall.gov/register/reg.aspx
Chinese monitoring Skype messages:
http://arstechnica.com/news.ars/post/20081002-skype-security-flub-leads-to-…
or http://tinyurl.com/4pgn2j
According to a massive report from the National Research Council, data
mining for terrorists doesn't work.
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2…
or http://tinyurl.com/4klgqe
http://arstechnica.com/news.ars/post/20081009-analysis-data-mining-doesnt-w…
or http://tinyurl.com/4azsds
http://www.nap.edu/catalog.php?record_id=12452
Interesting paper by Adam Shostack on threat modeling at Microsoft:
http://blogs.msdn.com/sdl/attachment/8991806.ashx
Elcomsoft is claiming that the WPA protocol is dead, just because they
can speed up brute-force cracking by 100 times using a hardware
accelerator. Why exactly is this news? Yes, weak passwords are weak --
we already know that. And strong WPA passwords are still strong. This
seems like yet another blatant attempt to grab some press attention with
a half-baked cryptanalytic result.
http://www.elcomsoft.com/edpr.html?r1=pr&r2=wpa
http://mobile.slashdot.org/mobile/08/10/12/1724230.shtml
http://www.theregister.co.uk/2008/10/10/graphics_card_wireless_hacking/
http://www.schneier.com/essay-148.html
Clever counterterrorism attack against the IRA: set up a laundromat, and
watch who has bomb residue on their clothes:
http://www.schneier.com/blog/archives/2008/10/clever_countert.html
There's a new chip-and-pin scam in the UK. The card readers were hacked
when they were built, "either during the manufacturing process at a
factory in China, or shortly after they came off the production line."
It's being called a "supply chain hack." Sophisticated stuff, and yet
another demonstration that these all-computer security systems are full
of risks.
http://online.wsj.com/article/SB122366999999723871.html
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chi…
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card…
BTW, what's it worth to rig an election?
http://www.schneier.com/essay-046.html
BART, the San Francisco subway authority, has been debating allowing
passengers to bring drinks on trains. There are all sorts of good
reasons why or why not -- convenience, problems with spills, and so on
-- but one reason that makes no sense is that terrorists may bring
flammable liquids on board. Yet that is exactly what BART managers
said. No big news -- we've seen stupid things like this regularly since
9/11 -- but this time people responded: "Added Director Tom Radulovich,
'If somebody wants to break the law and bring flammable liquids on, they
can. It's not like al Qaeda is waiting in their caves for us to have a
sippy-cup rule.' Directing his comments to BART administrators, he
said, 'You know, it's just fearmongering and you should be ashamed.'
Terrorist fear mongering seems to be working less well.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/10/10/BAB813EELU.DTL
** *** ***** ******* *********** *************
The More Things Change, the More They Stay the Same
Guess the year: "Murderous organizations have increased in size and
scope; they are more daring, they are served by the most terrible
weapons offered by modern science, and the world is nowadays threatened
by new forces which, if recklessly unchained, may some day wreck
universal destruction. The Orsini bombs were mere children's toys
compared with the later developments of infernal machines. Between 1858
and 1898 the dastardly science of destruction had made rapid and
alarming strides..."
No, that wasn't a typo. "Between 1858 and 1898...." This quote is from
Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898,
II, p. 469. It's quoted in: Walter Laqueur, "A History of Terrorism,"
New Brunswick/London, Transaction Publishers, 2002.
http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A…
or http://tinyurl.com/3wn2ct
http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd…
or http://tinyurl.com/46s7ny
** *** ***** ******* *********** *************
NSA's Warrantless Eavesdropping Targets Innocent Americans
Remember when the U.S. government said it was only spying on terrorists?
Anyone with any common sense knew it was lying -- power without
oversight is always abused -- but even I didn't think it was this bad:
"Faulk says he and others in his section of the NSA facility at Fort
Gordon routinely shared salacious or tantalizing phone calls that had
been intercepted, alerting office mates to certain time codes of 'cuts'
that were available on each operator's computer.
"'Hey, check this out,' Faulk says he would be told, 'there's good phone
sex or there's some pillow talk, pull up this call, it's really funny,
go check it out. It would be some colonel making pillow talk and we
would say, "Wow, this was crazy",' Faulk told ABC News."
Warrants are a security device. They protect us against government
abuse of power.
http://www.nytimes.com/2008/10/10/washington/10nsa.html
http://abcnews.go.com/Blotter/story?id=5987804&page=1
http://www.upi.com/Top_News/2008/10/10/Spy_agency_accused_of_improper_liste…
http://www.reuters.com/article/domesticNews/idUSTRE4990CD20081010
** *** ***** ******* *********** *************
Schneier/BT News
Schneier is speaking at the 30th International Conference of Data
Protection and Privacy Commissioners on 15 October in Strasbourg, France.
http://www.privacyconference2008.org/
Schneier is speaking at the European Security and Information System
Congress on 17 October in Monaco.
http://cms.event-catalyst.com/assises/home.aspx
Schneier is speaking at RSA Europe on 28 October in London.
http://www.rsaconference.com/2008/Europe/Home.aspx
Schneier is speaking at the 22nd Large Installation System
Administration Conference on 13 November in San Diego, CA.
