CRYPTO-GRAM, April 15, 2011
Bruce Schneier
schneier at SCHNEIER.COM
Fri Apr 15 00:13:34 PDT 2011
CRYPTO-GRAM
April 15, 2011
by Bruce Schneier
Chief Security Technology Officer, BT
schneier at schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1104.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively comment section. An
RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Detecting Cheaters
Ebook Fraud
Unanticipated Security Risk of Keeping Your Money in a Home Safe
News
Changing Incentives Creates Security Risks
Euro Coin Recycling Scam
Security Fears of Wi-Fi in London Underground
Schneier News
Epsilon Hack
Schneier's Law
How did the CIA and FBI Know that Australian Government
Computers Were Hacked?
** *** ***** ******* *********** *************
Detecting Cheaters
Our brains are specially designed to deal with cheating in social
exchanges. The evolutionary psychology explanation is that we evolved
brain heuristics for the social problems that our prehistoric ancestors
had to deal with. Once humans became good at cheating, they then had to
become good at detecting cheating -- otherwise, the social group would
fall apart.
Perhaps the most vivid demonstration of this can be seen with variations
on what's known as the Wason selection task, named after the psychologist
who first studied it. Back in the 1960s, it was a test of logical
reasoning; today, its used more as a demonstration of evolutionary
psychology. But before we get to the experiment, let's get into the
mathematical background.
Propositional calculus is a system for deducing conclusions from true
premises. It uses variables for statements because the logic works
regardless of what the statements are. College courses on the subject are
taught by either the mathematics or the philosophy department, and they're
not generally considered to be easy classes. Two particular rules of
inference are relevant here: *modus ponens* and *modus tollens*. Both
allow you to reason from a statement of the form, "if P, then Q." (If
Socrates was a man, then Socrates was mortal. If you are to eat dessert,
then you must first eat your vegetables. If it is raining, then Gwendolyn
had Crunchy Wunchies for breakfast. That sort of thing.) *Modus ponens*
goes like this:
If P, then Q. P. Therefore, Q.
In other words, if you assume the conditional rule is true, and if you
assume the antecedent of that rule is true, then the consequent is true.
So,
If Socrates was a man, then Socrates was mortal. Socrates was a man.
Therefore, Socrates was mortal.
*Modus tollens* is more complicated:
If P, then Q. Not Q. Therefore, not P.
If Socrates was a man, then Socrates was mortal. Socrates was not
mortal. Therefore, Socrates was not a man.
This makes sense: if Socrates was not mortal, then he'd be a demigod or a
stone statue or something.
Both are valid forms of logical reasoning. If you know "if P, then Q" and
"P," then you know "Q." If you know "if P, then Q" and "not Q," then you
know "not P." (The other two similar forms don't work. If you know "if P,
then Q" and "Q," you don't know anything about "P." And if you know "if P,
then Q" and "not P," then you don't know anything about "Q.")
If I explained this in front of an audience full of normal people, not
mathematicians or philosophers, most of them would be lost.
Unsurprisingly, they would have trouble either explaining the rules or
using them properly. Just ask any grad student who has had to teach a
formal logic class; people have trouble with this.
Consider the Wason selection task. Subjects are presented with four cards
next to each other on a table. Each card represents a person, with each
side listing some statement about that person. The subject is then given a
general rule and asked which cards he would have to turn over to ensure
that the four people satisfied that rule. For example, the general rule
might be, "If a person travels to Boston, then he or she takes a plane."
The four cards might correspond to travelers and have a destination on one
side and a mode of transport on the other. On the side facing the subject,
they read: "went to Boston," "went to New York," "took a plane," and "took
a car." Formal logic states that the rule is violated if someone goes to
Boston without taking a plane. Translating into propositional calculus,
there's the general rule: "if P, then Q." The four cards are "P," "not P,"
"Q," and "not Q." To verify that "if P, then Q" is a valid rule, you have
to verify *modus ponens* by turning over the "P" card and making sure that
the reverse says "Q." To verify *modus tollens*, you turn over the "not Q"
card and make sure that the reverse doesn't say "P."
Shifting back to the example, you need to turn over the "went to Boston"
card to make sure that person took a plane, and you need to turn over the
"took a car" card to make sure that person didn't go to Boston. You don't
-- as many people think -- need to turn over the "took a plane" card to see
if it says "went to Boston"; because you don't care. The person might have
been flying to Boston, New York, San Francisco, or London. The rule only
says that people going to Boston fly; it doesn't break the rule if someone
flies elsewhere.
