CRYPTO-GRAM, May 15, 2011
Bruce Schneier
schneier at SCHNEIER.COM
Sat May 14 18:04:28 PDT 2011
CRYPTO-GRAM
May 15, 2011
by Bruce Schneier
Chief Security Technology Officer, BT
schneier at schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1105.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively comment section. An
RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Status Report: "The Dishonest Minority"
RFID Tags Protecting Hotel Towels
News
Hijacking the Coreflood Botnet
Schneier News
Drugging People and Then Robbing Them
Interviews with Me About the Sony Hack
** *** ***** ******* *********** *************
Status Report: "The Dishonest Minority"
Three months ago, I announced that I was writing a book on why security
exists in human societies. This is basically the book's thesis statement:
All complex systems contain parasites. In any system of
cooperative behavior, an uncooperative strategy will be effective
-- and the system will tolerate the uncooperatives -- as long as
they're not too numerous or too effective. Thus, as a species
evolves cooperative behavior, it also evolves a dishonest minority
that takes advantage of the honest majority. If individuals
within a species have the ability to switch strategies, the
dishonest minority will never be reduced to zero. As a result,
the species simultaneously evolves two things: 1) security systems
to protect itself from this dishonest minority, and 2) deception
systems to successfully be parasitic.
Humans evolved along this path. The basic mechanism can be
modeled simply. It is in our collective group interest for
everyone to cooperate. It is in any given individual's short-term
self-interest not to cooperate: to defect, in game theory terms.
But if everyone defects, society falls apart. To ensure
widespread cooperation and minimal defection, we collectively
implement a variety of societal security systems.
Two of these systems evolved in prehistory: morals and reputation.
Two others evolved as our social groups became larger and more
formal: laws and technical security systems. What these security
systems do, effectively, is give individuals incentives to act in
the group interest. But none of these systems, with the possible
exception of some fanciful science-fiction technologies, can ever
bring that dishonest minority down to zero.
In complex modern societies, many complications intrude on this
simple model of societal security. Decisions to cooperate or
defect are often made by groups of people -- governments,
corporations, and so on -- and there are important differences
because of dynamics inside and outside the groups. Much of our
societal security is delegated -- to the police, for example --
and becomes institutionalized; the dynamics of this are also
important.
Power struggles over who controls the mechanisms of societal
security are inherent: "group interest" rapidly devolves to "the
king's interest." Societal security can become a tool for those
in power to remain in power, with the definition of "honest
majority" being simply the people who follow the rules.
The term "dishonest minority" is not a moral judgment; it simply
describes the minority who does not follow societal norms. Since
many societal norms are in fact immoral, sometimes the dishonest
minority serves as a catalyst for social change. Societies
without a reservoir of people who don't follow the rules lack an
important mechanism for societal evolution. Vibrant societies
need a dishonest minority; if society makes its dishonest minority
too small, it stifles dissent as well as common crime.
At this point, I have most of a first draft: 75,000 words. The tentative
title is still "The Dishonest Minority: Security and its Role in Modern
Society." I have signed a contract with Wiley to deliver a final
manuscript in November for February 2012 publication. Writing a book is a
process of exploration for me, and the final book will certainly be a
little different -- and maybe even very different -- from what I wrote
above. But that's where I am today.
And it's why my other writings -- and the issues of Crypto-Gram --
continue to be sparse.
Lots of comments -- over 200 -- to the blog post. Please comment there; I
want the feedback.
http://www.schneier.com/blog/archives/2011/02/societal_securi.html
** *** ***** ******* *********** *************
RFID Tags Protecting Hotel Towels
The stealing of hotel towels isn't a big problem in the scheme of world
problems, but it can be expensive for hotels. Sure, we have moral
prohibitions against stealing -- that'll prevent most people from stealing
the towels. Many hotels put their name or logo on the towels. That works
as a reputational societal security system; most people don't want their
friends to see obviously stolen hotel towels in their bathrooms.
Sometimes, though, this has the opposite effect: making towels and other
items into souvenirs of the hotel and thus more desirable to steal. It's
against the law to steal hotel towels, of course, but with the exception of
large-scale thefts, the crime will never be prosecuted. (This might be
different in third world countries. In 2010, someone was sentenced to
three months in jail for stealing two towels from a Nigerian hotel.) The
result is that more towels are stolen than hotels want. And for expensive
resort hotels, those towels are expensive to replace.
The only thing left for hotels to do is take security into their own
hands. One system that has become increasingly common is to set prices
for towels and other items -- this is particularly common with bathrobes
-- and charge the guest for them if they disappear from the rooms. This
works with some things, but it's too easy for the hotel to lose track of
how many towels a guest has in his room, especially if piles of them are
available at the pool.
A more recent system, still not widespread, is to embed washable RFID
chips into the towels and track them that way. The one data point I have
for this is an anonymous Hawaii hotel that claims they've reduced towel
theft from 4,000 a month to 750, saving $16,000 in replacement costs
monthly.
Assuming the RFID tags are relatively inexpensive and don't wear out too
quickly, that's a pretty good security trade-off.
Blog entry URL:
http://www.schneier.com/blog/archives/2011/05/rfid_tags_prote.html
Stealing hotel items:
http://today.msnbc.msn.com/id/31046570
Nigerian case:
http://travel.usatoday.com/hotels/post/2010/09/woman-faces-jailed-for-stealing-hotel-towels-at-hilton-hotel-/114364/1
or http://tinyurl.com/3z7p98w
RFID chips in towels:
http://intransit.blogs.nytimes.com/2011/04/11/gee-how-did-that-towel-end-up-in-my-suitcase/
or http://tinyurl.com/6bp4lkr
** *** ***** ******* *********** *************
News
WikiLeaks cable about Chinese hacking of U.S. networks:
http://www.schneier.com/blog/archives/2011/04/wikileaks_cable.html
Increasingly, chains of evidence include software steps. It's not just
the RIAA suing people -- and getting it wrong -- based on automatic
systems to detect and identify file sharers. It's forensic programs used
to collect and analyze data from computers and smart phones. It's audit
logs saved and stored by ISPs and websites. It's location data from cell
phones. It's e-mails and IMs and comments posted to social networking
sites. It's tallies from digital voting machines. It's images and
meta-data from surveillance cameras. The list goes on and on. We in the
security field know the risks associated with trusting digital data, but
this evidence is routinely assumed by courts to be accurate. Sergey Bratus
is starting to look at this problem. His paper, written with Ashlyn
Lembree and Anna Shubina, is "Software on the Witness Stand: What Should It
Take for Us to Trust It?"
http://www.schneier.com/blog/archives/2011/04/software_as_evi.html
Interesting blog post on the security costs for the $50B Air Force bomber
program -- estimated to be $8B. This isn't all computer security, but the
original article specifically calls out Chinese computer espionage as a
primary threat.
http://taosecurity.blogspot.com/2011/04/apt-drives-up-bomber-cost.html
A criminal gang is stealing truckloads of food. It's a professional
operation. The group knew how wholesale foodstuff trucking worked. They
set up a bogus trucking company. They bid for jobs, collected the
trailers, and disappeared. Presumably they knew how to fence the goods,
too.
http://www.nytimes.com/2011/04/15/business/15bandits.html
The CIA has just declassified six documents about World War I security
techniques. (The media is reporting they're CIA documents, but the CIA
didn't exist before 1947.) Lots of stuff about secret writing and
pre-computer tradecraft.
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-one.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-two.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-three.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-four.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-five.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-six.pdf
http://www.fas.org/blog/secrecy/2011/04/cia_wwi.html
http://www.huffingtonpost.com/2011/04/19/cia-world-war-one-documents-declassified_n_851281.html
or http://tinyurl.com/6h5e6zg
Hard-drive steganography through fragmentation:
http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragmentation-embeds-a-spys-secrets.html
or http://tinyurl.com/4xz4vc5
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-51BBKRS-1&_user=10&_coverDate=01%2F31%2F2011&_rdoc=1&_fmt=high&_orig=gateway&_origin=gateway&_sort=d&_docanchor=&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=ee913861b3d05b46b905bd4d52ca9380&searchtype=a
or http://tinyurl.com/3cyhves
As I've written before, I run an open wi-fi network. After the stories of
people being arrested and their homes being invaded based on other people
using their networks to download child porn, I rethought that position --
and decided I *still* want to run an open wireless network.
http://arstechnica.com/tech-policy/news/2011/04/fbi-child-porn-raid-a-strong-argument-for-locking-down-wifi-networks.ars
or http://tinyurl.com/3nvokkh
http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
The EFF is calling for an open wireless movement.
https://www.eff.org/deeplinks/2011/04/open-wireless-movement
It's standard sociological theory that a group experiences social
solidarity in response to external conflict. This paper studies the
phenomenon in the United States after the 9/11 terrorist attacks.
http://septembereleven2001.files.wordpress.com/2010/06/collins_2004_rituals_of_solidarity.pdf
or http://tinyurl.com/3oxwkm5
http://onlinelibrary.wiley.com/doi/10.1111/j.1467-9558.2004.00204.x/abstract
or http://tinyurl.com/3moz2en
Good paper: "Loving the Cyber Bomb? The Dangers of Threat Inflation in
Cybersecurity Policy," by Jerry Brito and Tate Watkins.
http://mercatus.org/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy
or http://tinyurl.com/3dcahg3
http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like-the-bush-admin-talked-wmds.ars
or http://tinyurl.com/3pdmlou
Also worth reading is an earlier paper by Sean Lawson: "Beyond Cyber Doom."
http://mercatus.org/publication/beyond-cyber-doom
"ReallyVirtual" tweeted the bin Laden assassination without realizing it.
http://chirpstory.com/li/1288
The Nikon image authentication has been cracked.
http://blog.crackpassword.com/2011/04/nikon-image-authentication-system-compromised/
or http://tinyurl.com/4yv49pw
http://www.theregister.co.uk/2011/04/28/nikon_image_faking_hack/
Canon's system is just as bad, by the way.
http://www.elcomsoft.com/canon.html
Fifteen years ago, I co-authored a paper on the problem. The idea was to
use a hash chain to better deal with the possibility of a secret-key
compromise.
http://www.schneier.com/paper-camera.html
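To make the hash-chain idea concrete, here is an added illustration; it is not code from the 1996 paper or from any camera vendor, and the key-evolution function, the tag format, the verifier model and the sample images are all assumptions of this example. The camera holds only its current key and replaces it with a one-way hash of itself after every picture, and each tag also covers the previous tag, so the images form a chain. A verifier that knows the initial key can replay the ratchet. An attacker who extracts the key from the camera at some point can only forge pictures taken from that point on; earlier keys cannot be recovered, and deleting or reordering a picture breaks the chain.

```python
"""Forward-secure, hash-chained image authentication (illustrative example)."""
import hashlib
import hmac

TAG_LEN = 32
CHAIN_ANCHOR = b"\x00" * TAG_LEN  # stands in for the "previous tag" of image 0


def ratchet(key: bytes) -> bytes:
    """Assumed one-way key evolution: K_{i+1} = SHA-256("ratchet" || K_i).
    Learning K_{i+1} does not reveal K_i, which is what protects old images."""
    return hashlib.sha256(b"ratchet" + key).digest()


def compute_tag(key: bytes, index: int, prev_tag: bytes, image: bytes) -> bytes:
    """Assumed tag format: HMAC over position, previous tag and image bytes."""
    msg = index.to_bytes(4, "big") + prev_tag + image
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthenticatedCamera:
    """Keeps only the current key; the previous key is erased after each shot."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_tag = CHAIN_ANCHOR
        self._index = 0

    def capture(self, image: bytes):
        tag = compute_tag(self._key, self._index, self._prev_tag, image)
        record = (self._index, image, tag)
        self._key = ratchet(self._key)  # move forward, forget the old key
        self._prev_tag = tag
        self._index += 1
        return record

    def dump_key(self) -> bytes:
        """Models an attacker extracting the current key from the device."""
        return self._key


def verify_chain(initial_key: bytes, records) -> bool:
    """The verifier (assumed to hold K_0, e.g. manufacturer or escrow) replays
    the ratchet and checks both the tag and the chain linkage of every record."""
    key, prev_tag = initial_key, CHAIN_ANCHOR
    for expected_index, (index, image, tag) in enumerate(records):
        if index != expected_index:
            return False  # a record was deleted, inserted or reordered
        if not hmac.compare_digest(compute_tag(key, index, prev_tag, image), tag):
            return False
        key, prev_tag = ratchet(key), tag
    return True


def forge(records, compromised_key, compromised_index, target_index, new_image):
    """Attacker holding K_c (key after `compromised_index` shots) replaces one
    image. For target >= c the right key is obtained by ratcheting forward;
    for target < c no correct key is available, so K_c is used as a best effort."""
    key = compromised_key
    for _ in range(max(0, target_index - compromised_index)):
        key = ratchet(key)
    forged = list(records)
    prev_tag = CHAIN_ANCHOR if target_index == 0 else forged[target_index - 1][2]
    forged[target_index] = (target_index, new_image,
                            compute_tag(key, target_index, prev_tag, new_image))
    for i in range(target_index + 1, len(forged)):  # re-link later records
        key = ratchet(key)
        idx, img, _ = forged[i]
        forged[i] = (idx, img, compute_tag(key, idx, forged[i - 1][2], img))
    return forged


def demo():
    """Constructed scenario: five shots, key stolen after the third."""
    k0 = hashlib.sha256(b"constructed demo seed").digest()
    cam = AuthenticatedCamera(k0)
    records = [cam.capture(b"constructed image %d" % i) for i in range(3)]
    k3 = cam.dump_key()  # attacker learns K_3 here
    records += [cam.capture(b"constructed image %d" % i) for i in range(3, 5)]
    return {
        "genuine": verify_chain(k0, records),
        "deleted": verify_chain(k0, records[:2] + records[3:]),
        "forge_before_compromise": verify_chain(k0, forge(records, k3, 3, 1, b"doctored")),
        "forge_after_compromise": verify_chain(k0, forge(records, k3, 3, 3, b"doctored")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'rejected'}")
```

The last result is the honest limit of the approach: once the key leaves the camera, pictures taken after that moment can be fabricated, which is why the key should live in tamper-resistant hardware and why a per-image counter and a trusted record of the chain head still matter.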
According to this article, students are no longer learning how to write in
cursive. And, if they are learning it, they're forgetting how. Certainly
the ubiquity of keyboards is leading to a decrease in writing by hand.
Relevant to security, the article claims that this is making signatures
easier to forge. I'm skeptical. Everyone has a scrawl of some sort; mine
has been completely illegible for years. But I don't see document forgery
as a big risk; far bigger is the automatic authentication systems that
don't have anything to do with traditional forgery.
http://www.nytimes.com/2011/04/28/us/28cursive.html
Unintended security consequences of the new Pyrex recipe: because it's no
longer useful in cooking crack cocaine, drug makers now have to steal
better stuff from laboratories.
http://www.popsci.com/science/article/2011-03/gray-matter-cant-take-heat
or http://tinyurl.com/6967a22
"Operation Pumpkin": Wouldn't it have been great if this were not a joke:
the security contingency in place if Kate Middleton tried to run away just
before the wedding.
http://www.theregister.co.uk/2011/04/28/operation_pumpkin/
Bin Laden's death causes spike in suspicious package reports. It's not
that the risk is greater, it's that the fear is greater.
http://www.schneier.com/blog/archives/2011/05/osamas_death_ca.html
Exactly how did they confirm it was bin Laden's body?
http://www.newscientist.com/article/dn20439-osama-bin-laden-how-dna-identified-his-body.html
or http://tinyurl.com/3vrate8
http://www.cnn.com/2011/HEALTH/05/02/bin.laden.body.id/index.html
Here's a clever Web app that locates your stolen camera by searching the
EXIF data on public photo databases for your camera's serial number.
http://www.stolencamerafinder.com/
Forged memory: a scary development in rootkits.
http://www.techrepublic.com/blog/security/forged-memory-fools-antimalware-a-new-development-in-rootkits/5443
or http://tinyurl.com/3dpxsyk
New vulnerability in online payment system: the connection between the
merchant site and PayPal.
http://www.newscientist.com/article/mg21028095.600-hackers-trick-goods-out-of-online-shopping-sites.html
or http://tinyurl.com/3q3j4ob
http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
In online hacking, we've moved to the world of "steal everything." As
both data storage and data processing become cheaper, more and more data
is collected and stored. An unanticipated effect of this is that more and
more data can be stolen and used. As the article says, data minimization
is the most effective security tool against this sort of thing. But -- of
course -- it's not in the database owner's interest to limit the data it
collects; it's in the interests of those whom the data is about.
http://www.bbc.co.uk/news/technology-13213632
Medieval tally stick discovered in Germany. Note the security built into
this primitive contract system. Neither side can cheat -- alter the
notches -- because if they do, the two sides won't match.
http://www.schneier.com/blog/archives/2011/05/medieval_tally.html
"Resilience of the Internet Interconnection Ecosystem," by Richard Clayton
-- worth reading.
http://www.lightbluetouchpaper.org/2011/04/12/resilience-of-the-internet-interconnection-ecosystem/
or http://tinyurl.com/69fcyql
http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report/at_download/fullReport
or http://tinyurl.com/3kkzdmq
http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report/at_download/execSummary
or http://tinyurl.com/3fmskr7
FBI surveillance tools:
https://www.eff.org/deeplinks/2011/04/CIPAV_Post
** *** ***** ******* *********** *************
Hijacking the Coreflood Botnet
Earlier this month, the FBI seized control of the Coreflood botnet and
shut it down: "According to the filing, ISC, under law enforcement
supervision, planned to replace the servers with servers that it
controlled, then collect the IP addresses of all infected machines
communicating with the criminal servers, and send a remote 'stop' command
to infected machines to disable the Coreflood malware operating on them."
This is a big deal; it's the first time the FBI has done something like
this. My guess is that we're going to see a lot more of this sort of
thing in the future; it's the obvious solution for botnets.
Not that the approach is without risks: "'Even if we could absolutely be
sure that all of the infected Coreflood botnet machines were running the
exact code that we reverse-engineered and convinced ourselves that we
understood,' said Chris Palmer, technology director for the Electronic
Frontier Foundation, 'this would still be an extremely sketchy action to
take. It's other people's computers and you don't know what's going to
happen for sure. You might blow up some important machine.'"
I just don't see this argument convincing very many people. Leaving
Coreflood in place could blow up some important machine. And leaving
Coreflood in place not only puts the infected computers at risk; it puts
the whole Internet at risk. Minimizing the collateral damage is
important, but this feels like a place where the interest of the Internet
as a whole trumps the interest of those affected by shutting down
Coreflood.
The problem as I see it is the slippery slope. Because next, the RIAA is
going to want to remotely disable computers they feel are engaged in
illegal file sharing. And the FBI is going to want to remotely disable
computers they feel are encouraging terrorism. And so on. It's important
to have serious legal controls on this counterattack sort of defense.
http://www.wired.com/threatlevel/2011/04/coreflood/
http://baylinks.com/blogs/?p=181
http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/
or http://tinyurl.com/63qupg8
http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html
or http://tinyurl.com/3koydsp
** *** ***** ******* *********** *************
Schneier News
Last year, I spoke at a regional TED event: TEDxPSU. The talk is now on
the TED website.
http://on.ted.com/Schneier
** *** ***** ******* *********** *************
Interviews with Me About the Sony Hack
These two interviews are what I get for giving interviews when I'm in a
bad mood. For the record, I think Sony did a terrible job with its
customers' security. I also think that most companies do a terrible job
with customers' security, simply because there isn't a financial incentive
to do better. And that most of us are pretty secure, despite that.
One of my biggest complaints with these stories is how little actual
information we have. We often don't know if any data was actually stolen,
only that hackers had access to it. We rarely know how the data was
accessed: what sort of vulnerability was used by the hackers. We rarely
know the motivations of the hackers: were they criminals, spies, kids, or
someone else? We rarely know if the data is actually used for any nefarious
purposes; it's generally impossible to connect a data breach with a
corresponding fraud incident. Given all of that, it's impossible to say
anything useful or definitive about the attack. But the press always wants
definitive statements.
http://m.kotaku.com/5797602/dont-blame-sony-you-cant-trust-any-networks
http://www.20minutes.fr/article/718918/bruce-schneier-une-intrusion-informatique-comme-meurtre-impossible-proteger-100
** *** ***** ******* *********** *************
Drugging People and Then Robbing Them
This is a pretty scary criminal tactic from Turkey. Burglars dress up as
doctors, ring doorbells, and hand out pills under one pretense or
another. The pills are actually powerful sedatives; when people take them
they pass out, and the burglars can ransack the house.
According to the article, when the police tried the same trick with
placebos, they got an 86% compliance rate.
Kind of like a real-world version of those fake anti-virus programs that
actually contain malware.
http://au.news.yahoo.com/odd/a/-/odd/9268075/police-dress-up-as-doctors-to-test-citizens/
or http://tinyurl.com/3flomba
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer and
otherwise. You can subscribe, unsubscribe, or change your address on the
Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security
Technology Officer of BT BCSG, and is on the Board of Directors of the
Electronic Privacy Information Center (EPIC). He is a frequent writer and
lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2011 by Bruce Schneier.
** *** ***** ******* *********** *************