http://usenix.org/events/lisa08/
Schneier was interviewed by Telecom Asia:
http://www.telecomasia.net/article.php?id_article=10230
Schneier was interviewed by the Irish Times:
http://www.irishtimes.com/newspaper/finance/2008/1003/1222959300589.html
or http://tinyurl.com/4ccjmw
Schneier was interviewed by Dr. Dobb's Journal:
http://www.ddj.com/security/210605067
My essay on chemical plants and security for the Guardian. Nothing I
haven't said before.
http://www.schneier.com/essay-243.html
** *** ***** ******* *********** *************
Taleb on the Limitations of Risk Management
Nice paragraph on the limitations of risk management in this
occasionally interesting interview with Nicholas Taleb:
"Because then you get a Maginot Line problem. [After World War I, the
French erected concrete fortifications to prevent Germany from invading
again -- a response to the previous war, which proved ineffective for
the next one.] You know, they make sure they solve that particular
problem, the Germans will not invade from here. The thing you have to be
aware of most obviously is scenario planning, because typically if you
talk about scenarios, you'll overestimate the probability of these
scenarios. If you examine them at the expense of those you don't
examine, sometimes it has left a lot of people worse off, so scenario
planning can be bad. I'll just take my track record. Those who did
scenario planning have not fared better than those who did not do
scenario planning. A lot of people have done some kind of "make-sense"
type measures, and that has made them more vulnerable because they give
the illusion of having done your job. This is the problem with risk
management. I always come back to a classical question. Don't give a
fool the illusion of risk management. Don't ask someone to guess the
number of dentists in Manhattan after asking him the last four digits of
his Social Security number. The numbers will always be correlated. I
actually did some work on risk management, to show how stupid we are
when it comes to risk."
http://www.portfolio.com/views/columns/the-world-according-to/2008/08/14/In…
or http://tinyurl.com/5eazpu
** *** ***** ******* *********** *************
"New Attack" Against Encrypted Images
In a blatant attempt to get some PR, a researcher at PMC Ciphers has
figured out that encrypting data with ECB mode results in ciphertext
patterns.
Yeah, we already knew that.
And -1 point for a security company requiring the use of JavaScript, and
not failing gracefully for a browser that doesn't have it enabled. And
-- ahem -- what is it with that photograph in the paper? Couldn't the
researchers have found something a little less adolescent?
For the record, I doghoused PMC Ciphers back in 2003: "PMC Ciphers. The
theory description is so filled with pseudo-cryptography that it's funny
to read. Hypotheses are presented as conclusions. Current research is
misstated or ignored. The first link is a technical paper with four
references, three of them written before 1975. Who needs thirty years of
cryptographic research when you have polymorphic cipher theory?"
I didn't realize it at the time, but PMC Ciphers responded to my
doghousing them. Funny stuff.
http://www.techworld.com/security/news/index.cfm?newsid=105263
http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepaper…
or http://tinyurl.com/3fe64r
Doghouse and response:
http://www.schneier.com/crypto-gram-0303.html#4
http://www.ciphers.de/eng/content/Backround-Info/Bruce-Schneiers-comments.h…
or http://tinyurl.com/52ymfo
When I posted this on my blog, three new commenters using dialups at the
same German ISP showed up to defend the paper. What are the odds?
http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html
** *** ***** ******* *********** *************
Nonviolent Activists Are Now Terrorists
This is an abomination: "The Maryland State Police classified 53
nonviolent activists as terrorists and entered their names and personal
information into state and federal databases that track terrorism
suspects, the state police chief acknowledged yesterday."
Why did they do that? "Both Hutchins and Sheridan said the activists'
names were entered into the state police database as terrorists partly
because the software offered limited options for classifying entries."
I know that once we had this "either you're with us or with the
terrorists" mentality, but don't you think that -- just maybe -- the
software should allow for a little bit more nuance?
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/07/AR200810070…
or http://tinyurl.com/3znjv7
** *** ***** ******* *********** *************
Does Risk Management Make Sense?
We engage in risk management all the time, but it only makes sense if we
do it right.
"Risk management" is just a fancy term for the cost-benefit tradeoff
associated with any security decision. It's what we do when we react to
fear, or try to make ourselves feel secure. It's the fight-or-flight
reflex that evolved in primitive fish and remains in all vertebrates.
It's instinctual, intuitive and fundamental to life, and one of the
brain's primary functions.
Some have hypothesized that humans have a "risk thermostat" that tries
to maintain some optimal risk level. It explains why we drive our
motorcycles faster when we wear a helmet, or are more likely to take up
smoking during wartime. It's our natural risk management in action.
The problem is our brains are intuitively suited to the sorts of risk
management decisions endemic to living in small family groups in the
East African highlands in 100,000 BC, and not to living in the New York
City of 2008. We make systematic risk management mistakes --
miscalculating the probability of rare events, reacting more to stories
than data, responding to the feeling of security rather than reality,
and making decisions based on irrelevant context. And that risk
thermostat of ours? It's not nearly as finely tuned as we might like it
to be.
Like a rabbit that responds to an oncoming car with its default predator
avoidance behavior -- dart left, dart right, dart left, and at the last
moment jump -- instead of just getting out of the way, our Stone Age
intuition doesn't serve us well in a modern technological society. So
when we in the security industry use the term "risk management," we
don't want you to do it by trusting your gut. We want you to do risk
management consciously and intelligently, to analyze the tradeoff and
make the best decision.
