cypherpunks-legacy
[liberationtech] ETH Zürich Systems Design Publication: The Network of Global Corporate Control
by Moritz Bartl 06 Jul '18
http://arxiv.org/abs/1107.5728
Stefania Vitali, James B. Glattfelder, Stefano Battiston
Chair of Systems Design, ETH Zürich
(Submitted on 28 Jul 2011, last revised 19 Sep 2011)
The structure of the control network of transnational corporations
affects global market competition and financial stability. So far, only
small national samples were studied and there was no appropriate
methodology to assess control globally. We present the first
investigation of the architecture of the international ownership
network, along with the computation of the control held by each global
player. We find that transnational corporations form a giant bow-tie
structure and that a large portion of control flows to a small
tightly-knit core of financial institutions. This core can be seen as an
economic "super-entity" that raises new important issues both for
researchers and policy makers.
>QUOTE:
This is the first time a ranking of economic actors by global control is
presented. Notice that many actors belong to the financial sector and
many of the names are well-known global players. The interest of this
ranking is not that it exposes unsuspected powerful players. Instead, it
shows that many of the top actors belong to the core. This means that
they do not carry out their business in isolation but, on the contrary,
they are tied together in an extremely entangled web of control. This
finding is extremely important since there was no prior economic theory
or empirical evidence regarding whether and how top players are
connected. Finally, it should be noted that governments and natural
persons are only featured further down in the list.
(via
http://www.newscientist.com/article/mg21228354.500-revealed--the-capitalist…
, quoted below: )
AS PROTESTS against financial power sweep the world this week, science
may have confirmed the protesters' worst fears. An analysis of the
relationships between 43,000 transnational corporations has identified a
relatively small group of companies, mainly banks, with disproportionate
power over the global economy.
The 1318 transnational corporations that form the core of the economy.
Superconnected companies are red, very connected companies are yellow.
The study's assumptions have attracted some criticism, but complex
systems analysts contacted by New Scientist say it is a unique effort to
untangle control in the global economy. Pushing the analysis further,
they say, could help to identify ways of making global capitalism more
stable.
The idea that a few bankers control a large chunk of the global economy
might not seem like news to New York's Occupy Wall Street movement and
protesters elsewhere. But the study, by a trio of complex systems
theorists at the Swiss Federal Institute of Technology in Zurich, is the
first to go beyond ideology to empirically identify such a network of
power. It combines the mathematics long used to model natural systems
with comprehensive corporate data to map ownership among the world's
transnational corporations (TNCs).
"Reality is so complex, we must move away from dogma, whether it's
conspiracy theories or free-market," says James Glattfelder. "Our
analysis is reality-based."
Previous studies have found that a few TNCs own large chunks of the
world's economy, but they included only a limited number of companies
and omitted indirect ownerships, so could not say how this affected the
global economy - whether it made it more or less stable, for instance.
The Zurich team can. From Orbis 2007, a database listing 37 million
companies and investors worldwide, they pulled out all 43,060 TNCs and
the share ownerships linking them. Then they constructed a model of
which companies controlled others through shareholding networks, coupled
with each company's operating revenues, to map the structure of economic
power.
The work, to be published in PloS One, revealed a core of 1318 companies
with interlocking ownerships (see image). Each of the 1318 had ties to
two or more other companies, and on average they were connected to 20.
What's more, although they represented 20 per cent of global operating
revenues, the 1318 appeared to collectively own through their shares the
majority of the world's large blue chip and manufacturing firms - the
"real" economy - representing a further 60 per cent of global revenues.
When the team further untangled the web of ownership, it found much of
it tracked back to a "super-entity" of 147 even more tightly knit
companies - all of their ownership was held by other members of the
super-entity - that controlled 40 per cent of the total wealth in the
network. "In effect, less than 1 per cent of the companies were able to
control 40 per cent of the entire network," says Glattfelder. Most were
financial institutions. The top 20 included Barclays Bank, JPMorgan
Chase & Co, and The Goldman Sachs Group.
John Driffill of the University of London, a macroeconomics expert, says
the value of the analysis is not just to see if a small number of people
controls the global economy, but rather its insights into economic
stability.
Concentration of power is not good or bad in itself, says the Zurich
team, but the core's tight interconnections could be. As the world
learned in 2008, such networks are unstable. "If one [company] suffers
distress," says Glattfelder, "this propagates."
"It's disconcerting to see how connected things really are," agrees
George Sugihara of the Scripps Institution of Oceanography in La Jolla,
California, a complex systems expert who has advised Deutsche Bank.
Yaneer Bar-Yam, head of the New England Complex Systems Institute
(NECSI), warns that the analysis assumes ownership equates to control,
which is not always true. Most company shares are held by fund managers
who may or may not control what the companies they part-own actually do.
The impact of this on the system's behaviour, he says, requires more
analysis.
Crucially, by identifying the architecture of global economic power, the
analysis could help make it more stable. By finding the vulnerable
aspects of the system, economists can suggest measures to prevent future
collapses spreading through the entire economy. Glattfelder says we may
need global anti-trust rules, which now exist only at national level, to
limit over-connection among TNCs. Bar-Yam says the analysis suggests one
possible solution: firms should be taxed for excess interconnectivity to
discourage this risk.
One thing won't chime with some of the protesters' claims: the
super-entity is unlikely to be the intentional result of a conspiracy to
rule the world. "Such structures are common in nature," says Sugihara.
Newcomers to any network connect preferentially to highly connected
members. TNCs buy shares in each other for business reasons, not for
world domination. If connectedness clusters, so does wealth, says Dan
Braha of NECSI: in similar models, money flows towards the most highly
connected members. The Zurich study, says Sugihara, "is strong evidence
that simple rules governing TNCs give rise spontaneously to highly
connected groups". Or as Braha puts it: "The Occupy Wall Street claim
that 1 per cent of people have most of the wealth reflects a logical
phase of the self-organising economy."
So, the super-entity may not result from conspiracy. The real question,
says the Zurich team, is whether it can exert concerted political power.
Driffill feels 147 is too many to sustain collusion. Braha suspects they
will compete in the market but act together on common interests.
Resisting changes to the network structure may be one such common interest.
The top 50 of the 147 superconnected companies
1. Barclays plc
2. Capital Group Companies Inc
3. FMR Corporation
4. AXA
5. State Street Corporation
6. JP Morgan Chase & Co
7. Legal & General Group plc
8. Vanguard Group Inc
9. UBS AG
10. Merrill Lynch & Co Inc
11. Wellington Management Co LLP
12. Deutsche Bank AG
13. Franklin Resources Inc
14. Credit Suisse Group
15. Walton Enterprises LLC
16. Bank of New York Mellon Corp
17. Natixis
18. Goldman Sachs Group Inc
19. T Rowe Price Group Inc
20. Legg Mason Inc
21. Morgan Stanley
22. Mitsubishi UFJ Financial Group Inc
23. Northern Trust Corporation
24. Société Générale
25. Bank of America Corporation
26. Lloyds TSB Group plc
27. Invesco plc
28. Allianz SE
29. TIAA
30. Old Mutual Public Limited Company
31. Aviva plc
32. Schroders plc
33. Dodge & Cox
34. Lehman Brothers Holdings Inc*
35. Sun Life Financial Inc
36. Standard Life plc
37. CNCE
38. Nomura Holdings Inc
39. The Depository Trust Company
40. Massachusetts Mutual Life Insurance
41. ING Groep NV
42. Brandes Investment Partners LP
43. Unicredito Italiano SPA
44. Deposit Insurance Corporation of Japan
45. Vereniging Aegon
46. BNP Paribas
47. Affiliated Managers Group Inc
48. Resona Holdings Inc
49. Capital Group International Inc
50. China Petrochemical Group Company
* Lehman still existed in the 2007 dataset used
Graphic: The 1318 transnational corporations that form the core of the
economy
(Data: PLoS One)
--
Moritz Bartl
https://www.torservers.net/
_______________________________________________
liberationtech mailing list
liberationtech(a)lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
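Added example, not code from the paper or from the mailing-list post: a small Python model of the two things the article describes in words, propagating share ownership transitively (weighted by each company's operating revenue) to get a "network control" figure per actor, and reading the bow-tie (core, in-section, out-section) off the strongly connected structure of the ownership graph. The control formula c = W(v + c) is my reading of the arXiv paper's definition and should be treated as an assumption; as I recall the paper also applies a correction for closed cycles of cross-shareholdings, which this toy omits. The company names, share fractions and revenues are constructed.

```python
"""Network control over a toy ownership graph (added example, not the paper's code).

Assumed model: control[i] = sum_j W[i][j] * (value[j] + control[j]), where W[i][j] is
the fraction of j's shares held by i and value[j] is j's operating revenue.
"""
from collections import deque

# Constructed toy data: EDGES[holder][company] = share fraction held.
# Column sums stay <= 1 (nobody is more than 100% owned), which keeps the
# fixed-point iteration below convergent.
EDGES = {
    "BankA":    {"BankB": 0.4, "Maker1": 0.6, "Maker2": 0.3},
    "BankB":    {"BankA": 0.5, "Maker2": 0.5},
    "FundC":    {"BankA": 0.3, "BankB": 0.4},
    "Maker1":   {"Supplier": 0.9},
    "Maker2":   {"Supplier": 0.1},
    "Supplier": {},
}
# Constructed operating revenues (the paper uses Orbis revenues; these are made up).
VALUE = {"BankA": 10.0, "BankB": 8.0, "FundC": 5.0,
         "Maker1": 20.0, "Maker2": 15.0, "Supplier": 30.0}


def check_ownership(edges):
    """Reject graphs with unknown holders, bad fractions, or >100% of a company owned."""
    held = {}
    for holder, stakes in edges.items():
        for company, frac in stakes.items():
            if company not in edges:
                raise ValueError(f"{holder} holds shares in unknown node {company}")
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"bad share fraction {frac} on {holder}->{company}")
            held[company] = held.get(company, 0.0) + frac
    over = {c: s for c, s in held.items() if s > 1.0 + 1e-9}
    if over:
        raise ValueError(f"more than 100% of shares accounted for: {over}")
    return held


def network_control(edges, value, tol=1e-10, max_iter=10_000):
    """Iterate c = W (v + c) to its fixed point: direct plus indirect control."""
    check_ownership(edges)
    control = {n: 0.0 for n in edges}
    for _ in range(max_iter):
        new = {
            holder: sum(frac * (value[company] + control[company])
                        for company, frac in stakes.items())
            for holder, stakes in edges.items()
        }
        delta = max(abs(new[n] - control[n]) for n in edges)
        control = new
        if delta < tol:
            return control
    raise RuntimeError("no convergence: ownership cycles retain too much value")


def reachable(edges, start):
    """Nodes reachable from `start` (inclusive) along holder -> company edges."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def bow_tie(edges):
    """Split the graph into core (largest SCC), in-section, out-section and the rest."""
    reach = {n: reachable(edges, n) for n in edges}
    sccs = []
    for n in edges:
        scc = frozenset(m for m in edges if m in reach[n] and n in reach[m])
        if scc not in sccs:
            sccs.append(scc)
    core = max(sccs, key=len)
    pivot = next(iter(core))
    in_section = {n for n in edges if n not in core and pivot in reach[n]}
    out_section = {n for n in edges if n not in core and n in reach[pivot]}
    other = set(edges) - core - in_section - out_section
    return {"core": set(core), "in": in_section, "out": out_section, "other": other}


def ranked(control):
    """Actors ordered by network control, highest first."""
    return sorted(control.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    ctrl = network_control(EDGES, VALUE)
    for name, c in ranked(ctrl):
        print(f"{name:9s} control={c:7.2f}")
    print(bow_tie(EDGES))
```

On the toy data the two banks that own each other form the core, the fund that owns them is the in-section, and the manufacturers and their supplier are the out-section; the banks end up with the largest control figures even though their own revenues are the smallest, which is the article's point about control flowing to a financial core. Bar-Yam's caveat applies unchanged: the model equates a share fraction with control.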
>> like the NSA for example, consider that they haven't yet managed to track
>> down the guys running the Silk Road drug site (http://silkroadvb5piz3r.onion)
Call me stupid, but I actually think the NSA does have the capability to
locate Tor hidden services, even if only those existing within the USA. But
as usual, they may be restricted from originally passing it to enforcement,
or from producing data at bequest of same. Or for whatever reason, no one
cares, or wishes to keep capabilities or bigger fish under wraps. Nothing new
here.
> Do you know who runs Silk Road?
Silk Road will likely go down via the usual means... some Joe somewhere
flapping their gums, a street grudge, too much bling, etc. Just as with
Farmer's Market, the case files will certainly make for interesting reading.
But not really tell us much about Tor :(
_______________________________________________
tor-talk mailing list
tor-talk(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
Link: http://slashdot.org/article.pl?sid=04/10/10/1716256
Posted by: timothy, on 2004-10-10 17:18:00
from the fbi-just-along-for-the-ride dept.
[1]daveschroeder writes "According to [2]this Indymedia.org article
and [3]AFP report, the request to seize Indymedia servers hosted by a
U.S. company in the UK (covered in this [4]previous slashdot story)
originated from government agencies in Italy and Switzerland, not the
United States. Because Indymedia's hosting company, Rackspace.com, is
a U.S. company, the FBI coordinated the request and accompanied UK
Metropolitan Police on the seizure under the auspices of the [5]Mutual
Legal Assistance Treaty (MLAT), an international legal treaty, but,
according to an FBI spokesman, 'It is not an FBI operation. Through
[MLAT], the subpoena was on behalf of a third country.'" Read on below
for more.
daveschroeder continues: "Rackspace's statement reads, 'In the present
matter regarding Indymedia, Rackspace Managed Hosting, a U.S. based
company with offices in London, is acting in compliance with a court
order pursuant to a Mutual Legal Assistance Treaty (MLAT), which
establishes procedures for countries to assist each other in
investigations such as international terrorism, kidnapping and money
laundering. Rackspace responded to a Commissioner's subpoena, duly
issued under Title 28, United States Code, Section 1782 in an
investigation that did not arise in the United States. Rackspace is
acting as a good corporate citizen and is cooperating with
international law enforcement authorities. The court prohibits
Rackspace from commenting further on this matter.'"
References
1. mailto:dasNO@SPAMdoit.wisc.edu
2. http://www.indymedia.org/en/2004/10/112047.shtml
3.
http://story.news.yahoo.com/news?tmpl=story&cid=1509&ncid=738&e=6&u=/afp/20…
1008/tc_afp/us_internet_justice
4. http://yro.slashdot.org/article.pl?sid=04/10/07/204217&tid=153
5. http://travel.state.gov/law/mlat.html
----- End forwarded message -----
--
Eugen* Leitl <leitl>
06 Jul '18
http://www.theglobeandmail.com/servlet/story/RTGAM.20060626.wcse0626/BNStory/National/home
Canada's high-tech spies leave Lamer in the dark
JIM BRONSKILL
Canadian Press
[The Globe and Mail, June 27, 2006]
Ottawa - The watchdog over Canada's eavesdropping agency says he's not
getting the detailed information he needs to be sure the secretive spy
outfit is obeying the rules.
In his annual report, Antonio Lamer laments a "lack of clarity" in the
information the Communications Security Establishment provides when
seeking ministerial permission for sensitive operations.
The disagreement raises questions about whether Mr. Lamer, as CSE
commissioner, can provide full assurances that the spy agency is
meeting all legal requirements.
The Ottawa-based CSE, an ultra-secret wing of the Defence Department,
monitors foreign radio, telephone, fax, satellite and computer traffic
for information of interest to Canada. The intelligence is used in
support of Canadian crime-fighting, defence and trade policies.
Military listening posts assist the agency's efforts to intercept the
communications of foreign states and organizations, as well as the
phone calls and messages of suspected terrorists, drug traffickers and
smugglers.
The CSE has long been prohibited from directing its surveillance at
Canadians or anybody in Canada.
However, the Anti-Terrorism Act of 2001 gave the CSE authority to tap
into conversations and messages even if those communications begin or
end in Canada.
For instance, the CSE could now intercept a phone call from a member
of Osama bin Laden's al-Qaeda network somewhere in Asia to a residence
in Montreal.
Various safeguards, including the need for the defence minister's
approval, were built into the practice.
Mr. Lamer, a former Supreme Court chief justice, recently concluded
his term as CSE commissioner, an independent watchdog who scrutinizes
the spy agency's activities to ensure compliance with the law.
In his final report, he says there should be a clear linkage between
the government's intelligence priorities, the targets chosen and the
activities for which ministerial approval is needed.
But supporting documentation provided by the CSE as part of its
requests for authorization address foreign intelligence requirements
"only in general terms."
The dispute stems from differing legal interpretations held by Mr.
Lamer's independent counsel and the deputy minister of Justice, whose
department provides legal direction to the CSE.
"The lack of clarity in this regard has made it difficult for my staff
to assess compliance with certain of the conditions that the
legislation requires to be satisfied before a ministerial
authorization is given."
Mr. Lamer says he has "offered specific recommendations" to the
defence minister and CSE to iron out "ambiguities" in the legislation
governing the CSE.
As a result, Mr. Lamer qualifies his finding that CSE activities in
2005-06 complied with the law "as it is currently interpreted by the
Department of Justice."
CSE spokesman Adrian Simpson said Monday that, as a government agency,
the organization "must follow the interpretation" of the Justice
Department.
Mr. Simpson added that the CSE "takes great pains to comply with all
of the laws of Canada."
Mr. Lamer says his one regret is leaving the post "without a
resolution of the legal interpretation issues that have bedevilled
this office since December 2001."
"I wish my successor well in bringing this matter to a satisfactory
conclusion for all concerned."
Defence Minister Gordon O'Connor's office had no immediate comment.
A spokesman for Mr. Lamer was unavailable.
Mr. Lamer's concerns emerge as the CSE's American counterpart, the
National Security Agency, faces the glare of controversy.
In December, the New York Times disclosed that U.S. President George
W. Bush had authorized the NSA to eavesdrop on Americans and others
inside the United States without court-approved warrants, as has been
the recognized practice there.
Despite pointed criticism from privacy advocates, U.S. officials have
defended the program.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
[liberationtech] ETH ZC<rich Systems Design Publication: The Network of Global Corporate Control
by Moritz Bartl 06 Jul '18
by Moritz Bartl 06 Jul '18
06 Jul '18
http://arxiv.org/abs/1107.5728
Stefania Vitali, James B. Glattfelder, Stefano Battiston
Chair of Systems Design, ETH ZC<rich
(Submitted on 28 Jul 2011, last revised 19 Sep 2011)
The structure of the control network of transnational corporations
affects global market competition and financial stability. So far, only
small national samples were studied and there was no appropriate
methodology to assess control globally. We present the first
investigation of the architecture of the international ownership
network, along with the computation of the control held by each global
player. We find that transnational corporations form a giant bow-tie
structure and that a large portion of control flows to a small
tightly-knit core of financial institutions. This core can be seen as an
economic "super-entity" that raises new important issues both for
researchers and policy makers.
>QUOTE:
This is the o,rst time a ranking of economic actors by global control is
presented. Notice that many actors belong to the o,nancial sector and
many of the names are well-known global players. The interest of this
ranking is not that it exposes unsuspected powerful players. Instead, it
shows that many of the top actors belong to the core. This means that
they do not carry out their business in isolation but, on the contrary,
they are tied together in an extremely entangled web of control. This
o,nding is extremely important since there was no prior economic theory
or empirical evidence regarding whether and how top players are
connected. Finally, it should be noted that governments and natural
persons are only featured further down in the list.
(via
http://www.newscientist.com/article/mg21228354.500-revealed--the-capitalist…
, quoted below: )
AS PROTESTS against financial power sweep the world this week, science
may have confirmed the protesters' worst fears. An analysis of the
relationships between 43,000 transnational corporations has identified a
relatively small group of companies, mainly banks, with disproportionate
power over the global economy.
The 1318 transnational corporations that form the core of the economy.
Superconnected companies are red, very connected companies are yellow.
The study's assumptions have attracted some criticism, but complex
systems analysts contacted by New Scientist say it is a unique effort to
untangle control in the global economy. Pushing the analysis further,
they say, could help to identify ways of making global capitalism more
stable.
The idea that a few bankers control a large chunk of the global economy
might not seem like news to New York's Occupy Wall Street movement and
protesters elsewhere. But the study, by a trio of complex systems
theorists at the Swiss Federal Institute of Technology in Zurich, is the
first to go beyond ideology to empirically identify such a network of
power. It combines the mathematics long used to model natural systems
with comprehensive corporate data to map ownership among the world's
transnational corporations (TNCs).
"Reality is so complex, we must move away from dogma, whether it's
conspiracy theories or free-market," says James Glattfelder. "Our
analysis is reality-based."
Previous studies have found that a few TNCs own large chunks of the
world's economy, but they included only a limited number of companies
and omitted indirect ownerships, so could not say how this affected the
global economy - whether it made it more or less stable, for instance.
The Zurich team can. From Orbis 2007, a database listing 37 million
companies and investors worldwide, they pulled out all 43,060 TNCs and
the share ownerships linking them. Then they constructed a model of
which companies controlled others through shareholding networks, coupled
with each company's operating revenues, to map the structure of economic
power.
The work, to be published in PloS One, revealed a core of 1318 companies
with interlocking ownerships (see image). Each of the 1318 had ties to
two or more other companies, and on average they were connected to 20.
What's more, although they represented 20 per cent of global operating
revenues, the 1318 appeared to collectively own through their shares the
majority of the world's large blue chip and manufacturing firms - the
"real" economy - representing a further 60 per cent of global revenues.
When the team further untangled the web of ownership, it found much of
it tracked back to a "super-entity" of 147 even more tightly knit
companies - all of their ownership was held by other members of the
super-entity - that controlled 40 per cent of the total wealth in the
network. "In effect, less than 1 per cent of the companies were able to
control 40 per cent of the entire network," says Glattfelder. Most were
financial institutions. The top 20 included Barclays Bank, JPMorgan
Chase & Co, and The Goldman Sachs Group.
John Driffill of the University of London, a macroeconomics expert, says
the value of the analysis is not just to see if a small number of people
controls the global economy, but rather its insights into economic
stability.
Concentration of power is not good or bad in itself, says the Zurich
team, but the core's tight interconnections could be. As the world
learned in 2008, such networks are unstable. "If one [company] suffers
distress," says Glattfelder, "this propagates."
"It's disconcerting to see how connected things really are," agrees
George Sugihara of the Scripps Institution of Oceanography in La Jolla,
California, a complex systems expert who has advised Deutsche Bank.
Yaneer Bar-Yam, head of the New England Complex Systems Institute
(NECSI), warns that the analysis assumes ownership equates to control,
which is not always true. Most company shares are held by fund managers
who may or may not control what the companies they part-own actually do.
The impact of this on the system's behaviour, he says, requires more
analysis.
Crucially, by identifying the architecture of global economic power, the
analysis could help make it more stable. By finding the vulnerable
aspects of the system, economists can suggest measures to prevent future
collapses spreading through the entire economy. Glattfelder says we may
need global anti-trust rules, which now exist only at national level, to
limit over-connection among TNCs. Bar-Yam says the analysis suggests one
possible solution: firms should be taxed for excess interconnectivity to
discourage this risk.
One thing won't chime with some of the protesters' claims: the
super-entity is unlikely to be the intentional result of a conspiracy to
rule the world. "Such structures are common in nature," says Sugihara.
Newcomers to any network connect preferentially to highly connected
members. TNCs buy shares in each other for business reasons, not for
world domination. If connectedness clusters, so does wealth, says Dan
Braha of NECSI: in similar models, money flows towards the most highly
connected members. The Zurich study, says Sugihara, "is strong evidence
that simple rules governing TNCs give rise spontaneously to highly
connected groups". Or as Braha puts it: "The Occupy Wall Street claim
that 1 per cent of people have most of the wealth reflects a logical
phase of the self-organising economy."
So, the super-entity may not result from conspiracy. The real question,
says the Zurich team, is whether it can exert concerted political power.
Driffill feels 147 is too many to sustain collusion. Braha suspects they
will compete in the market but act together on common interests.
Resisting changes to the network structure may be one such common interest.
The top 50 of the 147 superconnected companies
1. Barclays plc
2. Capital Group Companies Inc
3. FMR Corporation
4. AXA
5. State Street Corporation
6. JP Morgan Chase & Co
7. Legal & General Group plc
8. Vanguard Group Inc
9. UBS AG
10. Merrill Lynch & Co Inc
11. Wellington Management Co LLP
12. Deutsche Bank AG
13. Franklin Resources Inc
14. Credit Suisse Group
15. Walton Enterprises LLC
16. Bank of New York Mellon Corp
17. Natixis
18. Goldman Sachs Group Inc
19. T Rowe Price Group Inc
20. Legg Mason Inc
21. Morgan Stanley
22. Mitsubishi UFJ Financial Group Inc
23. Northern Trust Corporation
24. SociC)tC) GC)nC)rale
25. Bank of America Corporation
26. Lloyds TSB Group plc
27. Invesco plc
28. Allianz SE 29. TIAA
30. Old Mutual Public Limited Company
31. Aviva plc
32. Schroders plc
33. Dodge & Cox
34. Lehman Brothers Holdings Inc*
35. Sun Life Financial Inc
36. Standard Life plc
37. CNCE
38. Nomura Holdings Inc
39. The Depository Trust Company
40. Massachusetts Mutual Life Insurance
41. ING Groep NV
42. Brandes Investment Partners LP
43. Unicredito Italiano SPA
44. Deposit Insurance Corporation of Japan
45. Vereniging Aegon
46. BNP Paribas
47. Affiliated Managers Group Inc
48. Resona Holdings Inc
49. Capital Group International Inc
50. China Petrochemical Group Company
* Lehman still existed in the 2007 dataset used
Graphic: The 1318 transnational corporations that form the core of the
economy
(Data: PLoS One)
--
Moritz Bartl
https://www.torservers.net/
_______________________________________________
liberationtech mailing list
liberationtech(a)lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
CRYPTO-GRAM
October 15, 2008
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0810.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
The Seven Habits of Highly Ineffective Terrorists
The Two Classes of Airport Contraband
News
The More Things Change, the More They Stay the Same
NSA's Warrantless Eavesdropping Targets Innocent Americans
Schneier/BT News
Taleb on the Limitations of Risk Management
"New Attack" Against Encrypted Images
Nonviolent Activists Are Now Terrorists
Does Risk Management Make Sense?
Comments from Readers
** *** ***** ******* *********** *************
The Seven Habits of Highly Ineffective Terrorists
Most counterterrorism policies fail, not because of tactical problems,
but because of a fundamental misunderstanding of what motivates
terrorists in the first place. If we're ever going to defeat terrorism,
we need to understand what drives people to become terrorists in the
first place.
Conventional wisdom holds that terrorism is inherently political, and
that people become terrorists for political reasons. This is the
"strategic" model of terrorism, and it's basically an economic model. It
posits that people resort to terrorism when they believe -- rightly or
wrongly -- that terrorism is worth it; that is, when they believe the
political gains of terrorism minus the political costs are greater than
if they engaged in some other, more peaceful form of protest. It's
assumed, for example, that people join Hamas to achieve a Palestinian
state; that people join the PKK to attain a Kurdish national homeland;
and that people join al-Qaida to, among other things, get the United
States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that
equation, and that's what most experts advocate. Governments tend to
minimize the political gains of terrorism through a no-concessions
policy; the international community tends to recommend reducing the
political grievances of terrorists via appeasement, in hopes of getting
them to renounce violence. Both advocate policies to provide effective
nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity.
Max Abrahms, a predoctoral fellow at Stanford University's Center for
International Security and Cooperation, has studied dozens of terrorist
groups from all over the world. He argues that the model is wrong. In a
paper published this year in International Security that -- sadly --
doesn't have the title "Seven Habits of Highly Ineffective Terrorists,"
he discusses, well, seven habits of highly ineffective terrorists. These
seven tendencies are seen in terrorist organizations all over the world,
and they directly contradict the theory that terrorists are political
maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy
track record of convincing those civilians to give the terrorists what
they want; (2) treat terrorism as a first resort, not a last resort,
failing to embrace nonviolent alternatives like elections; (3) don't
compromise with their target country, even when those compromises are in
their best interest politically; (4) have protean political platforms,
which regularly, and sometimes radically, change; (5) often engage in
anonymous attacks, which precludes the target countries making political
concessions to them; (6) regularly attack other terrorist groups with
the same political platform; and (7) resist disbanding, even when they
consistently fail to achieve their political objectives or when their
stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to
terrorism for social solidarity. He theorizes that people join terrorist
organizations worldwide in order to be part of a community, much like
the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior
involvement with a group's political agenda, and often join multiple
terrorist groups with incompatible platforms. Individuals who join
terrorist groups are frequently not oppressed in any way, and often
can't describe the political goals of their organizations. People who
join terrorist groups most often have friends or relatives who are
members of the group, and the great majority of terrorists are socially
isolated: unmarried young men or widowed women who weren't working prior
to joining. These things are true for members of terrorist groups as
diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya,
but they didn't have the right paperwork so they attacked America
instead. The mujahedeen had no idea whom they would attack after the
Soviets withdrew from Afghanistan, so they sat around until they came up
with a new enemy: America. Pakistani terrorists regularly defect to
another terrorist group with a totally different political platform.
Many new al-Qaida members say, unconvincingly, that they decided to
become a jihadist after reading an extreme, anti-American blog, or after
converting to Islam, sometimes just a few weeks before. These people
know little about politics or Islam, and they frankly don't even seem to
care much about learning more. The blogs they turn to don't have a lot
of substance in these areas, even though more informative blogs do exist.
All of this explains the seven habits. It's not that they're
ineffective; it's that they have a different goal. They might not be
effective politically, but they are effective socially: They all help
preserve the group's existence and cohesion.
This kind of analysis isn't just theoretical; it has practical
implications for counterterrorism. Not only can we now better understand
who is likely to become a terrorist, we can engage in strategies
specifically designed to weaken the social bonds within terrorist
organizations. Driving a wedge between group members -- commuting prison
sentences in exchange for actionable intelligence, planting more double
agents within terrorist groups -- will go a long way to weakening the
social bonds within those groups.
We also need to pay more attention to the socially marginalized than to
the politically downtrodden, like unassimilated communities in Western
countries. We need to support vibrant, benign communities and
organizations as alternative ways for potential terrorists to get the
social cohesion they need. And finally, we need to minimize collateral
damage in our counterterrorism operations, as well as clamping down on
bigotry and hate crimes, which just creates more dislocation and social
isolation, and the inevitable calls for revenge.
http://maxabrahms.com/pdfs/DC_250-1846.pdf
This essay previously appeared on Wired.com.
http://www.wired.com/print/politics/security/commentary/securitymatters/200…
or http://tinyurl.com/3vf3x5
Interesting rebuttal:
http://www.cambridgeblog.org/2008/10/can-terror-be-understood/
** *** ***** ******* *********** *************
The Two Classes of Airport Contraband
Airport security found a jar of pasta sauce in my luggage last month. It
was a 6-ounce jar, above the limit; the official confiscated it, because
allowing it on the airplane with me would have been too dangerous. And
to demonstrate how dangerous he really thought that jar was, he blithely
tossed it in a nearby bin of similar liquid bottles and sent me on my way.
There are two classes of contraband at airport security checkpoints: the
class that will get you in trouble if you try to bring it on an
airplane, and the class that will cheerily be taken away from you if you
try to bring it on an airplane. This difference is important: Making
security screeners confiscate anything from that second class is a waste
of time. All it does is harm innocents; it doesn't stop terrorists at all.
Let me explain. If you're caught at airport security with a bomb or a
gun, the screeners aren't just going to take it away from you. They're
going to call the police, and you're going to be stuck for a few hours
answering a lot of awkward questions. You may be arrested, and you'll
almost certainly miss your flight. At best, you're going to have a very
unpleasant day.
This is why articles about how screeners don't catch every -- or even a
majority -- of guns and bombs that go through the checkpoints don't
bother me. The screeners don't have to be perfect; they just have to be
good enough. No terrorist is going to base his plot on getting a gun
through airport security if there's a decent chance of getting caught,
because the consequences of getting caught are too great.
Contrast that with a terrorist plot that requires a 12-ounce bottle of
liquid. There's no evidence that the London liquid bombers actually had
a workable plot, but assume for the moment they did. If some copycat
terrorists try to bring their liquid bomb through airport security and
the screeners catch them -- like they caught me with my bottle of pasta
sauce -- the terrorists can simply try again. They can try again and
again. They can keep trying until they succeed. Because there are no
consequences to trying and failing, the screeners have to be 100 percent
effective. Even if they slip up one in a hundred times, the plot can
succeed.
The same is true for knitting needles, pocketknives, scissors,
corkscrews, cigarette lighters and whatever else the airport screeners
are confiscating this week. If there's no consequence to getting caught
with it, then confiscating it only hurts innocent people. At best, it
mildly annoys the terrorists.
To fix this, airport security has to make a choice. If something is
dangerous, treat it as dangerous and treat anyone who tries to bring it
on as potentially dangerous. If it's not dangerous, then stop trying to
keep it off airplanes. Trying to have it both ways just distracts the
screeners from actually making us safer.
http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html
http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tes…
or http://tinyurl.com/4npg9o
http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find…
or http://tinyurl.com/3ephgq
http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_w…
or http://tinyurl.com/r5gu
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/09/s…
or http://tinyurl.com/4m6vvj
** *** ***** ******* *********** *************
News
According to U.S. government documents, fear of terrorism could cause a
psychosomatic epidemic:
http://blog.wired.com/27bstroke6/2008/09/terrorism-fear.html
GPS spoofing:
http://philosecurity.org/2008/09/07/gps-spoofing
http://www.ne.anl.gov/capabilities/vat/spoof.html
NSA -- and others -- snooping on cell phone calls with off-the-shelf
technology:
http://news.cnet.com/8301-13739_3-10030134-46.html
The NSA teams up with the Chinese government to limit Internet anonymity:
http://www.schneier.com/blog/archives/2008/09/the_nsa_teams_u.html
The Pentagon's World of Warcraft Movie-Plot threat:
http://www.schneier.com/blog/archives/2008/09/the_pentagons_w.html
TSA employees are bypassing airport screening.
http://www.9news.com/news/article.aspx?storyid=99941&catid=339
This isn't a big deal. Screeners have to go in and out of security all
the time as they work. Yes, they can smuggle things in and out of the
airport. But you have to remember that the airport screeners are
trusted insiders for the system: there are a zillion ways they could
break airport security. On the other hand, it's probably a smart idea
to screen screeners when they walk through airport security when they
aren't working at that checkpoint at that time. The reason is the same
reason you should screen everyone, including pilots who can crash their
plane: you're not screening screeners (or pilots), you're screening
people wearing screener (or pilot) uniforms and carrying screener (or
pilot) IDs. You can either train your screeners to recognize authentic
uniforms and IDs, or you can just screen everybody. The latter is just
easier. But this isn't a big deal.
I can think of specific instances where the ability to unlock your door
over the Internet can be useful, but in most places it's not a good idea.
http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-int…
or http://tinyurl.com/4rsyve
http://treocentral.com/content/Stories/1999-1.htm
India using brain scans to prove guilt in court.
http://www.nytimes.com/2008/09/15/world/asia/15brainscan.html
The pseudo-science here is even worse than for lie detectors.
http://www.thehindu.com/2008/09/08/stories/2008090854420400.htm
People have been asking me to comment about Sarah Palin's Yahoo e-mail
account being hacked. I've already written about the security problems
with "secret questions" back in 2005:
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
More commentary:
http://www.freedom-to-tinker.com/blog/felten/how-yahoo-could-have-protected…
or http://tinyurl.com/4689km
The $20M camera system at New York's Freedom Tower is pretty sophisticated.
http://cityroom.blogs.nytimes.com/2008/09/24/unblinking-eyes-for-20-million…
or http://tinyurl.com/53e52c
We're developing a pre-crime detector that detects hostile thoughts.
http://www.newscientist.com/blogs/shortsharpscience/2008/09/precrime-detect…
or http://tinyurl.com/53ftps
http://www.foxnews.com/printer_friendly_story/0,3566,426485,00.html
Spykee is your own personal robot spy. It takes pictures and movies
that you can watch on the Internet in real time or save for later. You
can even talk with whoever you're spying on via Skype. Only $300.
http://www.spykeeworld.com/
http://www.robotsrule.com/html/spykee.php
http://www.amazon.com/gp/offer-listing/B000N6470A?tag=counterpane
Security maxims from Roger Johnston. Funny, and all too true.
http://www.ne.anl.gov/capabilities/vat/seals/maxims.html
Send your personalized message to TSA X-ray screeners using metal plates
you can put in your carry-on luggage.
http://blog.makezine.com/archive/2008/09/metal_plates_send_message.html
or http://tinyurl.com/4ro8es
http://www.nytimes.com/idg/IDG_852573C400693880002574D70000A2FB.html
Another bomb scare. Hot dogs this time.
http://www.philly.com/philly/blogs/phillies_zone/Just_Hot_Dogs_Folks.html
or http://tinyurl.com/5xpzsp
http://www.nytimes.com/aponline/us/AP-ODD-Hot-Dog-Scare.html
The Hackers Choice has released a tool allowing people to clone and
modify electronic passports. The problem is self-signed certificates.
A CA is not a great solution, and the link gives a good explanation as
to why. "So what's the solution? We know that humans are good at Border
Control. In the end they protected us well for the last 120 years. We
also know that humans are good at pattern matching and image
recognition. Humans also do an excellent job 'assessing' the person and
not just the passport. Take the human part away and passport security
falls apart."
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.h…
or http://tinyurl.com/4l49v4
http://www.theregister.co.uk/2008/09/30/epassport_hack_description/
Hand grenades are now weapons of mass destruction:
http://www.schneier.com/blog/archives/2008/10/hand_grenades_a.html
MI6 camera -- including secrets -- sold on eBay. The buyer turned the
camera in to the police.
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-high…
or http://tinyurl.com/4n5ov2
http://gizmodo.com/5056749/mi6-camera-with-secret-images-bought-on-ebay-for…
or http://tinyurl.com/4pj5jh
"Scareware" vendors sued -- it's about time.
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_s…
or http://tinyurl.com/3pxho4
This is clever: bank robber hires accomplices on Craigslist.
http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating…
or http://tinyurl.com/3h8wfe
New cross-site request forgery attacks.
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-c…
or http://tinyurl.com/4ubb2f
http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf
"Clickjacking" is a stunningly sexy name, but the vulnerability is
really just a variant of cross-site scripting. We don't know how bad it
really is, because the details are still being withheld. But the name
alone is causing dread. Here's a good Q&A on the vulnerability:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art…
or http://tinyurl.com/3rmfac
http://www.cgisecurity.org/2008/10/interview-jerem.html
http://hackademix.net/2008/09/27/clickjacking-and-noscript/
Turns out you can add anyone's number to -- or remove anyone's number
from -- the Canadian do-not-call list. You can also add (but not remove)
numbers to the U.S. do-not-call list, though only up to three at a time,
and you have to provide a valid e-mail address to confirm the addition.
Here's my idea. If you're a company, add every one of your customers
to the list. That way, none of your competitors will be able to cold
call them.
https://www.lnnte-dncl.gc.ca/
https://www.donotcall.gov/register/reg.aspx
Chinese monitoring Skype messages:
http://arstechnica.com/news.ars/post/20081002-skype-security-flub-leads-to-…
or http://tinyurl.com/4pgn2j
According to a massive report from the National Research Council, data
mining for terrorists doesn't work.
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2…
or http://tinyurl.com/4klgqe
http://arstechnica.com/news.ars/post/20081009-analysis-data-mining-doesnt-w…
or http://tinyurl.com/4azsds
http://www.nap.edu/catalog.php?record_id=12452
Interesting paper by Adam Shostack on threat modeling at Microsoft:
http://blogs.msdn.com/sdl/attachment/8991806.ashx
Elcomsoft is claiming that the WPA protocol is dead, just because they
can speed up brute-force cracking by 100 times using a hardware
accelerator. Why exactly is this news? Yes, weak passwords are weak --
we already know that. And strong WPA passwords are still strong. This
seems like yet another blatant attempt to grab some press attention with
a half-baked cryptanalytic result.
http://www.elcomsoft.com/edpr.html?r1=pr&r2=wpa
http://mobile.slashdot.org/mobile/08/10/12/1724230.shtml
http://www.theregister.co.uk/2008/10/10/graphics_card_wireless_hacking/
http://www.schneier.com/essay-148.html
Clever counterterrorism attack against the IRA: set up a laundromat, and
watch who has bomb residue on their clothes:
http://www.schneier.com/blog/archives/2008/10/clever_countert.html
There's a new chip-and-pin scam in the UK. The card readers were hacked
when they were built, "either during the manufacturing process at a
factory in China, or shortly after they came off the production line."
It's being called a "supply chain hack." Sophisticated stuff, and yet
another demonstration that these all-computer security systems are full
of risks.
http://online.wsj.com/article/SB122366999999723871.html
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chi…
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card…
BTW, what's it worth to rig an election?
http://www.schneier.com/essay-046.html
BART, the San Francisco subway authority, has been debating allowing
passengers to bring drinks on trains. There are all sorts of good
reasons why or why not -- convenience, problems with spills, and so on
-- but one reason that makes no sense is that terrorists may bring
flammable liquids on board. Yet that is exactly what BART managers
said. No big news -- we've seen stupid things like this regularly since
9/11 -- but this time people responded: "Added Director Tom Radulovich,
'If somebody wants to break the law and bring flammable liquids on, they
can. It's not like al Qaeda is waiting in their caves for us to have a
sippy-cup rule.' Directing his comments to BART administrators, he
said, 'You know, it's just fearmongering and you should be ashamed.'"
Terrorist fear mongering seems to be working less well.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/10/10/BAB813EELU.DTL
** *** ***** ******* *********** *************
The More Things Change, the More They Stay the Same
Guess the year: "Murderous organizations have increased in size and
scope; they are more daring, they are served by the most terrible
weapons offered by modern science, and the world is nowadays threatened
by new forces which, if recklessly unchained, may some day wreck
universal destruction. The Orsini bombs were mere children's toys
compared with the later developments of infernal machines. Between 1858
and 1898 the dastardly science of destruction had made rapid and
alarming strides..."
No, that wasn't a typo. "Between 1858 and 1898...." This quote is from
Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898,
II, p. 469. It's quoted in: Walter Laqueur, "A History of Terrorism,"
New Brunswick/London, Transaction Publishers, 2002.
http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A…
or http://tinyurl.com/3wn2ct
http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd…
or http://tinyurl.com/46s7ny
** *** ***** ******* *********** *************
NSA's Warrantless Eavesdropping Targets Innocent Americans
Remember when the U.S. government said it was only spying on terrorists?
Anyone with any common sense knew it was lying -- power without
oversight is always abused -- but even I didn't think it was this bad:
"Faulk says he and others in his section of the NSA facility at Fort
Gordon routinely shared salacious or tantalizing phone calls that had
been intercepted, alerting office mates to certain time codes of 'cuts'
that were available on each operator's computer.
"'Hey, check this out,' Faulk says he would be told, 'there's good phone
sex or there's some pillow talk, pull up this call, it's really funny,
go check it out. It would be some colonel making pillow talk and we
would say, "Wow, this was crazy",' Faulk told ABC News."
Warrants are a security device. They protect us against government
abuse of power.
http://www.nytimes.com/2008/10/10/washington/10nsa.html
http://abcnews.go.com/Blotter/story?id=5987804&page=1
http://www.upi.com/Top_News/2008/10/10/Spy_agency_accused_of_improper_liste…
http://www.reuters.com/article/domesticNews/idUSTRE4990CD20081010
** *** ***** ******* *********** *************
Schneier/BT News
Schneier is speaking at the 30th International Conference of Data
Protection and Privacy Commissioners on 15 October in Strasbourg, France.
http://www.privacyconference2008.org/
Schneier is speaking at the European Security and Information System
Congress on 17 October in Monaco.
http://cms.event-catalyst.com/assises/home.aspx
Schneier is speaking at RSA Europe on 28 October in London.
http://www.rsaconference.com/2008/Europe/Home.aspx
Schneier is speaking at the 22nd Large Installation System
Administration Conference on 13 November in San Diego, CA.
http://usenix.org/events/lisa08/
Schneier was interviewed by Telecom Asia:
http://www.telecomasia.net/article.php?id_article=10230
Schneier was interviewed by the Irish Times:
http://www.irishtimes.com/newspaper/finance/2008/1003/1222959300589.html
or http://tinyurl.com/4ccjmw
Schneier was interviewed by Dr. Dobb's Journal:
http://www.ddj.com/security/210605067
My essay on chemical plants and security for the Guardian. Nothing I
haven't said before.
http://www.schneier.com/essay-243.html
** *** ***** ******* *********** *************
Taleb on the Limitations of Risk Management
Nice paragraph on the limitations of risk management in this
occasionally interesting interview with Nicholas Taleb:
"Because then you get a Maginot Line problem. [After World War I, the
French erected concrete fortifications to prevent Germany from invading
again -- a response to the previous war, which proved ineffective for
the next one.] You know, they make sure they solve that particular
problem, the Germans will not invade from here. The thing you have to be
aware of most obviously is scenario planning, because typically if you
talk about scenarios, you'll overestimate the probability of these
scenarios. If you examine them at the expense of those you don't
examine, sometimes it has left a lot of people worse off, so scenario
planning can be bad. I'll just take my track record. Those who did
scenario planning have not fared better than those who did not do
scenario planning. A lot of people have done some kind of "make-sense"
type measures, and that has made them more vulnerable because they give
the illusion of having done your job. This is the problem with risk
management. I always come back to a classical question. Don't give a
fool the illusion of risk management. Don't ask someone to guess the
number of dentists in Manhattan after asking him the last four digits of
his Social Security number. The numbers will always be correlated. I
actually did some work on risk management, to show how stupid we are
when it comes to risk."
http://www.portfolio.com/views/columns/the-world-according-to/2008/08/14/In…
or http://tinyurl.com/5eazpu
** *** ***** ******* *********** *************
"New Attack" Against Encrypted Images
In a blatant attempt to get some PR, a researcher at PMC Ciphers has
figured out that encrypting data with ECB mode results in ciphertext
patterns.
Yeah, we already knew that.
And -1 point for a security company requiring the use of JavaScript, and
not failing gracefully for a browser that doesn't have it enabled. And
-- ahem -- what is it with that photograph in the paper? Couldn't the
researchers have found something a little less adolescent?
For the record, I doghoused PMC Ciphers back in 2003: "PMC Ciphers. The
theory description is so filled with pseudo-cryptography that it's funny
to read. Hypotheses are presented as conclusions. Current research is
misstated or ignored. The first link is a technical paper with four
references, three of them written before 1975. Who needs thirty years of
cryptographic research when you have polymorphic cipher theory?"
I didn't realize it at the time, but PMC Ciphers responded to my
doghousing them. Funny stuff.
http://www.techworld.com/security/news/index.cfm?newsid=105263
http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepaper…
or http://tinyurl.com/3fe64r
Doghouse and response:
http://www.schneier.com/crypto-gram-0303.html#4
http://www.ciphers.de/eng/content/Backround-Info/Bruce-Schneiers-comments.h…
or http://tinyurl.com/52ymfo
When I posted this on my blog, three new commenters using dialups at the
same German ISP showed up to defend the paper. What are the odds?
http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html
** *** ***** ******* *********** *************
Nonviolent Activists Are Now Terrorists
This is an abomination: "The Maryland State Police classified 53
nonviolent activists as terrorists and entered their names and personal
information into state and federal databases that track terrorism
suspects, the state police chief acknowledged yesterday."
Why did they do that? "Both Hutchins and Sheridan said the activists'
names were entered into the state police database as terrorists partly
because the software offered limited options for classifying entries."
I know that once we had this "either you're with us or with the
terrorists" mentality, but don't you think that -- just maybe -- the
software should allow for a little bit more nuance?
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/07/AR200810070…
or http://tinyurl.com/3znjv7
** *** ***** ******* *********** *************
Does Risk Management Make Sense?
We engage in risk management all the time, but it only makes sense if we
do it right.
"Risk management" is just a fancy term for the cost-benefit tradeoff
associated with any security decision. It's what we do when we react to
fear, or try to make ourselves feel secure. It's the fight-or-flight
reflex that evolved in primitive fish and remains in all vertebrates.
It's instinctual, intuitive and fundamental to life, and one of the
brain's primary functions.
Some have hypothesized that humans have a "risk thermostat" that tries
to maintain some optimal risk level. It explains why we drive our
motorcycles faster when we wear a helmet, or are more likely to take up
smoking during wartime. It's our natural risk management in action.
The problem is our brains are intuitively suited to the sorts of risk
management decisions endemic to living in small family groups in the
East African highlands in 100,000 BC, and not to living in the New York
City of 2008. We make systematic risk management mistakes --
miscalculating the probability of rare events, reacting more to stories
than data, responding to the feeling of security rather than reality,
and making decisions based on irrelevant context. And that risk
thermostat of ours? It's not nearly as finely tuned as we might like it
to be.
Like a rabbit that responds to an oncoming car with its default predator
avoidance behavior -- dart left, dart right, dart left, and at the last
moment jump -- instead of just getting out of the way, our Stone Age
intuition doesn't serve us well in a modern technological society. So
when we in the security industry use the term "risk management," we
don't want you to do it by trusting your gut. We want you to do risk
management consciously and intelligently, to analyze the tradeoff and
make the best decision.
This means balancing the costs and benefits of any security decision --
buying and installing a new technology, implementing a new procedure or
forgoing a common precaution. It means allocating a security budget to
mitigate different risks by different amounts. It means buying insurance
to transfer some risks to others. It's what businesses do, all the time,
about everything. IT security has its own risk management decisions,
based on the threats and the technologies.
There's never just one risk, of course, and bad risk management
decisions often carry an underlying tradeoff. Terrorism policy in the
U.S. is based more on politics than actual security risk, but the
politicians who make these decisions are concerned about the risks of
not being re-elected.
Many corporate security decisions are made to mitigate the risk of
lawsuits rather than address the risk of any actual security breach. And
individuals make risk management decisions that consider not only the
risks to the corporation, but the risks to their departments' budgets,
and to their careers.
You can't completely remove emotion from risk management decisions, but
the best way to keep risk management focused on the data is to formalize
the methodology. That's what companies that manage risk for a living --
insurance companies, financial trading firms and arbitrageurs -- try to
do. They try to replace intuition with models, and hunches with
mathematics.
The problem in the security world is we often lack the data to do risk
management well. Technological risks are complicated and subtle. We
don't know how well our network security will keep the bad guys out, and
we don't know the cost to the company if we don't keep them out. And the
risks change all the time, making the calculations even harder. But this
doesn't mean we shouldn't try.
You can't avoid risk management; it's fundamental to business just as to
life. The question is whether you're going to try to use data or whether
you're going to just react based on emotions, hunches and anecdotes.
This essay appeared as the first half of a point-counterpoint with
Marcus Ranum in Information Security magazine.
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci133…
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is the Chief Security Technology Officer of BT (BT acquired
Counterpane in 2006), and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2008 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Paycash, a digital cash payment system, has released production version 1.xx. It
can be downloaded from the English section of www.paycash.ru. The current pilot
version has about 10,000 users, which is about 1-2% of active Russian internet
users. Given the current growth rate, it is expected that in the next 6
months this number will increase five times. At the moment the system has
operating representative companies in Russia, Latvia, Ukraine and the USA.
For help on using this list (especially unsubscribing), send a message to
"dcsb-request(a)reservoir.com" with one line of text: "help".
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
I've gotten a bunch of queries about WASTE, generally with a focus on user
problems like how to get a connection or FAQ issues like how to build on
OS X. To help people to help each other, as well as to foster discussion
of technical issues related to WASTE, I have created a mailing list and
web home at http://groups.yahoo.com/group/waste-discuss/.
- Lucas
--- end forwarded text
Sen.: White House Agrees to Spy Law Change
By KATHERINE SHRADER, Associated Press Writer
1 hour, 35 minutes ago
Senate Intelligence Chairman Pat Roberts said he has worked out an agreement
with the White House to change U.S. law regarding the National Security
Agency's warrantless surveillance program and provide more information about
it to Congress.
"We are trying to get some movement, and we have a clear indication of that
movement," Roberts, R-Kan., said.
Without offering specifics, Roberts said the agreement with the White House
provides "a fix" to the Foreign Intelligence Surveillance Act and offers more
briefings to the Senate Intelligence Committee.
The deal comes as the committee was set to have a meeting Thursday about
whether to open an investigation into the hotly disputed program. Roberts
indicated the deal may eliminate the need for such an inquiry. Democrats have
been demanding an investigation but some Republicans don't want to tangle the
panel in a testy election-year probe.
"Whether or not an investigation is the right thing to do at this particular
time, I am not sure," Roberts told reporters while heading into the meeting.
The White House was not immediately available for comment on Roberts'
statement.
Earlier in the day, White House spokesman Scott McClellan hinted at a "good
discussion going on" with lawmakers and praised in particular "some good
ideas" presented by Sen. Mike DeWine (news, bio, voting record). The Ohio
Republican has suggested the FISA law be changed to accommodate the NSA
program.
However, McClellan left the impression that any deal would not allow for
significant changes. He said the White House continued to maintain that Bush
does not need Congress' approval to authorize the warrantless eavesdropping
and that the president would resist any legislation that might compromise the
program.
"There's kind of a high bar to overcome," McClellan said. "We think there's
some good ideas, but we have not seen actual legislation."
Separately, the Justice Department has strongly discouraged the Senate
Judiciary Committee from calling former Attorney General John Ashcroft and his
deputy to testify about the surveillance program, saying they won't have new
information for Congress about it.
Just as Attorney General Alberto Gonzales could not talk about the
administration's internal deliberations when he appeared before the committee
earlier this month, neither can Ashcroft nor his former No. 2, James Comey,
Assistant Attorney General William Moschella said in a letter to Senate
Judiciary Committee Chairman Arlen Specter, R-Pa.
The letter, written Wednesday, was obtained by The Associated Press.
"In light of their inability to discuss such confidential information, along
with the fact that the attorney general has already provided the executive
branch position on the legal authority for the program, we do not believe that
Messrs. Ashcroft and Comey would be in a position to provide any new
information to the committee," Moschella wrote. He was responding to Specter's
request that the two men testify this month.
While Moschella indicated their testimony wouldn't be of value, he did not say
the committee could not call Ashcroft and Comey to appear.
The Judiciary Committee has been looking into the legality of the National
Security Agency's program. In a heated daylong hearing on Feb. 6, four
Republicans joined the committee's Democrats in raising questions about
whether President Bush went too far in authorizing the wiretapping without
court warrants.
Specter wants the secretive Foreign Intelligence Surveillance Court to review
the program's constitutionality.
Reports have indicated that Comey and others had reservations about the
program in 2004. White House Chief of Staff Andy Card and Gonzales, then the
White House counsel, visited Ashcroft about those issues while Ashcroft was in
the hospital for gallstone pancreatitis.
___
Associated Press Writer Mark Sherman contributed to this report.
http://news.yahoo.com/s/ap/20060216/ap_on_go_co/eavesdropping_4&printer=1;_…
t=A86.I2Ct.vRD4L0AqQWMwfIE;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE-
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
----- End forwarded message -----
CRYPTO-GRAM
October 15, 2008
by Bruce Schneier
Chief Security Technology Officer, BT
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0810.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
The Seven Habits of Highly Ineffective Terrorists
The Two Classes of Airport Contraband
News
The More Things Change, the More They Stay the Same
NSA's Warrantless Eavesdropping Targets Innocent Americans
Schneier/BT News
Taleb on the Limitations of Risk Management
"New Attack" Against Encrypted Images
Nonviolent Activists Are Now Terrorists
Does Risk Management Make Sense?
Comments from Readers
** *** ***** ******* *********** *************
The Seven Habits of Highly Ineffective Terrorists
Most counterterrorism policies fail, not because of tactical problems,
but because of a fundamental misunderstanding of what motivates
terrorists in the first place. If we're ever going to defeat terrorism,
we need to understand what drives people to become terrorists in the
first place.
Conventional wisdom holds that terrorism is inherently political, and
that people become terrorists for political reasons. This is the
"strategic" model of terrorism, and it's basically an economic model. It
posits that people resort to terrorism when they believe -- rightly or
wrongly -- that terrorism is worth it; that is, when they believe the
political gains of terrorism minus the political costs are greater than
if they engaged in some other, more peaceful form of protest. It's
assumed, for example, that people join Hamas to achieve a Palestinian
state; that people join the PKK to attain a Kurdish national homeland;
and that people join al-Qaida to, among other things, get the United
States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that
equation, and that's what most experts advocate. Governments tend to
minimize the political gains of terrorism through a no-concessions
policy; the international community tends to recommend reducing the
political grievances of terrorists via appeasement, in hopes of getting
them to renounce violence. Both advocate policies to provide effective
nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity.
Max Abrahms, a predoctoral fellow at Stanford University's Center for
International Security and Cooperation, has studied dozens of terrorist
groups from all over the world. He argues that the model is wrong. In a
paper published this year in International Security that -- sadly --
doesn't have the title "Seven Habits of Highly Ineffective Terrorists,"
he discusses, well, seven habits of highly ineffective terrorists. These
seven tendencies are seen in terrorist organizations all over the world,
and they directly contradict the theory that terrorists are political
maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy
track record of convincing those civilians to give the terrorists what
they want; (2) treat terrorism as a first resort, not a last resort,
failing to embrace nonviolent alternatives like elections; (3) don't
compromise with their target country, even when those compromises are in
their best interest politically; (4) have protean political platforms,
which regularly, and sometimes radically, change; (5) often engage in
anonymous attacks, which precludes the target countries making political
concessions to them; (6) regularly attack other terrorist groups with
the same political platform; and (7) resist disbanding, even when they
consistently fail to achieve their political objectives or when their
stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to
terrorism for social solidarity. He theorizes that people join terrorist
organizations worldwide in order to be part of a community, much like
the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior
involvement with a group's political agenda, and often join multiple
terrorist groups with incompatible platforms. Individuals who join
terrorist groups are frequently not oppressed in any way, and often
can't describe the political goals of their organizations. People who
join terrorist groups most often have friends or relatives who are
members of the group, and the great majority of terrorists are socially
isolated: unmarried young men or widowed women who weren't working prior
to joining. These things are true for members of terrorist groups as
diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya,
but they didn't have the right paperwork so they attacked America
instead. The mujahedeen had no idea whom they would attack after the
Soviets withdrew from Afghanistan, so they sat around until they came up
with a new enemy: America. Pakistani terrorists regularly defect to
another terrorist group with a totally different political platform.
Many new al-Qaida members say, unconvincingly, that they decided to
become a jihadist after reading an extreme, anti-American blog, or after
converting to Islam, sometimes just a few weeks before. These people
know little about politics or Islam, and they frankly don't even seem to
care much about learning more. The blogs they turn to don't have a lot
of substance in these areas, even though more informative blogs do exist.
All of this explains the seven habits. It's not that they're
ineffective; it's that they have a different goal. They might not be
effective politically, but they are effective socially: They all help
preserve the group's existence and cohesion.
This kind of analysis isn't just theoretical; it has practical
implications for counterterrorism. Not only can we now better understand
who is likely to become a terrorist, we can engage in strategies
specifically designed to weaken the social bonds within terrorist
organizations. Driving a wedge between group members -- commuting prison
sentences in exchange for actionable intelligence, planting more double
agents within terrorist groups -- will go a long way to weakening the
social bonds within those groups.
We also need to pay more attention to the socially marginalized than to
the politically downtrodden, like unassimilated communities in Western
countries. We need to support vibrant, benign communities and
organizations as alternative ways for potential terrorists to get the
social cohesion they need. And finally, we need to minimize collateral
damage in our counterterrorism operations, as well as clamping down on
bigotry and hate crimes, which just creates more dislocation and social
isolation, and the inevitable calls for revenge.
http://maxabrahms.com/pdfs/DC_250-1846.pdf
This essay previously appeared on Wired.com.
http://www.wired.com/print/politics/security/commentary/securitymatters/200…
or http://tinyurl.com/3vf3x5
Interesting rebuttal:
http://www.cambridgeblog.org/2008/10/can-terror-be-understood/
** *** ***** ******* *********** *************
The Two Classes of Airport Contraband
Airport security found a jar of pasta sauce in my luggage last month. It
was a 6-ounce jar, above the limit; the official confiscated it, because
allowing it on the airplane with me would have been too dangerous. And
to demonstrate how dangerous he really thought that jar was, he blithely
tossed it in a nearby bin of similar liquid bottles and sent me on my way.
There are two classes of contraband at airport security checkpoints: the
class that will get you in trouble if you try to bring it on an
airplane, and the class that will cheerily be taken away from you if you
try to bring it on an airplane. This difference is important: Making
security screeners confiscate anything from that second class is a waste
of time. All it does is harm innocents; it doesn't stop terrorists at all.
Let me explain. If you're caught at airport security with a bomb or a
gun, the screeners aren't just going to take it away from you. They're
going to call the police, and you're going to be stuck for a few hours
answering a lot of awkward questions. You may be arrested, and you'll
almost certainly miss your flight. At best, you're going to have a very
unpleasant day.
This is why articles about how screeners don't catch every -- or even a
majority -- of guns and bombs that go through the checkpoints don't
bother me. The screeners don't have to be perfect; they just have to be
good enough. No terrorist is going to base his plot on getting a gun
through airport security if there's a decent chance of getting caught,
because the consequences of getting caught are too great.
Contrast that with a terrorist plot that requires a 12-ounce bottle of
liquid. There's no evidence that the London liquid bombers actually had
a workable plot, but assume for the moment they did. If some copycat
terrorists try to bring their liquid bomb through airport security and
the screeners catch them -- like they caught me with my bottle of pasta
sauce -- the terrorists can simply try again. They can try again and
again. They can keep trying until they succeed. Because there are no
consequences to trying and failing, the screeners have to be 100 percent
effective. Even if they slip up one in a hundred times, the plot can
succeed.
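The retry argument above, as a small model added here (it is not part of Schneier's essay); the detection rates and attempt counts are constructed for illustration:

```python
"""Retry-until-success model for checkpoint screening (added illustration).

The essay's point: when getting caught carries no consequence, an attacker
can simply try again after every failed attempt, so the screeners'
per-attempt detection rate has to be almost perfect. When getting caught
does carry consequences, the attacker gets one attempt. All numbers below
are constructed for illustration, not taken from the original text.
"""


def p_success_single_attempt(detection_rate: float) -> float:
    """Item is treated as dangerous: one attempt, then the attacker is out.

    The plot succeeds only if that single attempt slips through.
    """
    return 1.0 - detection_rate


def p_success_with_retries(detection_rate: float, attempts: int) -> float:
    """Item is merely confiscated: the attacker may try up to `attempts` times.

    The plot fails only if every attempt is caught, so
    P(success) = 1 - detection_rate ** attempts.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    return 1.0 - detection_rate ** attempts


def required_detection_rate(max_success_prob: float, attempts: int) -> float:
    """Per-attempt detection rate needed to hold P(success) at or below a
    target when the attacker may retry `attempts` times.

    Solving 1 - d**n <= p for d gives d >= (1 - p) ** (1 / n).
    """
    if not 0.0 < max_success_prob < 1.0:
        raise ValueError("max_success_prob must be in (0, 1)")
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    return (1.0 - max_success_prob) ** (1.0 / attempts)


def compare(detection_rate: float, attempts: int) -> dict:
    """Side-by-side success probabilities for the two contraband classes."""
    return {
        "detection_rate": detection_rate,
        "attempts": attempts,
        "treated_as_dangerous": p_success_single_attempt(detection_rate),
        "merely_confiscated": p_success_with_retries(detection_rate, attempts),
    }


if __name__ == "__main__":
    # Constructed scenario: screeners miss roughly one item in a hundred,
    # and a copycat is willing to make up to 100 attempts.
    for d in (0.90, 0.99, 0.999):
        r = compare(d, 100)
        print(f"d={d:.3f}: one shot -> {r['treated_as_dangerous']:.4f}, "
              f"100 retries -> {r['merely_confiscated']:.4f}")
    # Detection rate needed to keep a retrying attacker below 1% over 100 tries.
    print(f"needed per-attempt detection: {required_detection_rate(0.01, 100):.5f}")
```

With a 99 percent per-attempt catch rate, a single-shot attacker succeeds 1 percent of the time, while one who can retry 100 times succeeds about 63 percent of the time.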
The same is true for knitting needles, pocketknives, scissors,
corkscrews, cigarette lighters and whatever else the airport screeners
are confiscating this week. If there's no consequence to getting caught
with it, then confiscating it only hurts innocent people. At best, it
mildly annoys the terrorists.
To fix this, airport security has to make a choice. If something is
dangerous, treat it as dangerous and treat anyone who tries to bring it
on as potentially dangerous. If it's not dangerous, then stop trying to
keep it off airplanes. Trying to have it both ways just distracts the
screeners from actually making us safer.
http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html
http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tes…
or http://tinyurl.com/4npg9o
http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find…
or http://tinyurl.com/3ephgq
http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_w…
or http://tinyurl.com/r5gu
This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/09/s…
or http://tinyurl.com/4m6vvj
** *** ***** ******* *********** *************
News
According to U.S. government documents, fear of terrorism could cause a
psychosomatic epidemic:
http://blog.wired.com/27bstroke6/2008/09/terrorism-fear.html
GPS spoofing:
http://philosecurity.org/2008/09/07/gps-spoofing
http://www.ne.anl.gov/capabilities/vat/spoof.html
NSA -- and others -- snooping on cell phone calls with off-the-shelf
technology:
http://news.cnet.com/8301-13739_3-10030134-46.html
The NSA teams up with the Chinese government to limit Internet anonymity:
http://www.schneier.com/blog/archives/2008/09/the_nsa_teams_u.html
The Pentagon's World of Warcraft Movie-Plot threat:
http://www.schneier.com/blog/archives/2008/09/the_pentagons_w.html
TSA employees are bypassing airport screening.
http://www.9news.com/news/article.aspx?storyid=99941&catid=339
This isn't a big deal. Screeners have to go in and out of security all
the time as they work. Yes, they can smuggle things in and out of the
airport. But you have to remember that the airport screeners are
trusted insiders for the system: there are a zillion ways they could
break airport security. On the other hand, it's probably a smart idea
to screen screeners when they walk through airport security when they
aren't working at that checkpoint at that time. The reason is the same
reason you should screen everyone, including pilots who can crash their
plane: you're not screening screeners (or pilots), you're screening
people wearing screener (or pilot) uniforms and carrying screener (or
pilot) IDs. You can either train your screeners to recognize authentic
uniforms and IDs, or you can just screen everybody. The latter is just
easier. But this isn't a big deal.
I can think of specific instances where the ability to unlock your door
over the Internet can be useful, but in most places it's not a good idea.
http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-int…
or http://tinyurl.com/4rsyve
http://treocentral.com/content/Stories/1999-1.htm
India using brain scans to prove guilt in court.
http://www.nytimes.com/2008/09/15/world/asia/15brainscan.html
The pseudo-science here is even worse than for lie detectors.
http://www.thehindu.com/2008/09/08/stories/2008090854420400.htm
People have been asking me to comment about Sarah Palin's Yahoo e-mail
account being hacked. I've already written about the security problems
with "secret questions" back in 2005:
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
More commentary:
http://www.freedom-to-tinker.com/blog/felten/how-yahoo-could-have-protected…
or http://tinyurl.com/4689km
The $20M camera system at New York's Freedom Tower is pretty sophisticated.
http://cityroom.blogs.nytimes.com/2008/09/24/unblinking-eyes-for-20-million…
or http://tinyurl.com/53e52c
We're developing a pre-crime detector that detects hostile thoughts.
http://www.newscientist.com/blogs/shortsharpscience/2008/09/precrime-detect…
or http://tinyurl.com/53ftps
http://www.foxnews.com/printer_friendly_story/0,3566,426485,00.html
Spykee is your own personal robot spy. It takes pictures and movies
that you can watch on the Internet in real time or save for later. You
can even talk with whoever you're spying on via Skype. Only $300.
http://www.spykeeworld.com/
http://www.robotsrule.com/html/spykee.php
http://www.amazon.com/gp/offer-listing/B000N6470A?tag=counterpane
Security maxims from Roger Johnston. Funny, and all too true.
http://www.ne.anl.gov/capabilities/vat/seals/maxims.html
Send your personalized message to TSA X-ray screeners using metal plates
you can put in your carry-on luggage.
http://blog.makezine.com/archive/2008/09/metal_plates_send_message.html
or http://tinyurl.com/4ro8es
http://www.nytimes.com/idg/IDG_852573C400693880002574D70000A2FB.html
Another bomb scare. Hot dogs this time.
http://www.philly.com/philly/blogs/phillies_zone/Just_Hot_Dogs_Folks.html
or http://tinyurl.com/5xpzsp
http://www.nytimes.com/aponline/us/AP-ODD-Hot-Dog-Scare.html
The Hackers Choice has released a tool allowing people to clone and
modify electronic passports. The problem is self-signed certificates.
A CA is not a great solution, and the link gives a good explanation as
to why. "So what's the solution? We know that humans are good at Border
Control. In the end they protected us well for the last 120 years. We
also know that humans are good at pattern matching and image
recognition. Humans also do an excellent job 'assessing' the person and
not just the passport. Take the human part away and passport security
falls apart."
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.h…
or http://tinyurl.com/4l49v4
http://www.theregister.co.uk/2008/09/30/epassport_hack_description/
Hand grenades are now weapons of mass destruction:
http://www.schneier.com/blog/archives/2008/10/hand_grenades_a.html
MI6 camera -- including secrets -- sold on eBay. The buyer turned the
camera in to the police.
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-high…
or http://tinyurl.com/4n5ov2
http://gizmodo.com/5056749/mi6-camera-with-secret-images-bought-on-ebay-for…
or http://tinyurl.com/4pj5jh
"Scareware" vendors sued -- it's about time.
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_s…
or http://tinyurl.com/3pxho4
This is clever: bank robber hires accomplices on Craigslist.
http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating…
or http://tinyurl.com/3h8wfe
New cross-site request forgery attacks.
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-c…
or http://tinyurl.com/4ubb2f
http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf
"Clickjacking" is a stunningly sexy name, but the vulnerability is
really just a variant of cross-site scripting. We don't know how bad it
really is, because the details are still being withheld. But the name
alone is causing dread. Here's a good Q&A on the vulnerability:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art…
or http://tinyurl.com/3rmfac
http://www.cgisecurity.org/2008/10/interview-jerem.html
http://hackademix.net/2008/09/27/clickjacking-and-noscript/
Turns out you can add anyone's number to -- or remove anyone's number
from -- the Canadian do-not-call list. You can also add (but not remove)
numbers to the U.S. do-not-call list, though only up to three at a time,
and you have to provide a valid e-mail address to confirm the addition.
Here's my idea. If you're a company, add every one of your customers
to the list. That way, none of your competitors will be able to cold
call them.
https://www.lnnte-dncl.gc.ca/
https://www.donotcall.gov/register/reg.aspx
Chinese monitoring Skype messages:
http://arstechnica.com/news.ars/post/20081002-skype-security-flub-leads-to-…
or http://tinyurl.com/4pgn2j
According to a massive report from the National Research Council, data
mining for terrorists doesn't work.
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2…
or http://tinyurl.com/4klgqe
http://arstechnica.com/news.ars/post/20081009-analysis-data-mining-doesnt-w…
or http://tinyurl.com/4azsds
http://www.nap.edu/catalog.php?record_id=12452
Interesting paper by Adam Shostack on threat modeling at Microsoft:
http://blogs.msdn.com/sdl/attachment/8991806.ashx
Elcomsoft is claiming that the WPA protocol is dead, just because they
can speed up brute-force cracking by 100 times using a hardware
accelerator. Why exactly is this news? Yes, weak passwords are weak --
we already know that. And strong WPA passwords are still strong. This
seems like yet another blatant attempt to grab some press attention with
a half-baked cryptanalytic result.
http://www.elcomsoft.com/edpr.html?r1=pr&r2=wpa
http://mobile.slashdot.org/mobile/08/10/12/1724230.shtml
http://www.theregister.co.uk/2008/10/10/graphics_card_wireless_hacking/
http://www.schneier.com/essay-148.html
Clever counterterrorism attack against the IRA: set up a laundromat, and
watch who has bomb residue on their clothes:
http://www.schneier.com/blog/archives/2008/10/clever_countert.html
There's a new chip-and-pin scam in the UK. The card readers were hacked
when they were built, "either during the manufacturing process at a
factory in China, or shortly after they came off the production line."
It's being called a "supply chain hack." Sophisticated stuff, and yet
another demonstration that these all-computer security systems are full
of risks.
http://online.wsj.com/article/SB122366999999723871.html
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chi…
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card…
BTW, what's it worth to rig an election?
http://www.schneier.com/essay-046.html
BART, the San Francisco subway authority, has been debating allowing
passengers to bring drinks on trains. There are all sorts of good
reasons why or why not -- convenience, problems with spills, and so on
-- but one reason that makes no sense is that terrorists may bring
flammable liquids on board. Yet that is exactly what BART managers
said. No big news -- we've seen stupid things like this regularly since
9/11 -- but this time people responded: "Added Director Tom Radulovich,
'If somebody wants to break the law and bring flammable liquids on, they
can. It's not like al Qaeda is waiting in their caves for us to have a
sippy-cup rule.' Directing his comments to BART administrators, he
said, 'You know, it's just fearmongering and you should be ashamed.'"
Terrorist fear mongering seems to be working less well.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/10/10/BAB813EELU.DTL
** *** ***** ******* *********** *************
The More Things Change, the More They Stay the Same
Guess the year: "Murderous organizations have increased in size and
scope; they are more daring, they are served by the most terrible
weapons offered by modern science, and the world is nowadays threatened
by new forces which, if recklessly unchained, may some day wreck
universal destruction. The Orsini bombs were mere children's toys
compared with the later developments of infernal machines. Between 1858
and 1898 the dastardly science of destruction had made rapid and
alarming strides..."
No, that wasn't a typo. "Between 1858 and 1898...." This quote is from
Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898,
II, p. 469. It's quoted in: Walter Laqueur, "A History of Terrorism,"
New Brunswick/London, Transaction Publishers, 2002.
http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A…
or http://tinyurl.com/3wn2ct
http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd…
or http://tinyurl.com/46s7ny
** *** ***** ******* *********** *************
NSA's Warrantless Eavesdropping Targets Innocent Americans
Remember when the U.S. government said it was only spying on terrorists?
Anyone with any common sense knew it was lying -- power without
oversight is always abused -- but even I didn't think it was this bad:
"Faulk says he and others in his section of the NSA facility at Fort
Gordon routinely shared salacious or tantalizing phone calls that had
been intercepted, alerting office mates to certain time codes of 'cuts'
that were available on each operator's computer.
"'Hey, check this out,' Faulk says he would be told, 'there's good phone
sex or there's some pillow talk, pull up this call, it's really funny,
go check it out. It would be some colonel making pillow talk and we
would say, "Wow, this was crazy",' Faulk told ABC News."
Warrants are a security device. They protect us against government
abuse of power.
http://www.nytimes.com/2008/10/10/washington/10nsa.html
http://abcnews.go.com/Blotter/story?id=5987804&page=1
http://www.upi.com/Top_News/2008/10/10/Spy_agency_accused_of_improper_liste…
http://www.reuters.com/article/domesticNews/idUSTRE4990CD20081010
** *** ***** ******* *********** *************
Schneier/BT News
Schneier is speaking at the 30th International Conference of Data
Protection and Privacy Commissioners on 15 October in Strasbourg, France.
http://www.privacyconference2008.org/
Schneier is speaking at the European Security and Information System
Congress on 17 October in Monaco.
http://cms.event-catalyst.com/assises/home.aspx
Schneier is speaking at RSA Europe on 28 October in London.
http://www.rsaconference.com/2008/Europe/Home.aspx
Schneier is speaking at the 22nd Large Installation System
Administration Conference on 13 November in San Diego, CA.
http://usenix.org/events/lisa08/
Schneier was interviewed by Telecom Asia:
http://www.telecomasia.net/article.php?id_article=10230
Schneier was interviewed by the Irish Times:
http://www.irishtimes.com/newspaper/finance/2008/1003/1222959300589.html
or http://tinyurl.com/4ccjmw
Schneier was interviewed by Dr. Dobb's Journal:
http://www.ddj.com/security/210605067
My essay on chemical plants and security for the Guardian. Nothing I
haven't said before.
http://www.schneier.com/essay-243.html
** *** ***** ******* *********** *************
Taleb on the Limitations of Risk Management
Nice paragraph on the limitations of risk management in this
occasionally interesting interview with Nicholas Taleb:
"Because then you get a Maginot Line problem. [After World War I, the
French erected concrete fortifications to prevent Germany from invading
again -- a response to the previous war, which proved ineffective for
the next one.] You know, they make sure they solve that particular
problem, the Germans will not invade from here. The thing you have to be
aware of most obviously is scenario planning, because typically if you
talk about scenarios, you'll overestimate the probability of these
scenarios. If you examine them at the expense of those you don't
examine, sometimes it has left a lot of people worse off, so scenario
planning can be bad. I'll just take my track record. Those who did
scenario planning have not fared better than those who did not do
scenario planning. A lot of people have done some kind of "make-sense"
type measures, and that has made them more vulnerable because they give
the illusion of having done your job. This is the problem with risk
management. I always come back to a classical question. Don't give a
fool the illusion of risk management. Don't ask someone to guess the
number of dentists in Manhattan after asking him the last four digits of
his Social Security number. The numbers will always be correlated. I
actually did some work on risk management, to show how stupid we are
when it comes to risk."
http://www.portfolio.com/views/columns/the-world-according-to/2008/08/14/In…
or http://tinyurl.com/5eazpu
** *** ***** ******* *********** *************
"New Attack" Against Encrypted Images
In a blatant attempt to get some PR, a researcher at PMC Ciphers has
figured out that encrypting data with ECB mode results in ciphertext
patterns.
Yeah, we already knew that.
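The ECB property behind that "new attack", shown as an added demonstration (not from the newsletter or the PMC Ciphers paper): a toy Feistel block cipher using HMAC-SHA256 as its round function stands in for AES so the script runs on the Python standard library alone, and a constructed "image" with large uniform areas is encrypted in ECB and in CBC mode. In ECB, equal plaintext blocks produce equal ciphertext blocks, so the shape of the picture survives; CBC chaining removes that structure. The key and IV values are constructed for the demo.

```python
import hashlib, hmac

BLOCK = 16  # 128-bit blocks, like AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 keyed with (key, round index), truncated to 8 bytes.
    return hmac.new(key + bytes([i]), half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """8-round Feistel toy cipher on one 16-byte block. It stands in for AES so this
    runs on the standard library alone; it is a demonstration, not a vetted cipher."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: each block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def distinct_blocks(data: bytes) -> int:
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})

# Constructed "image": a 64-block bitmap with a uniform background (0x00) and a
# uniform 16-block shape (0xFF); the bytes are made up for this demonstration.
IMAGE = b"\x00" * BLOCK * 24 + b"\xff" * BLOCK * 16 + b"\x00" * BLOCK * 24
KEY = b"constructed-key!"   # constructed 16-byte key
IV = b"constructed-iv!!"    # constructed 16-byte IV (must be unpredictable in real use)
if __name__ == "__main__":
    print("plaintext distinct blocks:", distinct_blocks(IMAGE))                              # 2
    print("ECB ciphertext distinct blocks:", distinct_blocks(ecb_encrypt(KEY, IMAGE)))      # 2: shape visible
    print("CBC ciphertext distinct blocks:", distinct_blocks(cbc_encrypt(KEY, IV, IMAGE)))  # 64: no structure
```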
And -1 point for a security company requiring the use of JavaScript, and
not failing gracefully for a browser that doesn't have it enabled. And
-- ahem -- what is it with that photograph in the paper? Couldn't the
researchers have found something a little less adolescent?
For the record, I doghoused PMC Ciphers back in 2003: "PMC Ciphers. The
theory description is so filled with pseudo-cryptography that it's funny
to read. Hypotheses are presented as conclusions. Current research is
misstated or ignored. The first link is a technical paper with four
references, three of them written before 1975. Who needs thirty years of
cryptographic research when you have polymorphic cipher theory?"
I didn't realize it at the time, but PMC Ciphers responded to my
doghousing them. Funny stuff.
http://www.techworld.com/security/news/index.cfm?newsid=105263
http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepaper…
or http://tinyurl.com/3fe64r
Doghouse and response:
http://www.schneier.com/crypto-gram-0303.html#4
http://www.ciphers.de/eng/content/Backround-Info/Bruce-Schneiers-comments.h…
or http://tinyurl.com/52ymfo
When I posted this on my blog, three new commenters using dialups at the
same German ISP showed up to defend the paper. What are the odds?
http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html
** *** ***** ******* *********** *************
Nonviolent Activists Are Now Terrorists
This is an abomination: "The Maryland State Police classified 53
nonviolent activists as terrorists and entered their names and personal
information into state and federal databases that track terrorism
suspects, the state police chief acknowledged yesterday."
Why did they do that? "Both Hutchins and Sheridan said the activists'
names were entered into the state police database as terrorists partly
because the software offered limited options for classifying entries."
I know that once we had this "either you're with us or with the
terrorists" mentality, but don't you think that -- just maybe -- the
software should allow for a little bit more nuance?
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/07/AR200810070…
or http://tinyurl.com/3znjv7
** *** ***** ******* *********** *************
Does Risk Management Make Sense?
We engage in risk management all the time, but it only makes sense if we
do it right.
"Risk management" is just a fancy term for the cost-benefit tradeoff
associated with any security decision. It's what we do when we react to
fear, or try to make ourselves feel secure. It's the fight-or-flight
reflex that evolved in primitive fish and remains in all vertebrates.
It's instinctual, intuitive and fundamental to life, and one of the
brain's primary functions.
Some have hypothesized that humans have a "risk thermostat" that tries
to maintain some optimal risk level. It explains why we drive our
motorcycles faster when we wear a helmet, or are more likely to take up
smoking during wartime. It's our natural risk management in action.
The problem is our brains are intuitively suited to the sorts of risk
management decisions endemic to living in small family groups in the
East African highlands in 100,000 BC, and not to living in the New York
City of 2008. We make systematic risk management mistakes --
miscalculating the probability of rare events, reacting more to stories
than data, responding to the feeling of security rather than reality,
and making decisions based on irrelevant context. And that risk
thermostat of ours? It's not nearly as finely tuned as we might like it
to be.
Like a rabbit that responds to an oncoming car with its default predator
avoidance behavior -- dart left, dart right, dart left, and at the last
moment jump -- instead of just getting out of the way, our Stone Age
intuition doesn't serve us well in a modern technological society. So
when we in the security industry use the term "risk management," we
don't want you to do it by trusting your gut. We want you to do risk
management consciously and intelligently, to analyze the tradeoff and
make the best decision.
This means balancing the costs and benefits of any security decision --
buying and installing a new technology, implementing a new procedure or
forgoing a common precaution. It means allocating a security budget to
mitigate different risks by different amounts. It means buying insurance
to transfer some risks to others. It's what businesses do, all the time,
about everything. IT security has its own risk management decisions,
based on the threats and the technologies.
There's never just one risk, of course, and bad risk management
decisions often carry an underlying tradeoff. Terrorism policy in the
U.S. is based more on politics than actual security risk, but the
politicians who make these decisions are concerned about the risks of
not being re-elected.
Many corporate security decisions are made to mitigate the risk of
lawsuits rather than address the risk of any actual security breach. And
individuals make risk management decisions that consider not only the
risks to the corporation, but the risks to their departments' budgets,
and to their careers.
You can't completely remove emotion from risk management decisions, but
the best way to keep risk management focused on the data is to formalize
the methodology. That's what companies that manage risk for a living --
insurance companies, financial trading firms and arbitrageurs -- try to
do. They try to replace intuition with models, and hunches with
mathematics.
The problem in the security world is we often lack the data to do risk
management well. Technological risks are complicated and subtle. We
don't know how well our network security will keep the bad guys out, and
we don't know the cost to the company if we don't keep them out. And the
risks change all the time, making the calculations even harder. But this
doesn't mean we shouldn't try.
You can't avoid risk management; it's fundamental to business just as to
life. The question is whether you're going to try to use data or whether
you're going to just react based on emotions, hunches and anecdotes.
This essay appeared as the first half of a point-counterpoint with
Marcus Ranum in Information Security magazine.
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci133…
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is the Chief Security Technology Officer of BT (BT acquired
Counterpane in 2006), and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC). He is a frequent writer and lecturer
on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2008 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE