CRYPTO-GRAM, December 15, 2007

6 Jul 2018

      CRYPTO-GRAM

              December 15, 2007

              by Bruce Schneier
               Founder and CTO
                BT Counterpane
             schneier@schneier.com
            http://www.schneier.com
           http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit 
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at 
<http://www.schneier.com/crypto-gram-0712.html>.  These same essays 
appear in the "Schneier on Security" blog: 
<http://www.schneier.com/blog>.  An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
     How to Secure Your Computer, Disks, and Portable Drives
     Defeating the Shoe Scanning Machine at Heathrow Airport
     News
     Gitmo Manual Leaked
     Schneier/BT Counterpane News
     Security in Ten Years
     Comments from Readers

** *** ***** ******* *********** *************

     How to Secure Your Computer, Disks, and Portable Drives

Computer security is hard. Software, computer and network security are 
all ongoing battles between attacker and defender. And in many cases the 
attacker has an inherent advantage: He only has to find one network 
flaw, while the defender has to find and fix every flaw.

Cryptography is an exception. As long as you don't write your own 
algorithm, secure encryption is easy. And the defender has an inherent 
mathematical advantage: Longer keys increase the amount of work the 
defender has to do linearly, while geometrically increasing the amount 
of work the attacker has to do.

Unfortunately, cryptography can't solve most computer-security problems. 
The one problem cryptography *can* solve is the security of data when 
it's not in use. Encrypting files, archives -- even entire disks -- is easy.

All of this makes it even more amazing that Her Majesty's Revenue & 
Customs in the United Kingdom lost two disks with personal data on 25 
million British citizens, including dates of birth, addresses, 
bank-account information and national insurance numbers. On the one 
hand, this is no bigger a deal than any of the thousands of other 
exposures of personal data we've read about in recent years -- the U.S. 
Veteran's Administration loss of personal data of 26 million American 
veterans is an obvious similar event. But this has turned into Britain's 
privacy Chernobyl.

Perhaps encryption isn't so easy after all, and some people could use a 
little primer. This is how I protect my laptop.

There are several whole-disk encryption products on the market. I use 
PGP Disk's Whole Disk Encryption tool for two reasons. It's easy, and I 
trust both the company and the developers to write it securely. 
(Disclosure: I'm also on PGP Corp.'s Technical Advisory Board.)

Setup only takes a few minutes. After that, the program runs in the 
background. Everything works like before, and the performance 
degradation is negligible. Just make sure you choose a secure password 
-- PGP's encouragement of passphrases makes this much easier -- and 
you're secure against leaving your laptop in the airport or having it 
stolen out of your hotel room.

The reason you encrypt your entire disk, and not just key files, is so 
you don't have to worry about swap files, temp files, hibernation files, 
erased files, browser cookies or whatever. You don't need to enforce a 
complex policy about which files are important enough to be encrypted. 
And you have an easy answer to your boss or to the press if the computer 
is stolen: no problem; the laptop is encrypted.

PGP Disk can also encrypt external disks, which means you can also 
secure that USB memory device you've been using to transfer data from 
computer to computer. When I travel, I use a portable USB drive for 
backup. Those devices are getting physically smaller -- but larger in 
capacity -- every year, and by encrypting I don't have to worry about 
losing them.

I recommend one more complication. Whole-disk encryption means that 
anyone at your computer has access to everything: someone at your 
unattended computer, a Trojan that infected your computer and so on. To 
deal with these and similar threats I recommend a two-tier encryption 
strategy. Encrypt anything you don't need access to regularly -- 
archived documents, old e-mail, whatever -- separately, with a different 
password. I like to use PGP Disk's encrypted zip files, because it also 
makes secure backup easier (and lets you secure those files before you 
burn them on a DVD and mail them across the country), but you can also 
use the program's virtual-encrypted-disk feature to create a separately 
encrypted volume. Both options are easy to set up and use.

There are still two scenarios you aren't secure against, though. You're 
not secure against someone snatching your laptop out of your hands as 
you're typing away at the local coffee shop. And you're not secure 
against the authorities telling you to decrypt your data for them.