This means balancing the costs and benefits of any security decision --
buying and installing a new technology, implementing a new procedure or
forgoing a common precaution. It means allocating a security budget to
mitigate different risks by different amounts. It means buying insurance
to transfer some risks to others. It's what businesses do, all the time,
about everything. IT security has its own risk management decisions,
based on the threats and the technologies.
There's never just one risk, of course, and bad risk management
decisions often carry an underlying tradeoff. Terrorism policy in the
U.S. is based more on politics than actual security risk, but the
politicians who make these decisions are concerned about the risks of
not being re-elected.
Many corporate security decisions are made to mitigate the risk of
lawsuits rather than address the risk of any actual security breach. And
individuals make risk management decisions that consider not only the
risks to the corporation, but the risks to their departments' budgets,
and to their careers.
You can't completely remove emotion from risk management decisions, but
the best way to keep risk management focused on the data is to formalize
the methodology. That's what companies that manage risk for a living --
insurance companies, financial trading firms and arbitrageurs -- try to
do. They try to replace intuition with models, and hunches with
mathematics.
The problem in the security world is we often lack the data to do risk
management well. Technological risks are complicated and subtle. We
don't know how well our network security will keep the bad guys out, and
we don't know the cost to the company if we don't keep them out. And the
risks change all the time, making the calculations even harder. But this
doesn't mean we shouldn't try.
You can't avoid risk management; it's fundamental to business just as to
life. The question is whether you're going to try to use data or whether
you're going to just react based on emotions, hunches and anecdotes.
This essay appeared as the first half of a point-counterpoint with
Marcus Ranum in Information Security magazine.
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci133…
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is the Chief Security Technology Officer of BT (BT acquired
Counterpane in 2006), and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2008 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[View Less]
1
0
Paycash, digital cash payment system, released production version 1.xx. It
can be downloaded at English section of www.paycash.ru. Current pilot
version has about 10,000 users what is about 1-2% of active Russian internet
users. Concerning current growth rate it is expected that in the next 6
month this number will increase five times. To the moment the system has
operating representative companies in Russia, Latvia, Ukraine and USA.
For help on using this list (especially unsubscribing), …
[View More]send a message to
"dcsb-request(a)reservoir.com" with one line of text: "help".
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[View Less]
1
0
I've gotten a bunch of queries about WASTE, generally with a focus on user
problems like how to get a connection or FAQ issues like how to build on
OS X. To help people to help each other, as well as to foster discussion
of technical issues related to WASTE, I have created a mailing list and
web home at http://groups.yahoo.com/group/waste-discuss/.
- Lucas
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation …
[View More]<http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[View Less]
1
0
Sen.: White House Agrees to Spy Law Change
By KATHERINE SHRADER, Associated Press Writer
1 hour, 35 minutes ago
Senate Intelligence Chairman Pat Roberts said he has worked out an agreement
with the White House to change U.S. law regarding the National Security
Agency's warrantless surveillance program and provide more information about
it to Congress.
"We are trying to get some movement, and we have a clear indication of that
movement," Roberts, R-Kan., said.
Without offering specifics, …
[View More]Roberts said the agreement with the White House
provides "a fix" to the Foreign Intelligence Surveillance Act and offers more
briefings to the Senate Intelligence Committee.
The deal comes as the committee was set to have a meeting Thursday about
whether to open an investigation into the hotly disputed program. Roberts
indicated the deal may eliminate the need for such an inquiry. Democrats have
been demanding an investigation but some Republicans don't want to tangle the
panel in a testy election-year probe.
"Whether or not an investigation is the right thing to do at this particular
time, I am not sure," Roberts told reporters while heading into the meeting.
The White House was not immediately available for comment on Roberts'
statement.
Earlier in the day, White House spokesman Scott McClellan hinted at a "good
discussion going on" with lawmakers and praised in particular "some good
ideas" presented by Sen. Mike DeWine (news, bio, voting record). The Ohio
Republican has suggested the FISA law be changed to accommodate the NSA
program.
However, McClellan left the impression that any deal would not allow for
significant changes. He said the White House continued to maintain that Bush
does not need Congress' approval to authorize the warrantless eavesdropping
and that the president would resist any legislation that might compromise the
program.
"There's kind of a high bar to overcome," McClellan said. "We think there's
some good ideas, but we have not seen actual legislation."
Separately, the Justice Department has strongly discouraged the Senate
Judiciary Committee from calling former Attorney General John Ashcroft and
his
deputy to testify about the surveillance program, saying they won't have new
information for Congress about it.
Just as Attorney General Alberto Gonzales could not talk about the
administration's internal deliberations when he appeared before the committee
earlier this month, neither can Ashcroft nor his former No. 2, James Comey,
Assistant Attorney General William Moschella said in a letter to Senate
Judiciary Committee Chairman Arlen Specter, R-Pa.
The letter, written Wednesday, was obtained by The Associated Press.
"In light of their inability to discuss such confidential information, along
with the fact that the attorney general has already provided the executive
branch position on the legal authority for the program, we do not believe
that
Messrs. Ashcroft and Comey would be in a position to provide any new
information to the committee," Moschella wrote. He was responding to
Specter's
request that the two men testify this month.
While Moschella indicated their testimony wouldn't be of value, he did not
say
the committee could not call Ashcroft and Comey to appear.
The Judiciary Committee has been looking into the legality of the National
Security Agency's program. In a heated daylong hearing on Feb. 6, four
Republicans joined the committee's Democrats in raising questions about
whether President Bush went too far in authorizing the wiretapping without
court warrants.
