"The Behavioral Economics of Personal Information"
Dec. 28th, 2009 | 07:09 am
posted by:
bruce_schneier
Good survey article by Alessandro Acquisti in IEEE Security & Privacy.
Separating Explosives from the Detonator
Dec. 26th, 2009 | 05:43 pm
posted by:
bruce_schneier
Chechen terrorists did it in 2004. I said this in an interview with then TSA head Kip Hawley in 2007:
I don't want to even think about how much C4 I can strap to my legs and walk through your magnetometers.
And what sort of magical thinking is behind the rumored TSA rule about keeping passengers seated during the last hour of flight? Do we really think the terrorist won't think of blowing up their improvised explosive devices during the first hour of flight?
For years I've been saying this:
Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.
This week, the second one worked over Detroit. Security succeeded.
EDITED TO ADD (12/26): Only one carry on? No electronics for the first hour of flight? I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks.
Friday Squid Blogging: Squid Creche
Dec. 25th, 2009 | 04:49 pm
posted by:
bruce_schneier
Happy Squidmas, everybody.
Friday Squid Blogging: Madonna and Squid
Dec. 25th, 2009 | 04:22 pm
posted by:
bruce_schneier
A painting.
Intercepting Predator Video
Dec. 24th, 2009 | 05:24 am
posted by:
bruce_schneier
Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still.
The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren't "hacked" -- the insurgents can’t control them -- but because the downlink is unencrypted, they can watch the same video stream as the coalition troops on the ground.
The naive reaction is to ridicule the military. Encryption is so easy that HDTVs do it -- just a software routine and you're done -- and the Pentagon has known about this flaw since Bosnia in the 1990s. But encrypting the data is the easiest part; key management is the hard part. Each UAV needs to share a key with the ground station. These keys have to be produced, guarded, transported, used and then destroyed. And the equipment, both the Predators and the ground terminals, needs to be classified and controlled, and all the users need security clearance.
The command and control channel is, and always has been, encrypted -- because that's both more important and easier to manage. UAVs are flown by airmen sitting at comfortable desks on U.S. military bases, where key management is simpler. But the video feed is different. It needs to be available to all sorts of people, of varying nationalities and security clearances, on a variety of field terminals, in a variety of geographical areas, in all sorts of conditions -- with everything constantly changing. Key management in this environment would be a nightmare.
Additionally, how valuable is this video downlink to the enemy? The primary fear seems to be that the militants watch the video, notice their compound being surveilled and flee before the missiles hit. Or notice a bunch of Marines walking through a recognizable area and attack them. This might make a great movie scene, but it's not very realistic. Without context, and just by peeking at random video streams, the risk caused by eavesdropping is low.
Contrast this with the additional risks if you encrypt: A soldier in the field doesn't have access to the real-time video because of a key management failure; a UAV can't be quickly deployed to a new area because the keys aren't in place; we can't share the video information with our allies because we can't give them the keys; most soldiers can't use this technology because they don't have the right clearances. Given this risk analysis, not encrypting the video is almost certainly the right decision.
There is another option, though. During the Cold War, the NSA's primary adversary was Soviet intelligence, and it developed its crypto solutions accordingly. Even though that level of security makes no sense in Bosnia, and certainly not in Iraq and Afghanistan, it is what the NSA had to offer. If you encrypt, they said, you have to do it "right."
The problem is, the world has changed. Today's insurgent adversaries don't have KGB-level intelligence gathering or cryptanalytic capabilities. At the same time, computer and network data gathering has become much cheaper and easier, so they have technical capabilities the Soviets could only dream of. Defending against these sorts of adversaries doesn't require military-grade encryption only where it counts; it requires commercial-grade encryption everywhere possible.
This sort of solution would require the NSA to develop a whole new level of lightweight commercial-grade security systems for military applications — not just office-data "Sensitive but Unclassified" or "For Official Use Only" classifications. It would require the NSA to allow keys to be handed to uncleared UAV operators, and perhaps read over insecure phone lines and stored in people's back pockets. It would require the sort of ad hoc key management systems you find in internet protocols, or in DRM systems. It wouldn't be anywhere near perfect, but it would be more commensurate with the actual threats.
And it would help defend against a completely different threat facing the Pentagon: The PR threat. Regardless of whether the people responsible made the right security decision when they rushed the Predator into production, or when they convinced themselves that local adversaries wouldn't know how to exploit it, or when they forgot to update their Bosnia-era threat analysis to account for advances in technology, the story is now being played out in the press. The Pentagon is getting beaten up because it's not protecting against the threat — because it's easy to make a sound bite where the threat sounds really dire. And now it has to defend against the perceived threat to the troops, regardless of whether the defense actually protects the troops or not. Reminds me of the TSA, actually.
So the military is now committed to encrypting the video ... eventually. The next generation Predators, called Reapers -- Who names this stuff? Second-grade boys? -- will have the same weakness. Maybe we’ll have encrypted video by 2010, or 2014, but I don't think that's even remotely possible unless the NSA relaxes its key management and classification requirements and embraces a lightweight, less secure encryption solution for these sorts of situations. The real failure here is the failure of the Cold War security model to deal with today's threats.