The latter threat is becoming more real. I have long been worried that 
someday, at a border crossing, a customs official will open my laptop 
and ask me to type in my password. Of course I could refuse, but the 
consequences might be severe -- and permanent. And some countries -- the 
United Kingdom, Singapore, Malaysia -- have passed laws giving police 
the authority to demand that you divulge your passwords and encryption keys.

To defend against both of these threats, minimize the amount of data on 
your laptop. Do you really need 10 years of old e-mails? Does everyone 
in the company really need to carry around the entire customer database? 
One of the most incredible things about the Revenue & Customs story is 
that a low-level government employee mailed a copy of the entire 
national child database to the National Audit Office in London. Did he 
have to? Doubtful. The best defense against data loss is to not have the 
data in the first place.

Failing that, you can try to convince the authorities that you don't 
have the encryption key. This works better if it's a zipped archive than 
the whole disk. You can argue that you're transporting the files for 
your boss, or that you forgot the key long ago. Make sure the time stamp 
on the files matches your claim, though.

There are other encryption programs out there. If you're a Windows Vista 
user, you might consider BitLocker. This program, embedded in the 
operating system, also encrypts the computer's entire drive. But it only 
works on the C: drive, so it won't help with external disks or USB 
tokens. And it can't be used to make encrypted zip files. But it's easy 
to use, and it's free.  And many people like the open-source and free 
program, TrueCrypt. I know nothing about it.

This essay previously appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/se...

Why was the UK event such a big deal?  Certainly the scope: 40% of the 
British population.  Also the data: bank account details; plus 
information about children.  There's already a larger debate on the 
issue of a database on kids that this feeds into.  And it's a 
demonstration of government incompetence (think Hurricane Katrina).  In 
any case, this issue isn't going away anytime soon.  Prime Minister 
Gordon Brown has apologized.  The head of the Revenue and Customs office 
has resigned.  More fallout is probably coming.

UK's privacy Chernobyl:
http://www.timesonline.co.uk/tol/news/uk/article2910705.ece
http://news.bbc.co.uk/1/hi/uk_politics/7104945.stm
http://politics.guardian.co.uk/economics/story/0,,2214566,00.html
http://www.timesonline.co.uk/tol/news/uk/article2910635.ece
http://www.theregister.co.uk/2007/11/21/response_data_breach/

U.S. VA privacy breach:
http://www.wired.com/techbiz/media/news/2006/05/70961

PGP Disk:
http://www.pgp.com/products/wholediskencryption/

Choosing a secure password:
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
http://www.iusmentis.com/security/passphrasefaq/

Risks of losing small memory devices:
http://www.schneier.com/blog/archives/2005/07/risks_of_losing.html

Laptop snatching:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/04/08... 
or http://tinyurl.com/fszeh

Microsoft BitLocker:
http://www.schneier.com/blog/archives/2006/05/bitlocker.html

TrueCrypt:
http://www.truecrypt.org/

** *** ***** ******* *********** *************

     Defeating the Shoe Scanning Machine at Heathrow Airport

For a while now, Terminal 3 at Heathrow Airport has had a unique setup 
for scanning shoes.  Instead of taking your shoes off during the normal 
screening process, as you do in U.S. airports, you go through the metal 
detector with your shoes on.  Then, later, there is a special shoe 
scanning X-ray machine.  You take your shoes off, send them through the 
machine, and put them on at the other end.

It's definitely faster, but it's an easy system to defeat.  The 
vulnerability is that no one verifies that the shoes you walked through 
the metal detector with are the same shoes you put on the scanning machine.

Here's how the attack works.  Assume that you have two pairs of shoes: a 
clean pair that passes all levels of screening, and a dangerous pair 
that doesn't.  (Ignore for a moment the ridiculousness of screening 
shoes in the first place, and assume that an X-ray machine can detect 
the dangerous pair.)  Put the dangerous shoes on your feet and the clean 
shoes in your carry-on bag.  Walk through the metal detector.  Then, at 
the shoe X-ray machine, take the dangerous shoes off and put them in 
your bag, and take the clean shoes out of your bag and place them on the 
X-ray machine.  You've now managed to get through security without 
having your shoes screened.

This works because the two security systems are decoupled.  And the shoe 
screening machine is so crowded and chaotic, and so poorly manned, that 
no one notices the switch.