Specter wants the secretive Foreign Intelligence Surveillance Court to review
the program's constitutionality.
Reports have indicated that Comey and others had reservations about the
program in 2004. White House Chief of Staff Andy Card and Gonzales, then the
White House counsel, visited Ashcroft about those issues while Ashcroft was
in
the hospital for gallstone pancreatitis.
___
Associated Press Writer Mark Sherman contributed to this report.
http://news.yahoo.com/s/ap/20060216/ap_on_go_co/eavesdropping_4&printer=1;_…
t=A86.I2Ct.vRD4L0AqQWMwfIE;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE-
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
[View Less]
1
0
CRYPTO-GRAM
October 15, 2008
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0810.…
[View More]html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
The Seven Habits of Highly Ineffective Terrorists
The Two Classes of Airport Contraband
News
The More Things Change, the More They Stay the Same
NSA's Warrantless Eavesdropping Targets Innocent Americans
Schneier/BT News
Taleb on the Limitations of Risk Management
"New Attack" Against Encrypted Images
Nonviolent Activists Are Now Terrorists
Does Risk Management Make Sense?
Comments from Readers
** *** ***** ******* *********** *************
The Seven Habits of Highly Ineffective Terrorists
Most counterterrorism policies fail, not because of tactical problems,
but because of a fundamental misunderstanding of what motivates
terrorists in the first place. If we're ever going to defeat terrorism,
we need to understand what drives people to become terrorists in the
first place.
Conventional wisdom holds that terrorism is inherently political, and
that people become terrorists for political reasons. This is the
"strategic" model of terrorism, and it's basically an economic model. It
posits that people resort to terrorism when they believe -- rightly or
wrongly -- that terrorism is worth it; that is, when they believe the
political gains of terrorism minus the political costs are greater than
if they engaged in some other, more peaceful form of protest. It's
assumed, for example, that people join Hamas to achieve a Palestinian
state; that people join the PKK to attain a Kurdish national homeland;
and that people join al-Qaida to, among other things, get the United
States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that
equation, and that's what most experts advocate. Governments tend to
minimize the political gains of terrorism through a no-concessions
policy; the international community tends to recommend reducing the
political grievances of terrorists via appeasement, in hopes of getting
them to renounce violence. Both advocate policies to provide effective
nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity.
Max Abrahms, a predoctoral fellow at Stanford University's Center for
International Security and Cooperation, has studied dozens of terrorist
groups from all over the world. He argues that the model is wrong. In a
paper published this year in International Security that -- sadly --
doesn't have the title "Seven Habits of Highly Ineffective Terrorists,"
he discusses, well, seven habits of highly ineffective terrorists. These
seven tendencies are seen in terrorist organizations all over the world,
and they directly contradict the theory that terrorists are political
maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy
track record of convincing those civilians to give the terrorists what
they want; (2) treat terrorism as a first resort, not a last resort,
failing to embrace nonviolent alternatives like elections; (3) don't
compromise with their target country, even when those compromises are in
their best interest politically; (4) have protean political platforms,
which regularly, and sometimes radically, change; (5) often engage in
anonymous attacks, which precludes the target countries making political
concessions to them; (6) regularly attack other terrorist groups with
the same political platform; and (7) resist disbanding, even when they
consistently fail to achieve their political objectives or when their
stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to
terrorism for social solidarity. He theorizes that people join terrorist
organizations worldwide in order to be part of a community, much like
the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior
involvement with a group's political agenda, and often join multiple
terrorist groups with incompatible platforms. Individuals who join
terrorist groups are frequently not oppressed in any way, and often
can't describe the political goals of their organizations. People who
join terrorist groups most often have friends or relatives who are
members of the group, and the great majority of terrorist are socially
isolated: unmarried young men or widowed women who weren't working prior
to joining. These things are true for members of terrorist groups as
diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya,
but they didn't have the right paperwork so they attacked America
instead. The mujahedeen had no idea whom they would attack after the
Soviets withdrew from Afghanistan, so they sat around until they came up
with a new enemy: America. Pakistani terrorists regularly defect to
another terrorist group with a totally different political platform.
Many new al-Qaida members say, unconvincingly, that they decided to
become a jihadist after reading an extreme, anti-American blog, or after
converting to Islam, sometimes just a few weeks before. These people
know little about politics or Islam, and they frankly don't even seem to
care much about learning more. The blogs they turn to don't have a lot
of substance in these areas, even though more informative blogs do exist.
All of this explains the seven habits. It's not that they're
ineffective; it's that they have a different goal. They might not be
effective politically, but they are effective socially: They all help
preserve the group's existence and cohesion.
This kind of analysis isn't just theoretical; it has practical
implications for counterterrorism. Not only can we now better understand
who is likely to become a terrorist, we can engage in strategies
specifically designed to weaken the social bonds within terrorist
organizations. Driving a wedge between group members -- commuting prison
sentences in exchange for actionable intelligence, planting more double
agents within terrorist groups -- will go a long way to weakening the
social bonds within those groups.