This essay originally appeared on Wired.com.
EDITED TO ADD (12/24): Good article from The New Yorker on the uses -- and politics -- of these UAVs.
Plant Security Countermeasures
Dec. 23rd, 2009 | 07:50 am
posted by:
bruce_schneier
The essay is about veganism and plant eating, but I found the descriptions of plant security countermeasures interesting:
Plants can’t run away from a threat but they can stand their ground. “They are very good at avoiding getting eaten,” said Linda Walling of the University of California, Riverside. “It’s an unusual situation where insects can overcome those defenses.” At the smallest nip to its leaves, specialized cells on the plant’s surface release chemicals to irritate the predator or sticky goo to entrap it. Genes in the plant’s DNA are activated to wage systemwide chemical warfare, the plant’s version of an immune response. We need terpenes, alkaloids, phenolics — let’s move.
“I’m amazed at how fast some of these things happen,” said Consuelo M. De Moraes of Pennsylvania State University. Dr. De Moraes and her colleagues did labeling experiments to clock a plant’s systemic response time and found that, in less than 20 minutes from the moment the caterpillar had begun feeding on its leaves, the plant had plucked carbon from the air and forged defensive compounds from scratch.
Just because we humans can’t hear them doesn’t mean plants don’t howl. Some of the compounds that plants generate in response to insect mastication — their feedback, you might say — are volatile chemicals that serve as cries for help. Such airborne alarm calls have been shown to attract both large predatory insects like dragon flies, which delight in caterpillar meat, and tiny parasitic insects, which can infect a caterpillar and destroy it from within.
Enemies of the plant’s enemies are not the only ones to tune into the emergency broadcast. “Some of these cues, some of these volatiles that are released when a focal plant is damaged,” said Richard Karban of the University of California, Davis, “cause other plants of the same species, or even of another species, to likewise become more resistant to herbivores.”
There's more in the essay.
Luggage Locator
Dec. 22nd, 2009 | 12:20 pm
posted by:
bruce_schneier
Wow, is this a bad idea:
The Luggage Locator is an innovative product that travellers or anyone can use to locate items. It has been specifically engineered to help people find their luggage quickly and can also be used around the home or office.
A battery operated, two unit system, the Luggage Locator consists of a small transmitter about the size of a key chain and a lightweight receiver that attaches to any luggage handle. With the simple push of a button, the transmitter activates the receiver causing a bright flashing light and loud chirping sound. Locating your luggage after a long trip has never been quicker nor easier.
Anyone care to guess what's most likely to happen if a piece of luggage in an airport starts flashing and chirping? I think it'll be taken out to the tarmac and blown up using remote controlled bazookas.
Howard Schmidt to be Named U.S. Cybersecurity Czar
Dec. 22nd, 2009 | 09:28 am
posted by:
bruce_schneier
I heard this rumor two days ago, and The New York Times is reporting it today.
Reporters are calling me for reactions and opinions, but I just don't know. Schmidt is good, but I don't know if anyone can do well in a job with lots of responsibility but no actual authority. But maybe Obama will imbue the position with authority -- I don't know.
Santa's Naughty–Nice Database Hacked
Dec. 21st, 2009 | 12:58 pm
posted by:
bruce_schneier
This is very serious.
Defeating Microsoft BitLocker
Dec. 21st, 2009 | 08:30 am
posted by:
bruce_schneier
Friday Squid Blogging: Squid Mosaic
Dec. 18th, 2009 | 04:33 pm
posted by:
bruce_schneier
Neat.
Yet Another Schneier Interview
Dec. 18th, 2009 | 02:25 pm
posted by:
bruce_schneier
This one for ZDNet.uk.
Live Face-Off with Marcus Ranum at ISD
Dec. 18th, 2009 | 10:59 am
posted by:
bruce_schneier
Here are the six links to the face-off Marcus Ranum and I did on stage at the Information Security Decisions conference in Chicago.
MagnePrint Technology for Credit/Debit Cards
Dec. 18th, 2009 | 06:32 am
posted by:
bruce_schneier
This seems like a solution in search of a problem:
MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable.
Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.
Basically, each card gets a "fingerprint" of the magnetic strip printed on it. And the reader (merchant terminal, ATM machine, whatever) verifies not only the card information, but the fingerprint as well. So a thief can't skim your card information and make another card.
I see a couple of issues here. One, any fraud solution that requires the credit card companies to issue new readers simply isn't going to happen in the U.S. If it were, we'd have embedded chips in our credit cards already. Trying to convince the merchants to type additional data in by hand isn't going to work, either. We finally got merchants to type in a 3–4 digit CVV code -- that basically does the same thing as this idea (albeit with less security).
Two, physically cloning cards is much less of a threat than virtually cloning them: buying things over the phone and Internet, etc. Yes, there are losses here, but I'm sure they're not great enough to justify all of this infrastructure change.
Still, a clever security idea. I expect there's an application for this somewhere.