U.S. airports force people to put their shoes through the X-ray machine 
and walk through the metal detector shoeless, ensuring that all shoes 
get screened.  That might be slower, but it works.

** *** ***** ******* *********** *************

     News

Dan Bernstein wrote an interesting paper on the security lessons he's 
learned from qmail.
http://cr.yp.to/qmail/qmailsec-20071101.pdf

Possible Hizbullah mole inside the FBI and CIA
http://newsweek.com/id/70309

I previously wrote about Dan Egerstad, a security researcher who ran a 
Tor anonymity network and was able to sniff some pretty impressive 
usernames and passwords. Swedish police arrested him last month.
http://www.smh.com.au/news/security/police-swoop-on-hacker-of-the-year/2007/... 
or http://tinyurl.com/2ou5df
My previous essay:
http://www.schneier.com/blog/archives/2007/09/anonymity_and_t_1.html
Here's a good article on what he did; it was published just before the 
arrest.
http://www.smh.com.au/news/security/the-hack-of-the-year/2007/11/12/11947665... 
or http://tinyurl.com/23u4nr

The World War II factoring machine, Colossus, is back online.
http://news.bbc.co.uk/1/hi/technology/7094881.stm
Photos:
http://fungu.notlong.com/
http://deeke.notlong.com/
Not surprisingly, a modern PC is faster.
http://news.bbc.co.uk/1/hi/technology/7098005.stm
http://www.physorg.com/news114422189.html

Hacking a soda machine: an instructional video.  The idea is simple: 
prevent the machine from completing an action and place it in an error 
state, and then exploit that state.  In this instance, the hacker 
prevents the machine from dispensing the drink bottle.  The machine 
refunds the money, but the bottle stays on the conveyor belt.  Then the 
hacker purchases a second bottle, and receives them both.
http://www.5min.com/Video/How-To-Hack-a-Soda-Machine-2497

This is a story of hard drives sold with pre-installed Trojans.  I don't 
know if it's true, but it's certainly possible:
http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202
http://forum.rpg.net/showthread.php?t=365473

More "War on the Unexpected."
In Australia, a man was kicked out of a pub for reading a book called 
"The Unknown Terrorist."
http://www.cairnspost.com.au/article/2007/11/15/4555_news.html
At the US/Canadian border, a fire truck responding to a fire -- with 
lights and sirens -- was stopped for about eight minutes.
http://www.cnn.com/2007/US/11/14/border.firetruck/
Police tasered a man on a Leeds bus when he went into a diabetic coma.
http://news.bbc.co.uk/1/hi/england/west_yorkshire/7096456.stm
A mixture of flour and sugar closed down a Maine airport:
http://www.seacoastonline.com/apps/pbcs.dll/article?AID=/20071108/NEWS/71108... 
or http://tinyurl.com/386hle
A blind calypso musician and his band removed from an airplane:
http://www.guardian.co.uk/terrorism/story/0,,2218533,00.html
A Jewish man removed from a train for praying:
http://www.ynetnews.com/articles/0,7340,L-3477136,00.html
A bomb squad in Sarasota, Florida, is called in to detonate a typewriter:
http://www.heraldtribune.com/article/20071203/BREAKING01/71203010
Fear is winning.  Refuse to be terrorized, people.
http://www.schneier.com/blog/archives/2006/08/what_the_terror.html

At first, I discounted this story of fake dynamite prompting an 
evacuation as another example of knee-jerk overreaction to a nonexistent 
threat.  Evacuating everyone within a mile radius seemed excessive, even 
for real dynamite.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/11/21/MN0OTGV9P.DTL 
or http://tinyurl.com/2dnzlx
But assuming that the information in this article is correct, it might 
not have been that big an overreaction.  It was an intentional bomb 
threat hoax.
http://www.ktvu.com/news/14663960/detail.html

No two-person control or complicated safety features: until 1998, you 
could arm British nukes with a bicycle lock key.  Certainly most of the 
security was procedural.  But still....
http://news.bbc.co.uk/1/hi/programmes/newsnight/7097101.stm