We also need to pay more attention to the socially marginalized than to
the politically downtrodden, like unassimilated communities in Western
countries. We need to support vibrant, benign communities and
organizations as alternative ways for potential terrorists to get the
social cohesion they need. And finally, we need to minimize collateral
damage in our counterterrorism operations, as well as clamping down on
bigotry and hate crimes, which just creates more dislocation and social
isolation, and the inevitable calls for revenge.
http://maxabrahms.com/pdfs/DC_250-1846.pdf
This essay previously appeared on Wired.com.
http://www.wired.com/print/politics/security/commentary/securitymatters/200…
or http://tinyurl.com/3vf3x5
Interesting rebuttal:
http://www.cambridgeblog.org/2008/10/can-terror-be-understood/
** *** ***** ******* *********** *************
The Two Classes of Airport Contraband
Airport security found a jar of pasta sauce in my luggage last month. It
was a 6-ounce jar, above the limit; the official confiscated it, because
allowing it on the airplane with me would have been too dangerous. And
to demonstrate how dangerous he really thought that jar was, he blithely
tossed it in a nearby bin of similar liquid bottles and sent me on my way.
There are two classes of contraband at airport security checkpoints: the
class that will get you in trouble if you try to bring it on an
airplane, and the class that will cheerily be taken away from you if you
try to bring it on an airplane. This difference is important: Making
security screeners confiscate anything from that second class is a waste
of time. All it does is harm innocents; it doesn't stop terrorists at all.
Let me explain. If you're caught at airport security with a bomb or a
gun, the screeners aren't just going to take it away from you. They're
going to call the police, and you're going to be stuck for a few hours
answering a lot of awkward questions. You may be arrested, and you'll
almost certainly miss your flight. At best, you're going to have a very
unpleasant day.
This is why articles about how screeners don't catch every -- or even a
majority -- of guns and bombs that go through the checkpoints don't
bother me. The screeners don't have to be perfect; they just have to be
good enough. No terrorist is going to base his plot on getting a gun
through airport security if there's a decent chance of getting caught,
because the consequences of getting caught are too great.
Contrast that with a terrorist plot that requires a 12-ounce bottle of
liquid. There's no evidence that the London liquid bombers actually had
a workable plot, but assume for the moment they did. If some copycat
terrorists try to bring their liquid bomb through airport security and
the screeners catch them -- like they caught me with my bottle of pasta
sauce -- the terrorists can simply try again. They can try again and
again. They can keep trying until they succeed. Because there are no
consequences to trying and failing, the screeners have to be 100 percent
effective. Even if they slip up one in a hundred times, the plot can
succeed.
The same is true for knitting needles, pocketknives, scissors,
corkscrews, cigarette lighters and whatever else the airport screeners
are confiscating this week. If there's no consequence to getting caught
with it, then confiscating it only hurts innocent people. At best, it
mildly annoys the terrorists.
To fix this, airport security has to make a choice. If something is
dangerous, treat it as dangerous and treat anyone who tries to bring it
on as potentially dangerous. If it's not dangerous, then stop trying to
keep it off airplanes. Trying to have it both ways just distracts the
screeners from actually making us safer.
http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html
http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tes…
or http://tinyurl.com/4npg9o
http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find…
or http://tinyurl.com/3ephgq
http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_w…
or http://tinyurl.com/r5gu
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/09/s…
or http://tinyurl.com/4m6vvj
** *** ***** ******* *********** *************
News
According to U.S. government documents, fear of terrorism could cause a
psychosomatic epidemic:
http://blog.wired.com/27bstroke6/2008/09/terrorism-fear.html
GPS spoofing:
http://philosecurity.org/2008/09/07/gps-spoofing
http://www.ne.anl.gov/capabilities/vat/spoof.html
NSA -- and others -- snooping on cell phone calls with off-the-shelf
technology:
http://news.cnet.com/8301-13739_3-10030134-46.html
The NSA teams up with the Chinese government to limit Internet anonymity:
http://www.schneier.com/blog/archives/2008/09/the_nsa_teams_u.html
The Pentagon's World of Warcraft Movie-Plot threat:
http://www.schneier.com/blog/archives/2008/09/the_pentagons_w.html
TSA employees are bypassing airport screening.
http://www.9news.com/news/article.aspx?storyid=99941&catid=339
This isn't a big deal. Screeners have to go in and out of security all
the time as they work. Yes, they can smuggle things in and out of the
airport. But you have to remember that the airport screeners are
trusted insiders for the system: there are a zillion ways they could
break airport security. On the other hand, it's probably a smart idea
to screen screeners when they walk through airport security when they
aren't working at that checkpoint at that time. The reason is the same
reason you should screen everyone, including pilots who can crash their
plane: you're not screening screeners (or pilots), you're screening
people wearing screener (or pilot) uniforms and carrying screener (or
pilot) IDs. You can either train your screeners to recognize authentic
uniforms and IDs, or you can just screen everybody. The latter is just
easier. But this isn't a big deal.