Australia Restores Some Sanity to Airport Screening
Dec. 17th, 2009 | 12:54 pm
posted by:
bruce_schneier
Carry-on baggage rules will be relaxed under a shake-up of aviation security announced by the Federal Government today.
The changes will see passengers again allowed to carry some sharp implements, such as nail files and clippers, umbrellas, crochet and knitting needles on board aircraft from July next year.
Metal cutlery will return to cabin meals and airport restaurants following Government recognition that security arrangements must be targeted at 'real risks'.
I'm sure these rules won't apply to flights to the U.S., where security arrangements must still be targeted at movie-plot threats.
The Politics of Power in Cyberspace
Dec. 17th, 2009 | 06:10 am
posted by:
bruce_schneier
Thoughtful blog post by The Atlantic's Marc Ambinder:
We allow Google, Amazon.com, credit companies and all manner of private corporations to collect intimate information about our lives, but we reflexively recoil when the government proposes to monitor (and not even collect) a fraction of that information, even with legal safeguards. We carry in our wallets credit cards with RFID chips. Data companies send unmarked vans in our neighborhoods, mapping wireless networks. The IBM scientist and tech guru Jeff Jonas noted on his blog that every time we send a text message, we're contributing to a cloud where "powerful analytics commingle space-time-travel data with tertiary data." Geolocated tweets can tell everyone where we are, what we're doing, and who we like. Sure, the data is ostensibly anonymized, but the reality is a bit different: we provide so much of it that, as Jonas notes, we tend to re-identify ourselves -- out our identity -- fairly quickly. This is good and bad; the world becomes more efficient, we leave less of a footprint, we get what we want more quickly. But we also sacrifice privacy, individuality, and other goods that can't be measured in dollars and cents.
Government power is just different than corporate power. Our engagement with technology implies a certain consent to give up information to companies. A deeper mistrust of government is healthy, so far as it places pressure on lawmakers to properly oversee the exercise of state power. Warrantless domestic surveillance by NSA during the Bush administration doubtless ensnared a number of innocent Americans and monitored the communications of people who posed no harm to anyone. Where the standard is personal privacy and the rule of law, the violation is severe.
But where the standard is harm, the damage is minimal compared to the information that is routinely and legally collected by non-state entities -- information that is used to target us for political appeals, to sell us something, or to steal money, to pilfer intellectual property or abuse technology. 85 percent of infrastructure in this country is in private hands; it is extremely vulnerable to attack and even to catastrophic resource failure.
[...]
This asymmetry is distorting the politics of cyber security. It frustrates the front line cyber folks to no end, but they are, in some ways, responsible for it.
For one thing, the NSA lacks credibility with many Americans and with some lawmakers because of its aforementioned activities. And yet the NSA is -- really -- the only entity with the expertise, the size, and the capability to secure the cyber realm. For another, the government remains obsessed with secrecy. The NSA and the Department of Defense can penetrate virtually any computer network on the face of the planet, and probably do so with regularity for defense purposes. Their capabilities in this "offensive" realm are awesome, and kind of scary. The technology that'll be used to defend the country from cyber attacks of all types is the same technology used to track insurgents in Iraq (classified), tap into terrorist net-centered communications (classified), probe nation-state computer defenses (classified), figure out how to electronically hack into missile guidance systems (classified). Also: they're worried that terrorists would figure out how vulnerable we really are if they knew everything. Here's the weird part: China, Russia, savvy cyber terrorists -- they know all this. They have the same technology.
My essay on who should be in charge of cybersecurity.
Facial Recognition Door Lock
Dec. 16th, 2009 | 12:08 pm
posted by:
bruce_schneier
Only $456.
Telcoms Security
Dec. 16th, 2009 | 06:20 am
posted by:
bruce_schneier
The U.S. Civil Rights Movement as an Insurgency
Dec. 15th, 2009 | 07:57 am
posted by:
bruce_schneier
This is interesting:
Most Americans fail to appreciate that the Civil Rights movement was about the overthrow of an entrenched political order in each of the Southern states, that the segregationists who controlled this order did not hesitate to employ violence (law enforcement, paramilitary, mob) to preserve it, and that for nearly a century the federal government tacitly or overtly supported the segregationist state governments. That the Civil Rights movement employed nonviolent tactics should fool us no more than it did the segregationists, who correctly saw themselves as being at war. Significant change was never going to occur within the political system: it had to be forced. The aim of the segregationists was to keep the federal government on the sidelines. The aim of the Civil Rights movement was to "capture" the federal government -- to get it to apply its weight against the Southern states. As to why it matters: a major reason we were slow to grasp the emergence and extent of the insurgency in Iraq is that it didn't -- and doesn't -- look like a classic insurgency. In fact, the official Department of Defense definition of insurgency still reflects a Vietnam era understanding of the term. Looking at the Civil Rights movement as an insurgency is useful because it assists in thinking more comprehensively about the phenomenon of insurgency and assists in a more complete -- and therefore more useful -- definition of the term.
The link to his talk is broken, unfortunately.
EDITED TO ADD (12/15): Video here. Thanks, mcb.