"Passengers at Liverpool's Lime Street station face airport-style 
searches and bag-screening, under swingeing new anti-terror measures 
unveiled yesterday.  And security barriers, vehicle exclusion zones and 
blast-resistant buildings will be introduced at airports, ports and up 
to 250 of the busiest train stations, Gordon Brown announced."  What the 
headline should have read:  "UK Spends Billions to Force Rail Terrorists 
to Drive a Little Further."  Less busy stations are only a few minutes 
away by car.
http://icliverpool.icnetwork.co.uk/0100news/0100regionalnews/tm_headline=lim... 
or http://tinyurl.com/2zjrxn

Clever way of using Google to crack hashed passwords:
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/ 
or http://tinyurl.com/3b5ftq

Excellent article on the problem with copyright law by John Tehranian: 
"Infringement Nation: Copyright Reform and the Law/Norm Gap."  The point 
of the article is how, simply by acting normally, all of us are 
technically lawbreakers many times over every day.  When laws are this 
far outside the social norms, it's time to change them.
http://www.turnergreen.com/publications/Tehranian_Infringement_Nation.pdf 
or http://tinyurl.com/2rgn9c

In yet another front on the war on the unexpected, firefighters are 
being asked to look out for terrorism while doing their normal jobs. 
"Unlike police, firefighters and emergency medical personnel don't need 
warrants to access hundreds of thousands of homes and buildings each 
year, putting them in a position to spot behavior that could indicate 
terrorist activity or planning."  Because it's such a good idea for 
people to start fearing firefighters....
http://ap.google.com/article/ALeqM5gek2oSZ_67sh2ukVvXaCGCXzpypwD8T3IFL81 
or http://tinyurl.com/2co9qs

Good article on cybercrime vs. cyberterrorism, and stuff I've been 
saying for a while now.
http://www.siliconvalley.com/ci_7442979

Animal rights activists are being forced to hand over encryption keys, 
based on a new UK law.
http://news.bbc.co.uk/2/hi/technology/7102180.stm
More about the new law here.  If you remember, this was sold to the 
public as essential for fighting terrorism.  It's already being misused.
http://www.schneier.com/blog/archives/2007/10/uk_police_can_n.html

How to harvest passwords:  Just put up a password strength meter and 
encourage people to submit their passwords for testing.  You might want 
to collect names and e-mail addresses, too.
http://www.codeassembly.com/How-to-make-a-password-strength-meter-for-your-r... 
or http://tinyurl.com/2jfu7s
Note that I am not accusing Codeassembly of harvesting passwords, only 
pointing out that you could harvest passwords that way.  For the record, 
here's how to choose a secure password:
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

Movie-plot threat described in the press as a movie-plot threat.
http://www.azstarnet.com/sn/relatedstories/213503.php
In the end, it was nothing more than fiction (of course).

Trucker drives through the front gate of the Guinness brewery in Dublin 
and steals 450 kegs of beer.  Moral, look like you belong.
http://www.rte.ie/news/2007/1129/guinness.html
http://www.ireland.com/newspaper/breaking/2007/1129/breaking41.htm
It seems they were caught before they drank it all.
http://www.ireland.com/newspaper/breaking/2007/1205/breaking85.htm

Every year SANS publishes a list of the 20 most important 
vulnerabilities.  It's always a great list, and this year is no different.
http://www.sans.org/top20/

MI5 sounds alarm on internet spying from China.  This has been going on 
for years, so why did MI5 go public -- or, at least, send out a private 
document that was sure to be leaked?  At first, I thought that someone 
in MI5 was pissed off at China.  But now I think that someone in MI5 was 
pissed that he wasn't getting any budget.
http://business.timesonline.co.uk/tol/business/industry_sectors/technology/a... 
or http://tinyurl.com/yptg68

Microsoft's wireless keyboard encryption cracked:
http://www.heise-security.co.uk/news/99873
http://www.dreamlab.net/download/articles/Press%20Release%20Dreamlab%20Techn... 
or http://tinyurl.com/2qmf8c
http://www.dreamlab.net/download/articles/27_Mhz_keyboard_insecurities.pdf 
or http://tinyurl.com/3yqdrf

California's Secretary of State doubts that electronic voting machines 
will ever be good enough to use in her state's elections:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/12/02/BASRTMOPE.DTL 
or http://tinyurl.com/3dsafg
Ed Felten comments:
http://www.freedom-to-tinker.com/?p=1232
I've written a lot on this issue:
http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html
http://www.schneier.com/blog/archives/2006/11/voting_technolo.html
http://www.schneier.com/blog/archives/2006/11/more_on_electro.html