I can think of specific instances where the ability to unlock your door
over the Internet can be useful, but in most places it's not a good idea.
http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-int…
or http://tinyurl.com/4rsyve
http://treocentral.com/content/Stories/1999-1.htm
India using brain scans to prove guilt in court.
http://www.nytimes.com/2008/09/15/world/asia/15brainscan.html
The pseudo-science here is even worse than for lie detectors.
http://www.thehindu.com/2008/09/08/stories/2008090854420400.htm
People have been asking me to comment about Sarah Palin's Yahoo e-mail
account being hacked. I've already written about the security problems
with "secret questions" back in 2005:
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
More commentary:
http://www.freedom-to-tinker.com/blog/felten/how-yahoo-could-have-protected…
or http://tinyurl.com/4689km
The $20M camera system at New York's Freedom Tower is pretty sophisticated.
http://cityroom.blogs.nytimes.com/2008/09/24/unblinking-eyes-for-20-million…
or http://tinyurl.com/53e52c
We're developing a pre-crime detector that detects hostile thoughts.
http://www.newscientist.com/blogs/shortsharpscience/2008/09/precrime-detect…
or http://tinyurl.com/53ftps
http://www.foxnews.com/printer_friendly_story/0,3566,426485,00.html
Spykee is your own personal robot spy. It takes pictures and movies
that you can watch on the Internet in real time or save for later. You
can even talk with whoever you're spying on via Skype. Only $300.
http://www.spykeeworld.com/
http://www.robotsrule.com/html/spykee.php
http://www.amazon.com/gp/offer-listing/B000N6470A?tag=counterpane
Security maxims from Roger Johnston. Funny, and all too true.
http://www.ne.anl.gov/capabilities/vat/seals/maxims.html
Send your personalized message to TSA X-ray screeners using metal plates
you can put in your carry-on luggage.
http://blog.makezine.com/archive/2008/09/metal_plates_send_message.html
or http://tinyurl.com/4ro8es
http://www.nytimes.com/idg/IDG_852573C400693880002574D70000A2FB.html
Another bomb scare. Hot dogs this time.
http://www.philly.com/philly/blogs/phillies_zone/Just_Hot_Dogs_Folks.html
or http://tinyurl.com/5xpzsp
http://www.nytimes.com/aponline/us/AP-ODD-Hot-Dog-Scare.html
The Hackers Choice has released a tool allowing people to clone and
modify electronic passports. The problem is self-signed certificates.
A CA is not a great solution, and the link gives a good explanation as
to why. "So what's the solution? We know that humans are good at Border
Control. In the end they protected us well for the last 120 years. We
also know that humans are good at pattern matching and image
recognition. Humans also do an excellent job 'assessing' the person and
not just the passport. Take the human part away and passport security
falls apart."
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.h…
or http://tinyurl.com/4l49v4
http://www.theregister.co.uk/2008/09/30/epassport_hack_description/
Hand grenades are now weapons of mass destruction:
http://www.schneier.com/blog/archives/2008/10/hand_grenades_a.html
MI6 camera -- including secrets -- sold on eBay. The buyer turned the
camera in to the police.
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-high…
or http://tinyurl.com/4n5ov2
http://gizmodo.com/5056749/mi6-camera-with-secret-images-bought-on-ebay-for…
or http://tinyurl.com/4pj5jh
"Scareware" vendors sued -- it's about time.
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_s…
or http://tinyurl.com/3pxho4
This is clever: bank robber hires accomplices on Craigslist.
http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating…
or http://tinyurl.com/3h8wfe
New cross-site request forgery attacks.
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-c…
or http://tinyurl.com/4ubb2f
http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf
"Clickjacking" is a stunningly sexy name, but the vulnerability is
really just a variant of cross-site scripting. We don't know how bad it
really is, because the details are still being withheld. But the name
alone is causing dread. Here's a good Q&A on the vulnerability:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art…
or http://tinyurl.com/3rmfac
http://www.cgisecurity.org/2008/10/interview-jerem.html
http://hackademix.net/2008/09/27/clickjacking-and-noscript/
Turns out you can add anyone's number to -- or remove anyone's number
from -- the Canadian do-not-call list. You can also add (but not remove)
numbers to the U.S. do-not-call list, though only up to three at a time,
and you have to provide a valid e-mail address to confirm the addition.
Here's my idea. If you're a company, add every one of your customers
to the list. That way, none of your competitors will be able to cold
call them.
https://www.lnnte-dncl.gc.ca/
https://www.donotcall.gov/register/reg.aspx
Chinese monitoring Skype messages:
http://arstechnica.com/news.ars/post/20081002-skype-security-flub-leads-to-…
or http://tinyurl.com/4pgn2j
According to a massive report from the National Research Council, data
mining for terrorists doesn't work.
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2…
or http://tinyurl.com/4klgqe
http://arstechnica.com/news.ars/post/20081009-analysis-data-mining-doesnt-w…
or http://tinyurl.com/4azsds
http://www.nap.edu/catalog.php?record_id=12452
Interesting paper by Adam Shostack on threat modeling at Microsoft:
http://blogs.msdn.com/sdl/attachment/8991806.ashx
Elcomsoft is claiming that the WPA protocol is dead, just because they
can speed up brute-force cracking by 100 times using a hardware
accelerator. Why exactly is this news? Yes, weak passwords are weak --
we already know that. And strong WPA passwords are still strong. This
seems like yet another blatant attempt to grab some press attention with
a half-baked cryptanalytic result.
http://www.elcomsoft.com/edpr.html?r1=pr&r2=wpa
http://mobile.slashdot.org/mobile/08/10/12/1724230.shtml
http://www.theregister.co.uk/2008/10/10/graphics_card_wireless_hacking/
http://www.schneier.com/essay-148.html
Clever counterterrorism attack against the IRA: set up a laundromat, and
watch who has bomb residue on their clothes:
http://www.schneier.com/blog/archives/2008/10/clever_countert.html
There's a new chip-and-pin scam in the UK. The card readers were hacked
when they were built, "either during the manufacturing process at a
factory in China, or shortly after they came off the production line."