If you're confused, you aren't alone. When Wason first did this study,
fewer than 10 percent of his subjects got it right. Others replicated the
study and got similar results. The best result I've seen is "fewer than 25
percent." Training in formal logic doesn't seem to help very much.
Neither does ensuring that the example is drawn from events and topics with
which the subjects are familiar. People are just bad at the Wason
selection task. They also tend to only take college logic classes upon
requirement.
This isn't just another "math is hard" story. There's a point to this.
The one variation of this task that people are surprisingly good at
getting right is when the rule has to do with cheating and privilege. For
example, change the four cards to children in a family -- "gets dessert,"
"doesn't get dessert," "ate vegetables," and "didn't eat vegetables" -- and
change the rule to "If a child gets dessert, he or she ate his or her
vegetables." Many people -- 65 to 80 percent -- get it right immediately.
They turn over the "ate dessert" card, making sure the child ate his
vegetables, and they turn over the "didn't eat vegetables" card, making
sure the child didn't get dessert. Another way of saying this is that they
turn over the "benefit received" card to make sure the cost was paid. And
they turn over the "cost not paid" card to make sure no benefit was
received. They look for cheaters.
The difference is startling. Subjects don't need formal logic training.
They don't need math or philosophy. When asked to explain their
reasoning, they say things like the answer "popped out at them."
Researchers, particularly evolutionary psychologists Leda Cosmides and
John Tooby, have run this experiment with a variety of wordings and
settings and on a variety of subjects: adults in the US, UK, Germany,
Italy, France, and Hong Kong; Ecuadorian schoolchildren; and Shiriar
tribesmen in Ecuador. The results are the same: people are bad at the
Wason selection task, except when the wording involves cheating.
In the world of propositional calculus, there's absolutely no difference
between a rule about traveling to Boston by plane and a rule about eating
vegetables to get dessert. But in our brains, there's an enormous
difference: the first is a arbitrary rule about the world, and the second
is a rule of social exchange. It's of the form "If you take Benefit B, you
must first satisfy Requirement R."
Our brains are optimized to detect cheaters in a social exchange. We're
good at it. Even as children, we intuitively notice when someone gets a
benefit he didn't pay the cost for. Those of us who grew up with a
sibling have experienced how the one child not only knew that the other
cheated, but felt compelled to announce it to the rest of the family. As
adults, we might have learned that life isn't fair, but we still know who
among our friends cheats in social exchanges. We know who doesn't pay his
or her fair share of a group meal. At an airport, we might not notice the
rule "If a plane is flying internationally, then it boards 15 minutes
earlier than domestic flights." But we'll certainly notice who breaks the
"If you board first, then you must be a first-class passenger" rule.
This essay was originally published in IEEE Security & Privacy
http://www.schneier.com/essay-337.html
It is an excerpt from the draft of my new book.
http://www.schneier.com/blog/archives/2011/02/societal_securi.html
Another explanation of the Wason Selection Task, with a possible
correlation with psychopathy.
http://thelastpsychiatrist.com/2010/12/test_of_psychopathy.html
** *** ***** ******* *********** *************
Ebook Fraud
There is an interesting post -- and discussion -- on the blog Making Light
about ebook fraud. Currently there are two types of fraud. The first is
content farming, discussed in two interesting blog posts linked to below.
People are creating automatically generated content, web-collected content,
or fake content, turning it into a book, and selling it on an ebook site
like Amazon.com. Then they use multiple identities to give it good
reviews. (If it gets a bad review, the scammer just relists the same
content under a new name.) That second blog post contains a screen shot of
something called "Autopilot Kindle Cash," which promises to teach people
how to post dozens of ebooks to Amazon.com per day.
The second type of fraud is stealing a book and selling it as an ebook. So
someone could scan a real book and sell it on an ebook site, even though he
doesn't own the copyright. It could be a book that isn't already available
as an ebook, or it could be a "low cost" version of a book that is already
available. Amazon doesn't seem particularly motivated to deal with this
sort of fraud. And it too is suitable for automation.