Man-in-the-middle attack by Tor exit node.  So often man-in-the-middle 
attacks are theoretical; it's fascinating to see one in the wild.
http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attac... 
or http://tinyurl.com/2h8xrv
The guy claims that he just misconfigured his Tor node.  I don't know 
enough about Tor to have any comment about this.
http://forum.fachinformatiker.de/security/110838-ssl-man-middle-ueber-tor-sc... 
or http://tinyurl.com/2g6ko9
I've written about anonymity and the Tor network before.
http://www.schneier.com/blog/archives/2007/09/anonymity_and_t_1.html

Fascinating article on how an overdependence on technology hurt us in Iraq.
http://www.wired.com/politics/security/magazine/15-12/ff_futurewar
http://www.schneier.com/blog/archives/2007/12/an_overdependen.html#c222154 
or http://tinyurl.com/2bpob4

Bizarre new security risk: blankets.
http://www.news.com.au/perthnow/story/0,21598,22860627-2761,00.html

Monopoly sets with real money for World War II POWs:
http://www.boingboing.net/2007/11/20/pow-editions-of-mono.html

Interesting blog post on defeating CAPTCHAs:
http://www.codinghorror.com/blog/archives/001001.html
This group is the best out there at defeating CAPTCHAs:
http://www.ocr-research.org.ua/index.html

The "Handbook of Applied Cryptography" is available online -- 
legitimately.  This is a good book, and well worth downloading.
http://www.cacr.math.uwaterloo.ca/hac/index.html

Teen secretly records his police interrogation session, resulting in a 
perjury case against a detective.  My guess is that this sort of perjury 
occurs more than we realize.  If there's one place I think cameras 
should be rolling at all times, it's in police station interrogation 
rooms.
http://abcnews.go.com/TheLaw/wireStory?id=3968795

Local police are putting yellow stickers on cars with visible packages, 
making it easier for thieves to identify which cars are worth breaking into.
http://www.rockdalecitizen.com/print.asp?SectionID=2&SubSectionID=2&ArticleID=453 
or http://tinyurl.com/2cwxx7

Interesting study on the effects of security-breach notification laws in 
the U.S.
http://www.law.berkeley.edu/clinics/samuelson/cso_study.pdf

Secret bank vault plans found in German trash:
http://today.reuters.com/news/articlenews.aspx?type=oddlyEnoughNews&storyid=2007-12-07T051401Z_01_L06102154_RTRUKOC_0_US-BUNDESBANK-SAFE.xml 
or http://tinyurl.com/2a2say

"Time Magazine" article on Chinese hackers.
http://www.time.com/time/magazine/article/0,9171,1692063,00.html

"Security Question," short fiction by Ramon Rozas III.
http://www.everydayfiction.com/security-question-by-ramon-rozas-iii/

** *** ***** ******* *********** *************

     Gitmo Manual Leaked

A 2003 "Camp Delta Standard Operating Procedures" manual has been leaked 
to the Internet.  This is the same manual that the ACLU has 
unsuccessfully sued the government to get a copy of.  Others can debate 
the legality of some of the procedures; on my blog I was interested in 
comments about the security.

See, for example, this quote on page 27.3:

"b) Upon arrival will enter the gate by entering the number (1998) in 
the combination lock

"(c) Proceed to the junction box with the number (7012-83) Breaker Box 
and open the box.  The number for the lock on the breaker box is (224)."

Many more comments from readers online.

Manual:
http://wikileaks.org/wiki/Camp_Delta_Standard_Operating_Procedure

Other articles:
http://www.nytimes.com/2007/11/16/washington/16gitmo.html?ex=1352869200&en=76e443e8322c06f9&ei=5090&partner=rssuserland&emc=rss 
or http://tinyurl.com/28zyqm
http://www.wired.com/politics/onlinerights/news/2007/11/gitmo

Blog entry:
http://www.schneier.com/blog/archives/2007/11/gitmo_manual_le_1.html

** *** ***** ******* *********** *************

     Schneier/BT Counterpane News

I did a Q&A on the Freakonomics blog.  Nothing regular readers of this 
blog haven't heard before, but it was fun all the same.
http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-throu... 
or http://tinyurl.com/2zan6q
There's also a Slashdot thread on the Q&A.
http://it.slashdot.org/it/07/12/04/2128256.shtml

** *** ***** ******* *********** *************

     Security in Ten Years

This is a conversation between myself and Marcus Ranum.  Usually, I only 
reprint my half of these exchanges.  But since this one has multiple 
back and forths, it only really makes sense to include the whole thing.