It's being called a "supply chain hack." Sophisticated stuff, and yet
another demonstration that these all-computer security systems are full
of risks.
http://online.wsj.com/article/SB122366999999723871.html
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chi…
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card…
BTW, what's it worth to rig an election?
http://www.schneier.com/essay-046.html
BART, the San Francisco subway authority, has been debating allowing
passengers to bring drinks on trains. There are all sorts of good
reasons why or why not -- convenience, problems with spills, and so on
-- but one reason that makes no sense is that terrorists may bring
flammable liquids on board. Yet that is exactly what BART managers
said. No big news -- we've seen stupid things like this regularly since
9/11 -- but this time people responded: "Added Director Tom Radulovich,
'If somebody wants to break the law and bring flammable liquids on, they
can. It's not like al Qaeda is waiting in their caves for us to have a
sippy-cup rule.' Directing his comments to BART administrators, he
said, 'You know, it's just fearmongering and you should be ashamed.'
Terrorist fear mongering seems to be working less well.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/10/10/BAB813EELU.DTL
** *** ***** ******* *********** *************
The More Things Change, the More They Stay the Same
Guess the year: "Murderous organizations have increased in size and
scope; they are more daring, they are served by the most terrible
weapons offered by modern science, and the world is nowadays threatened
by new forces which, if recklessly unchained, may some day wreck
universal destruction. The Orsini bombs were mere children's toys
compared with the later developments of infernal machines. Between 1858
and 1898 the dastardly science of destruction had made rapid and
alarming strides..."
No, that wasn't a typo. "Between 1858 and 1898...." This quote is from
Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898,
II, p. 469. It's quoted in: Walter Laqueur, "A History of Terrorism,"
New Brunswick/London, Transaction Publishers, 2002.
http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A…
or http://tinyurl.com/3wn2ct
http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd…
or http://tinyurl.com/46s7ny
** *** ***** ******* *********** *************
NSA's Warrantless Eavesdropping Targets Innocent Americans
Remember when the U.S. government said it was only spying on terrorists?
Anyone with any common sense knew it was lying -- power without
oversight is always abused -- but even I didn't think it was this bad:
"Faulk says he and others in his section of the NSA facility at Fort
Gordon routinely shared salacious or tantalizing phone calls that had
been intercepted, alerting office mates to certain time codes of 'cuts'
that were available on each operator's computer.
"'Hey, check this out,' Faulk says he would be told, 'there's good phone
sex or there's some pillow talk, pull up this call, it's really funny,
go check it out. It would be some colonel making pillow talk and we
would say, "Wow, this was crazy",' Faulk told ABC News."
Warrants are a security device. They protect us against government
abuse of power.
http://www.nytimes.com/2008/10/10/washington/10nsa.html
http://abcnews.go.com/Blotter/story?id=5987804&page=1
http://www.upi.com/Top_News/2008/10/10/Spy_agency_accused_of_improper_liste…
http://www.reuters.com/article/domesticNews/idUSTRE4990CD20081010
** *** ***** ******* *********** *************
Schneier/BT News
Schneier is speaking at the 30th International Conference of Data
Protection and Privacy Commissioners on 15 October in Strasbourg, France.
http://www.privacyconference2008.org/
Schneier is speaking at the European Security and Information System
Congress on 17 October in Monaco.
http://cms.event-catalyst.com/assises/home.aspx
Schneier is speaking at RSA Europe on 28 October in London.
http://www.rsaconference.com/2008/Europe/Home.aspx
Schneier is speaking at the 22nd Large Installation System
Administration Conference on 13 November in San Diego, CA.
http://usenix.org/events/lisa08/
Schneier was interviewed by Telecom Asia:
http://www.telecomasia.net/article.php?id_article=10230
Schneier was interviewed by the Irish Times:
http://www.irishtimes.com/newspaper/finance/2008/1003/1222959300589.html
or http://tinyurl.com/4ccjmw
Schneier was interviewed by Dr. Dobb's Journal:
http://www.ddj.com/security/210605067
My essay on chemical plants and security for the Guardian. Nothing I
haven't said before.
http://www.schneier.com/essay-243.html
** *** ***** ******* *********** *************
Taleb on the Limitations of Risk Management
Nice paragraph on the limitations of risk management in this
occasionally interesting interview with Nicholas Taleb:
"Because then you get a Maginot Line problem. [After World War I, the
French erected concrete fortifications to prevent Germany from invading
again -- a response to the previous war, which proved ineffective for
the next one.] You know, they make sure they solve that particular
problem, the Germans will not invade from here. The thing you have to be
aware of most obviously is scenario planning, because typically if you
talk about scenarios, you'll overestimate the probability of these
scenarios. If you examine them at the expense of those you don't
examine, sometimes it has left a lot of people worse off, so scenario
planning can be bad. I'll just take my track record. Those who did
scenario planning have not fared better than those who did not do
scenario planning. A lot of people have done some kind of "make-sense"
type measures, and that has made them more vulnerable because they give
the illusion of having done your job. This is the problem with risk
management. I always come back to a classical question. Don't give a
fool the illusion of risk management. Don't ask someone to guess the
number of dentists in Manhattan after asking him the last four digits of
his Social Security number. The numbers will always be correlated. I
actually did some work on risk management, to show how stupid we are
when it comes to risk."
http://www.portfolio.com/views/columns/the-world-according-to/2008/08/14/In…
or http://tinyurl.com/5eazpu
** *** ***** ******* *********** *************
"New Attack" Against Encrypted Images
In a blatant attempt to get some PR, a researcher at PMC Ciphers has
figured out that encrypting data with ECB mode results in ciphertext
patterns.