Broadly speaking, there's nothing new here. All complex ecosystems have
parasites, and every open communications system we've ever built gets
overrun by scammers and spammers. Far from making editors superfluous,
systems that democratize publishing have an even greater need for editors.
The solutions are not new, either: reputation-based systems, trusted
recommenders, white lists, takedown notices. Google has implemented a
bunch of security countermeasures against content farming; ebook sellers
should implement them as well. It'll be interesting to see what particular
sort of mix works in this case.
http://nielsenhayden.com/makinglight/archives/012933.html
http://www.impactmedia.co.uk/blog/search-marketing/are-ebooks-the-new-content-farms-2901/
or http://tinyurl.com/5rvs5kw
http://www.publishingtrends.com/2011/03/the-kindle-swindle/
"All complex ecosystems have parasites":
http://craphound.com/complexecosystems.txt
** *** ***** ******* *********** *************
Unanticipated Security Risk of Keeping Your Money in a Home Safe
In Japan, lots of people -- especially older people -- keep their life
savings in cash in their homes. (The country's banks pay very low
interest rates, so the incentive to deposit that money into bank accounts
is lower than in other countries.) This is all well and good, until a
tsunami destroys your home and washes your money out to sea. Then, when it
washes up onto the beach, the police collect it.
They have thousands, and -- in most cases -- no way of determining who
owns them.
After three months, the money goes to the government.
http://news.yahoo.com/s/ap/20110411/ap_on_bi_ge/as_japan_earthquake_lost_money
or http://tinyurl.com/3emdp5x
** *** ***** ******* *********** *************
News
Hacking cars with MP3 files: "By adding extra code to a digital music
file, they were able to turn a song burned to CD into a Trojan horse. When
played on the car's stereo, this song could alter the firmware of the car's
stereo system, giving attackers an entry point to change other components
on the car."
http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car
or http://tinyurl.com/4klcuot
http://www.technologyreview.com/computing/35094/
http://www.nytimes.com/2011/03/10/business/10hack.html
Hacking ATM users by gluing down keys.
http://www.sfexaminer.com/local/crime/2011/03/glue-gun-goons-target-unwary-atm-users
or http://tinyurl.com/4uhfgn3
Zombie fungus: as far as natural-world security stories go, this one is
pretty impressive.
http://www.schneier.com/blog/archives/2011/03/zombie_fungus.html
RSA Security, Inc. hacked. The company, not the algorithm.
http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html
I didn't post the video of a Times Square video screen being hacked with
an iPhone when I first saw it because I suspected a hoax. Turns out, I
was right. It wasn't even two guys faking hacking a Times Square video
screen. It was a movie studio faking two guys faking hacking a Times
Square video screen.
http://blog.movies.yahoo.com/blog/951-buzzy-viral-video-actually-a-promotion-for-limitless
or http://tinyurl.com/67wj3er
This is a really interesting paper: "Folk Models of Home Computer
Security," by Rick Wash. It was presented at SOUPS, the Symposium on
Usable Privacy and Security, last year.
http://www.rickwash.com/papers/rwash-homesec-soups10-final.pdf
I found this article on the difference between threats and vulnerabilities
to be very interesting. I like his taxonomy.
http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf
Technology for transmitting data through steel.
http://www.schneier.com/blog/archives/2011/03/transmitting_da.html
What's interesting is that this technology can be used to transmit through
TEMPEST shielding.
Detecting words and phrases in encrypted VoIP calls.
http://portal.acm.org/citation.cfm?doid=1880022.1880029
http://www.cs.unc.edu/~fabian/papers/tissec2010.pdf
I wrote about this in 2008.
http://www.schneier.com/blog/archives/2008/06/eavesdropping_o_2.html
Interesting research: "One Bad Apple Spoils the Bunch: Exploiting P2P
Applications to Trace and Profile Tor Users"
http://hal.inria.fr/inria-00574178/en/
A really interesting article on how to authenticate a launch order in a
nuclear command and control system.
http://www.slate.com/id/2286735
Interesting article on William Friedman and biliteral ciphers.
http://www.cabinetmagazine.org/issues/40/sherman.php
Nice infographic on detecting liars.
http://blogs.westword.com/showandtell/2011/03/how_to_spot_a_liar_gratuitous_randomness.php
or http://tinyurl.com/6fuxj7f
New paper by Ross Anderson: "Can We Fix the Security Economics of
Federated Authentication?"