Bruce Schneier: Predictions are easy and difficult. Roy Amara of the 
Institute for the Future once said: "We tend to overestimate the effect 
of a technology in the short run and underestimate the effect in the 
long run."

Moore's Law is easy: In 10 years, computers will be 100 times more 
powerful. My desktop will fit into my cell phone, we'll have gigabit 
wireless connectivity everywhere, and personal networks will connect our 
computing devices and the remote services we subscribe to. Other aspects 
of the future are much more difficult to predict. I don't think anyone 
can predict what the emergent properties of 100x computing power will 
bring: new uses for computing, new paradigms of communication. A 100x 
world will be different, in ways that will be surprising.

But throughout history and into the future, the one constant is human 
nature. There hasn't been a new crime invented in millennia. Fraud, 
theft, impersonation and counterfeiting are perennial problems that have 
been around since the beginning of society. During the last 10 years, 
these crimes have migrated into cyberspace, and over the next 10, they 
will migrate into whatever computing, communications and commerce 
platforms we're using.

The nature of the attacks will be different: the targets, tactics and 
results. Security is both a trade-off and an arms race, a balance 
between attacker and defender, and changes in technology upset that 
balance. Technology might make one particular tactic more effective, or 
one particular security technology cheaper and more ubiquitous. Or a new 
emergent application might become a favored target.

I don't see anything by 2017 that will fundamentally alter this. Do you?

Marcus Ranum:  I think you're right; at a meta-level, the problems are 
going to stay the same. What's shocking and disappointing to me is that 
our responses to those problems also remain the same, in spite of the 
obvious fact that they aren't effective. It's 2007 and we haven't seemed 
to accept that:

* You can't turn shovelware into reliable software by patching it a 
whole lot.

*You shouldn't mix production systems with non-production systems.

* You actually have to know what's going on in your networks.

* If you run your computers with an open execution runtime model you'll 
always get viruses, spyware and Trojan horses.

* You can pass laws about locking barn doors after horses have left, but 
it won't put the horses back in the barn.

* Security has to be designed in, as part of a system plan for 
reliability, rather than bolted on afterward.

The list could go on for several pages, but it would be too depressing. 
It would be "Marcus' list of obvious stuff that everybody knows but 
nobody accepts."

You missed one important aspect of the problem: By 2017, computers will 
be even more important to our lives, economies and infrastructure.

If you're right that crime remains a constant, and I'm right that our 
responses to computer security remain ineffective, 2017 is going to be a 
lot less fun than 2007 was.

I've been pretty dismissive of the concepts of cyberwar and cyberterror. 
That dismissal was mostly motivated by my observation that the 
patchworked and kludgy nature of most computer systems acts as a form of 
defense in its own right, and that real-world attacks remain more 
cost-effective and practical for terror purposes.

I'd like to officially modify my position somewhat: I believe it's 
increasingly likely that we'll suffer catastrophic failures in critical 
infrastructure systems by 2017. It probably won't be terrorists that do 
it, though. More likely, we'll suffer some kind of horrible outage 
because a critical system was connected to a non-critical system that 
was connected to the Internet so someone could get to MySpace -- and 
that ancillary system gets a piece of malware. Or it'll be some 
incomprehensibly complex software, layered with Band-Aids and patches, 
that topples over when some "merely curious" hacker pushes the wrong 
e-button. We've got some bad-looking trend lines; all the indicators 
point toward a system that is more complex, less well-understood and 
more interdependent. With infrastructure like that, who needs enemies?

You're worried criminals will continue to penetrate into cyberspace, and 
I'm worried complexity, poor design and mismanagement will be there to 
meet them.

Bruce Schneier:  I think we've already suffered that kind of critical 
systems failure. The August 2003 blackout that covered much of 
northeastern United States and Canada -- 50 million people -- was caused 
by a software bug.