Yeah, we already knew that.
And -1 point for a security company requiring the use of JavaScript, and
not failing gracefully for a browser that doesn't have it enabled. And
-- ahem -- what is it with that photograph in the paper? Couldn't the
researchers have found something a little less adolescent?
For the record, I doghoused PMC Ciphers back in 2003: "PMC Ciphers. The
theory description is so filled with pseudo-cryptography that it's funny
to read. Hypotheses are presented as conclusions. Current research is
misstated or ignored. The first link is a technical paper with four
references, three of them written before 1975. Who needs thirty years of
cryptographic research when you have polymorphic cipher theory?"
I didn't realize it at the time, but PMC Ciphers responded to my
doghousing them. Funny stuff.
http://www.techworld.com/security/news/index.cfm?newsid=105263
http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepaper…
or http://tinyurl.com/3fe64r
Doghouse and response:
http://www.schneier.com/crypto-gram-0303.html#4
http://www.ciphers.de/eng/content/Backround-Info/Bruce-Schneiers-comments.h…
or http://tinyurl.com/52ymfo
When I posted this on my blog, three new commenters using dialups at the
same German ISP showed up to defend the paper. What are the odds?
http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html
** *** ***** ******* *********** *************
Nonviolent Activists Are Now Terrorists
This is an abomination: "The Maryland State Police classified 53
nonviolent activists as terrorists and entered their names and personal
information into state and federal databases that track terrorism
suspects, the state police chief acknowledged yesterday."
Why did they do that? "Both Hutchins and Sheridan said the activists'
names were entered into the state police database as terrorists partly
because the software offered limited options for classifying entries."
I know that once we had this "either you're with us or with the
terrorists" mentality, but don't you think that -- just maybe -- the
software should allow for a little bit more nuance?
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/07/AR200810070…
or http://tinyurl.com/3znjv7
** *** ***** ******* *********** *************
Does Risk Management Make Sense?
We engage in risk management all the time, but it only makes sense if we
do it right.
"Risk management" is just a fancy term for the cost-benefit tradeoff
associated with any security decision. It's what we do when we react to
fear, or try to make ourselves feel secure. It's the fight-or-flight
reflex that evolved in primitive fish and remains in all vertebrates.
It's instinctual, intuitive and fundamental to life, and one of the
brain's primary functions.
Some have hypothesized that humans have a "risk thermostat" that tries
to maintain some optimal risk level. It explains why we drive our
motorcycles faster when we wear a helmet, or are more likely to take up
smoking during wartime. It's our natural risk management in action.
The problem is our brains are intuitively suited to the sorts of risk
management decisions endemic to living in small family groups in the
East African highlands in 100,000 BC, and not to living in the New York
City of 2008. We make systematic risk management mistakes --
miscalculating the probability of rare events, reacting more to stories
than data, responding to the feeling of security rather than reality,
and making decisions based on irrelevant context. And that risk
thermostat of ours? It's not nearly as finely tuned as we might like it
to be.
Like a rabbit that responds to an oncoming car with its default predator
avoidance behavior -- dart left, dart right, dart left, and at the last
moment jump -- instead of just getting out of the way, our Stone Age
intuition doesn't serve us well in a modern technological society. So
when we in the security industry use the term "risk management," we
don't want you to do it by trusting your gut. We want you to do risk
management consciously and intelligently, to analyze the tradeoff and
make the best decision.
This means balancing the costs and benefits of any security decision --
buying and installing a new technology, implementing a new procedure or
forgoing a common precaution. It means allocating a security budget to
mitigate different risks by different amounts. It means buying insurance
to transfer some risks to others. It's what businesses do, all the time,
about everything. IT security has its own risk management decisions,
based on the threats and the technologies.
There's never just one risk, of course, and bad risk management
decisions often carry an underlying tradeoff. Terrorism policy in the
U.S. is based more on politics than actual security risk, but the
politicians who make these decisions are concerned about the risks of
not being re-elected.
Many corporate security decisions are made to mitigate the risk of
lawsuits rather than address the risk of any actual security breach. And
individuals make risk management decisions that consider not only the
risks to the corporation, but the risks to their departments' budgets,
and to their careers.
You can't completely remove emotion from risk management decisions, but
the best way to keep risk management focused on the data is to formalize
the methodology. That's what companies that manage risk for a living --
insurance companies, financial trading firms and arbitrageurs -- try to
do. They try to replace intuition with models, and hunches with
mathematics.
The problem in the security world is we often lack the data to do risk
management well. Technological risks are complicated and subtle. We
don't know how well our network security will keep the bad guys out, and
we don't know the cost to the company if we don't keep them out. And the
risks change all the time, making the calculations even harder. But this
doesn't mean we shouldn't try.
You can't avoid risk management; it's fundamental to business just as to
life. The question is whether you're going to try to use data or whether
you're going to just react based on emotions, hunches and anecdotes.
This essay appeared as the first half of a point-counterpoint with
Marcus Ranum in Information Security magazine.
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci133…
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is the Chief Security Technology Officer of BT (BT acquired
Counterpane in 2006), and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2008 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[View Less]
1
0