http://spw.stca.herts.ac.uk/2.pdf
Also a blog post on the research.
http://www.lightbluetouchpaper.org/2011/03/24/can-we-fix-federated-authentication/
or http://tinyurl.com/4tavapf
In this amusing story of a terrorist plotter using pencil-and-paper
cryptography instead of actually secure cryptography, there's this great
paragraph: "Despite urging by the Yemen-based al Qaida leader Anwar Al
Anlaki, Karim also rejected the use of a sophisticated code program called
'Mujhaddin Secrets', which implements all the AES candidate cyphers,
'because "kaffirs", or non-believers, know about it so it must be less
secure.'" Actually, that's not how peer review works.
http://www.theregister.co.uk/2011/03/22/ba_jihadist_trial_sentencing/
The FBI asks for cryptanalysis help from the community.
http://www.fbi.gov/news/stories/2011/march/cryptanalysis_032911/cryptanalysis_032911
or http://tinyurl.com/4aqdqhs
http://www.networkworld.com/community/blog/fbi-wants-public-help-solving-encrypted-notes
or http://tinyurl.com/4d56zsz
http://news.yahoo.com/s/yblog_thelookout/20110329/ts_yblog_thelookout/fbi-asks-public-for-help-breaking-encrypted-notes-tied-to-1999-murder
or http://tinyurl.com/47rmo62
Comodo Group issues bogus SSL certificates. This isn't good.
http://www.wired.com/threatlevel/2011/03/comodo-compromise/
http://www.wired.com/threatlevel/2008/08/revealed-the-in/
http://threatpost.com/en_us/blogs/phony-web-certificates-issued-google-yahoo-skype-others-032311#
or http://tinyurl.com/4rdgqrb
http://www.bbc.co.uk/news/technology-12847072
http://www.zdnet.com/blog/security/microsoft-warns-fraudulent-digital-certificates-issued-for-high-value-websites/8488
or http://tinyurl.com/4e6tzsp
https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Fake certs for Google, Yahoo, and Skype? Wow. This isn't the first time
Comodo has screwed up with certificates. The safest thing for us users to
do would be to remove the Comodo root certificate from our browsers so that
none of their certificates work, but we don't have the capability to do
that. The browser companies -- Microsoft, Mozilla, Opera, etc. -- could do
that, but my guess is they won't. The economic incentives don't work
properly. Comodo is likely to sue any browser company that takes this sort
of action, and Comodo's customers might as well. So it's smarter for the
browser companies to just ignore the issue and pass the problem to us
users.
34 SCADA vulnerabilities published. It's hard to tell how serious this is.
http://www.wired.com/threatlevel/2011/03/scada-vulnerabilities/
Here's some very clever thinking from India's chief economic adviser. In
order to reduce bribery, he proposes legalizing the giving of bribes. The
idea is that after a bribe is given, both the briber and the bribee are
partners in the crime, and neither wants the bribe to become public.
However, if it is legal it give the bribe but illegal to take it, then
after the bribe the bribe giver is much more likely to cooperate with the
police. He notes that this only works for a certain class of bribes: when
you have to bribe officials for something you are already entitled to
receive. It won't work for any long-term bribery relationship, or in any
situation where the briber would otherwise not want the bribe to become
public.
http://finmin.nic.in/WorkingPaper/Act_Giving_Bribe_Legal.pdf
http://blogs.wsj.com/indiarealtime/2011/03/30/kaushik-basu-says-make-bribe-giving-legal/
or http://tinyurl.com/3e6zytr
"Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of
Homeland Security," by John Mueller and Mark Stewart. Of course, it's not
cost effective.
http://polisci.osu.edu/faculty/jmueller/MID11TSM.PDF
An optical stun ray has been patented; no idea if it actually works.
http://www.scientificamerican.com/article.cfm?id=patent-watch-apr-11
New research allows a computer to be pinpointed to within 690 meters, from
over the Internet. Impressive, and scary.
http://www.newscientist.com/article/dn20336-internet-probe-can-track-you-down-to-within-690-metres.html
or http://tinyurl.com/6hfz8gz
Terrorist alerts of Facebook and Twitter. What could possibly go wrong?
http://www.schneier.com/blog/archives/2011/04/get_your_terror.html
The former CIA general counsel, John A. Rizzo, talks about his agency's
assassination program, which has increased dramatically under the Obama
administration.