I don't disagree that things will continue to get worse. Complexity is 
the worst enemy of security, and the Internet -- and the computers and 
processes connected to it -- is getting more complex all the time. So 
things are getting worse, even though security technology is improving. 
One could say those critical insecurities are another emergent property 
of the 100x world of 2017.

Yes, IT systems will continue to become more critical to our 
infrastructure -- banking, communications, utilities, defense, everything.

By 2017, the interconnections will be so critical that it will probably 
be cost-effective -- and low-risk -- for a terrorist organization to 
attack over the Internet. I also deride talk of cyberterror today, but I 
don't think I will in another 10 years.

While the trends of increased complexity and poor management don't look 
good, there is another trend that points to more security -- but neither 
you nor I is going to like it. That trend is IT as a service.

By 2017, people and organizations won't be buying computers and 
connectivity the way they are today. The world will be dominated by 
telcos, large ISPs and systems integration companies, and computing will 
look a lot like a utility. Companies will be selling services, not 
products: email services, application services, entertainment services. 
We're starting to see this trend today, and it's going to take off in 
the next 10 years. Where this affects security is that by 2017, people 
and organizations won't have a lot of control over their security. 
Everything will be handled at the ISPs and in the backbone. The 
free-wheeling days of general-use PCs will be largely over. Think of the 
iPhone model: You get what Apple decides to give you, and if you try to 
hack your phone, they can disable it remotely. We techie geeks won't 
like it, but it's the future. The Internet is all about commerce, and 
commerce won't survive any other way.

Marcus Ranum:  You're right about the shift toward services -- it's the 
ultimate way to lock in customers.

If you can make it difficult for the customer to get his data back after 
you've held it for a while, you can effectively prevent the customer 
from ever leaving. And of course, customers will be told "trust us, your 
data is secure," and they'll take that for an answer. The back-end 
systems that will power the future of utility computing are going to be 
just as full of flaws as our current systems. Utility computing will 
also completely fail to address the problem of transitive trust unless 
people start shifting to a more reliable endpoint computing platform.

That's the problem with where we're heading: the endpoints are not going 
to get any better. People are attracted to appliances because they get 
around the headache of system administration (which, in today's security 
environment, equates to "endless patching hell"), but underneath the 
slick surface of the appliance we'll have the same insecure nonsense 
we've got with general-purpose desktops. In fact, the development of 
appliances running general-purpose operating systems really does raise 
the possibility of a software monoculture. By 2017, do you think system 
engineering will progress to the point where we won't see a vendor 
release a new product and instantly create an installed base of 1 
million-plus users with root privileges? I don't, and that scares me.

So if you're saying the trend is to continue putting all our eggs in one 
basket and blithely trusting that basket, I agree.

Another trend I see getting worse is government IT know-how. At the rate 
outsourcing has been brain-draining the federal workforce, by 2017 there 
won't be a single government employee who knows how to do anything with 
a computer except run PowerPoint and Web surf. Joking aside, the result 
is that the government's critical infrastructure will be almost entirely 
managed from the outside. The strategic implications of such a shift 
have scared me for a long time; it amounts to a loss of control over 
data, resources and communications.

Bruce Schneier:  You're right about the endpoints not getting any 
better. I've written again and again how measures like two-factor 
authentication aren't going to make electronic banking any more secure. 
The problem is if someone has stuck a Trojan on your computer, it 
doesn't matter how many ways you authenticate to the banking server; the 
Trojan is going to perform illicit transactions after you authenticate.

It's the same with a lot of our secure protocols. SSL, SSH, PGP and so 
on all assume the endpoints are secure, and the threat is in the 
communications system. But we know the real risks are the endpoints.

And a misguided attempt to solve this is going to dominate computing by 
2017. I mentioned software-as-a-service, which you point out is really a 
trick that allows businesses to lock up their customers for the long 
haul. I pointed to the iPhone, whose draconian rules about who can write 
software for that platform accomplishes much the same thing. We could 
also point to Microsoft's Trusted Computing, which is being sold as a 
security measure but is really another lock-in mechanism designed to 
keep users from switching to "unauthorized" software or OSes.