http://www.newsweek.com/2011/02/13/inside-the-killing-machine.html
And the ACLU Deputy Legal Director comments on the interview.
http://www.latimes.com/news/opinion/commentary/la-oe-jaffer-nationalsecurity-20110406,0,5838521.story
or http://tinyurl.com/6hbnzx7
New French law mandates sites save personal information even when it is no
longer required.
http://www.schneier.com/blog/archives/2011/04/new_french_law.html
Israel is thinking about creating a counter-cyberterrorism unit. You'd
think the country would already have one of those.
http://www.theregister.co.uk/2011/04/06/isreal_mulls_elite_counter_hacker_unit/
or http://tinyurl.com/67a368q
** *** ***** ******* *********** *************
Changing Incentives Creates Security Risks
One of the things I am writing about in my new book is how security
equilibriums change. They often change because of technology, but they
sometimes change because of incentives.
An interesting example of this is the recent scandal in the Washington,
DC, public school system over teachers changing their students' test
answers.
In the U.S., under the No Child Left Behind Act, students have to pass
certain tests; otherwise, schools are penalized. In the District of
Columbia, things went further. Michelle Rhee, chancellor of the public
school system from 2007 to 2010, offered teachers $8,000 bonuses -- and
threatened them with termination -- for improving test scores. Scores did
increase significantly during the period, and the schools were held up as
examples of how incentives affect teaching behavior.
It turns out that a lot of those score increases were faked. In addition
to teaching students, teachers cheated on their students' tests by changing
wrong answers to correct ones. That's how the cheating was discovered;
researchers looked at the actual test papers and found more erasures than
usual, and many more erasures from wrong answers to correct ones than could
be explained by anything other than deliberate manipulation.
Teachers were always able to manipulate their students' test answers, but
before, there wasn't much incentive to do so. With Rhee's changes, there
was a much greater incentive to cheat.
The point is that whatever security measures were in place to prevent
teacher cheating before the financial incentives and threats of firing
wasn't sufficient to prevent teacher cheating afterwards. Because Rhee
significantly increased the costs of cooperation (by threatening to fire
teachers of poorly performing students) and increased the benefits of
defection ($8,000), she created a security risk. And she should have
increased security measures to restore balance to those incentives.
http://www.usatoday.com/news/education/2011-03-28-1Aschooltesting28_CV_N.htm
or http://tinyurl.com/6epluee
This is not isolated to DC. It has happened elsewhere as well.
http://www.schneier.com/blog/archives/2010/06/cheating_on_tes_1.html
** *** ***** ******* *********** *************
Euro Coin Recycling Scam
This story is just plain weird. Regularly, damaged coins are taken out of
circulation. They're destroyed and then sold to scrap metal dealers. That
makes sense, but it seems that one- and two-euro coins aren't destroyed
very well. They're both bi-metal designs, and they're just separated into
an inner core and an outer ring and then sold to Chinese scrap metal
dealers. The dealers, being no dummies, put the two parts back together
and sold them back to a German bank at face value. The bank was chosen
because they accept damaged coins and don't inspect them very carefully.
Is this not entirely predictable? If you're going to take coins out of
circulation, you had better use a metal shredder. (Except for U.S.
pennies, which are worth more in component metals.)
http://www.spiegel.de/international/germany/0,1518,754238,00.html
Pennies.
http://www.snopes.com/business/money/pennycost.asp
** *** ***** ******* *********** *************
Security Fears of Wi-Fi in London Underground
The London Underground is getting Wi-Fi. Of course there are security
fears. The article below worries that this will enable people to use
their laptop as a cell phone, and that in Afghanistan and Iraq bomb
attacks have been detonated using cell phones. Also, eavesdropping
software exists.
This is just silly. We could have a similar conversation regarding any
piece of our infrastructure. Yes, the bad guys could use it, just as they
use telephones and automobiles and all-night restaurants. If we didn't
deploy technologies because of this fear, we'd still be living in the
Middle Ages.
http://www.bbc.co.uk/news/uk-england-london-12856289
** *** ***** ******* *********** *************
Schneier News
I'm speaking at InfoSec Europe in London on April 20.
http://www.infosec.co.uk/page.cfm/Link=687
I'm also speaking at the Activate conference in New York on April 28.
http://www.guardian.co.uk/activate/new-york-programme
** *** ***** ******* *********** *************
Epsilon Hack
I have no idea why the Epsilon hack is getting so much press.
Yes, millions of names and e-mail addresses might have been stolen. Yes,
other customer information might have been stolen, too. Yes, this
personal information could be used to create more personalized and better
targeted phishing attacks.
So what? These sorts of breaches happen all the time, and even more
personal information is stolen.
I get that over 50 companies were affected, and some of them are big
names. But the hack of the century? Hardly.
http://www.bloomberg.com/news/2011-04-04/marriott-hilton-hit-by-data-breach-giving-access-to-customer-information.html
or http://tinyurl.com/3ar42xk
http://www.infosecurity-magazine.com/view/17088/epsilon-hack-50-companies-hit-by-data-breach/
or http://tinyurl.com/42l987f
http://articles.cnn.com/2011-04-04/tech/epsilon.stolen.emails_1_fake-e-mail-phishing-security-breach
or http://tinyurl.com/3ouylro
http://www.usatoday.com/tech/news/2011-04-04-epsilon-hacking-poses-phishing-threat.htm
or http://tinyurl.com/3o3696f
http://www.huffingtonpost.com/2011/04/03/epsilon-hack_n_844212.html
"The hack of the century":
http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century or
http://tinyurl.com/3f56qkn
** *** ***** ******* *********** *************
Schneier's Law
Back in 1998, I wrote: "Anyone, from the most clueless amateur to the
best cryptographer, can create an algorithm that he himself can't break."
In 2004, Cory Doctorow called this Schneier's law: "...what I think of as
Schneier's Law: 'any person can invent a security system so clever that she
or he can't think of how to break it.'"
The general idea is older than my writing. Wikipedia points out that in
The Codebreakers, David Kahn writes: "Few false ideas have more firmly
gripped the minds of so many intelligent men than the one that, if they
just tried, they could invent a cipher that no one could break."
The idea is even older. Back in 1864, Charles Babbage wrote: "One of the
most singular characteristics of the art of deciphering is the strong
conviction possessed by every person, even moderately acquainted with it,
that he is able to construct a cipher which nobody else can decipher."
My phrasing is different, though. Here's my original quote in context:
"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can't break. It's not even hard. What
is hard is creating an algorithm that no one else can break, even after
years of analysis. And the only way to prove that is to subject the
algorithm to years of analysis by the best cryptographers around."
And here's me in 2006: "Anyone can invent a security system that he
himself cannot break. I've said this so often that Cory Doctorow has named
it 'Schneier's Law': When someone hands you a security system and says, 'I
believe this is secure,' the first thing you have to ask is, 'Who the hell
are you?' Show me what you've broken to demonstrate that your assertion of
the system's security means something."
And that's the point I want to make. It's not that people believe they
can create an unbreakable cipher; it's that people create a cipher that
they themselves can't break, and then use that as evidence they've created
an unbreakable cipher.
Me in 1998:
http://www.schneier.com/crypto-gram-9810.html#cipherdesign
Me in 2006:
http://www.schneier.com/crypto-gram-0608.html#7
Cory Doctorow:
http://craphound.com/msftdrm.txt
Charles Babbage:
http://www-history.mcs.st-and.ac.uk/history/Extras/Babbage_deciphering.html
** *** ***** ******* *********** *************
How did the CIA and FBI Know that Australian Government
Computers Were Hacked?
Newspapers are reporting that, for about a month, hackers had access to
computers "of at least 10 federal ministers including the Prime Minister,
Foreign Minister and Defence Minister."
That's not much of a surprise. What is odd is the statement that
"Australian intelligence agencies were tipped off to the cyber-spy raid by
US intelligence officials within the Central Intelligence Agency and the
Federal Bureau of Investigation."
How did the CIA and the FBI know? Did they see some intelligence traffic
and assume that those computers were where the stolen e-mails were coming
from? Or something else?
http://www.dailytelegraph.com.au/news/national/hackers-log-in-to-federal-mps-emails/story-e6freuzr-1226029677394
or http://tinyurl.com/6hm3fk9
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer and
otherwise. You can subscribe, unsubscribe, or change your address on the
Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security
Technology Officer of BT BCSG, and is on the Board of Directors of the
Electronic Privacy Information Center (EPIC). He is a frequent writer and
lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2011 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list