I'm reminded of the post-9/11 anti-terrorist hysteria -- we've confused 
security with control, and instead of building systems for real 
security, we're building systems of control. Think of ID checks 
everywhere, the no-fly list, warrantless eavesdropping, broad 
surveillance, data mining, and all the systems to check up on scuba 
divers, private pilots, peace activists and other groups of people. 
These give us negligible security, but put a whole lot of control in the 
government's hands.

Computing is heading in the same direction, although this time it is 
industry that wants control over its users. They're going to sell it to 
us as a security system -- they may even have convinced themselves it 
will improve security -- but it's fundamentally a control system. And in 
the long run, it's going to hurt security.

Imagine we're living in a world of Trustworthy Computing, where no 
software can run on your Windows box unless Microsoft approves it. That 
brain drain you talk about won't be a problem, because security won't be 
in the hands of the user. Microsoft will tout this as the end of 
malware, until some hacker figures out how to get his software approved. 
That's the problem with any system that relies on control: Once you 
figure out how to hack the control system, you're pretty much golden. So 
instead of a zillion pesky worms, by 2017 we're going to see fewer but 
worse super worms that sail past our defenses.

By then, though, we'll be ready to start building real security. As you 
pointed out, networks will be so embedded into our critical 
infrastructure -- and there'll probably have been at least one real 
disaster by then -- that we'll have no choice. The question is how much 
we'll have to dismantle and build over to get it right.

Marcus Ranum:  I agree regarding your gloomy view of the future. It's 
ironic the counterculture "hackers" have enabled (by providing an 
excuse) today's run-patch-run-patch-reboot software environment and 
tomorrow's software Stalinism.

I don't think we're going to start building real security. Because real 
security is not something you build -- it's something you get when you 
leave out all the other garbage as part of your design process. 
Purpose-designed and purpose-built software is more expensive to build, 
but cheaper to maintain. The prevailing wisdom about software return on 
investment doesn't factor in patching and patch-related downtime, 
because if it did, the numbers would stink. Meanwhile, I've seen 
purpose-built Internet systems run for years without patching because 
they didn't rely on bloated components. I doubt industry will catch on.

The future will be captive data running on purpose-built back-end 
systems -- and it won't be a secure future, because turning your data 
over always decreases your security. Few possess the understanding of 
complexity and good design principles necessary to build reliable or 
secure systems. So, effectively, outsourcing -- or other forms of making 
security someone else's problem -- will continue to seem attractive.
That doesn't look like a very rosy future to me. It's a shame, too, 
because getting this stuff correct is important. You're right that there 
are going to be disasters in our future.

I think they're more likely to be accidents where the system crumbles 
under the weight of its own complexity, rather than hostile action. Will 
we even be able to figure out what happened, when it happens?

Folks, the captains have illuminated the "Fasten your seat belts" sign. 
We predict bumpy conditions ahead.

This essay originally appeared in "Information Security Magazine."

Commentary on the point/counterpoint.
http://www.channelregister.co.uk/2007/12/04/security_in_2017/

Slashdot thread:
http://it.slashdot.org/article.pl?sid=07/12/03/1840243

** *** ***** ******* *********** *************

     Comments from Readers

There are hundreds of comments -- many of them interesting -- on these 
topics on my blog. Search for the story you want to comment on, and join 
in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, 
insights, and commentaries on security: computer and otherwise.  You can 
subscribe, unsubscribe, or change your address on the Web at 
<http://www.schneier.com/crypto-gram.html>.  Back issues are also 
available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to 
colleagues and friends who will find it valuable.  Permission is also 
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the 
best sellers "Beyond Fear," "Secrets and Lies," and "Applied 
Cryptography," and an inventor of the Blowfish and Twofish algorithms. 
He is founder and CTO of BT Counterpane, and is a member of the Board of 
Directors of the Electronic Privacy Information Center (EPIC).  He is a 
frequent writer and lecturer on security topics.  See 
<http://www.schneier.com>.

BT Counterpane is the world's leading protector of networked information 
- the inventor of outsourced security monitoring and the foremost 
authority on effective mitigation of emerging IT threats.  BT 
Counterpane protects networks for Fortune 1000 companies and governments 
world-wide.  See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not 
necessarily those of BT or BT Counterpane.

Copyright (c) 2007 by Bruce Schneier.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE