Merit Network

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

[Netsec] FW: CRYPTO-GRAM, December 15, 2011

  • From: Howell, Paul
  • Date: Mon Dec 19 18:40:17 2011

From: Bruce Schneier [schneier@xxxxxxxxxxxx]
Sent: Thursday, December 15, 2011 1:49 AM
To: CRYPTO-GRAM-LIST@xxxxxxxxxxxxxxxxxxxx
Subject: CRYPTO-GRAM, December 15, 2011


               December 15, 2011

               by Bruce Schneier
       Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit

You can read this issue on the web at
<>.  These same essays and
news items appear in the "Schneier on Security" blog at
<>, along with a lively comment section.  An
RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
      Status Report: Liars and Outliers
      Malware on Smart Phones
      The SCADA Attack that Wasn't
      Carrier IQ Spyware
      Biological Link Between Altruism and Fairness
      Schneier News
      Iranians Capture U.S. Drone
      Recent Developments in Full Disclosure

** *** ***** ******* *********** *************

      Status Report: Liars and Outliers

After a long and hard year, Liars and Outliers is done.  I submitted the
manuscript to the publisher on November 1, got edits back from both an
outside editor and a copyeditor about a week later, spent another week
integrating the comments and edits, and submitted the final manuscript
to the publisher just before Thanksgiving.  I had a chance to proofread
the laid-out pages in early December, and now it's off to the printers.

It really feels great to be done.  This is the hardest book I've
written, and the most ambitious.  Now I have to see how it's received.
I know I should be thinking about creating a talk based on the book, but
I want some time away from the ideas.  I'll get back to that task in

Meanwhile, the publisher and I have been working on the cover.  We
settled on the art and layout months ago, but there's the back cover
copy, the inside flaps copy, the author's bio, and the blurbs.  I'm
really happy with the blurbs I've received, and we're deciding what goes
on the front cover, what goes on the back cover, and what goes inside on
the first couple of pages of the book.  Much of this text will also be
used at various online bookstores as well, and at my own webpage for the
book.  I'll post the whole cover when it's final.

After that, the publisher will create the various e-book formats.  I'm
not sure how the figures and tables will translate, but I'll figure it
out.  Publication is still scheduled for mid-February, in time for the
RSA Conference in San Francisco at the end of the month.  I'll be doing
a short interview about my book in something called the "Author's
Studio" on Wednesday, and will have a book signing at the conference
bookstore sometime that week.

Meanwhile, my publisher is printing galley copies. If anyone out there
has a legitimate reason to get one, like writing book reviews for a
newspaper, magazine, popular blog, etc., send me an e-mail and I'll
forward your request to Wiley's PR department.  I think they'll be ready
in a week or so, although it might be after the new year.

Additionally, I'm going to get 10 to 20 copies that I'd like to give
away to readers of Crypto-Gram and my blog.  I'm not sure how to do it,
though.  Offering copies to "the first N people who leave a comment"
would discriminate based on time zone.  Giving copies away randomly to
commenters seems, well, too easy.  The person in charge of PR at Wiley
wants me to give copies away randomly to people who "like" me on
Facebook or tweet about me to their friends, or do some other sort of
fake distributed marketing thing, but I'm not going to do that.

So to start, I've decided to give away a free galley copy of Liars and
Outliers to the person who can come up with the best way to give away
free galley copies of Liars and Outliers.  Leave your suggestions in
blog comments.

Leave suggestions for a galley-copy give-away:

** *** ***** ******* *********** *************

      Malware on Smart Phones

Two articles of note here.  The first is about the prevalence of malware
on Android phones.  I'm not surprised by this at all.  The Android
platform is where the malware action is.  I believe that smart phones
are going to become the primary platform of attack for cybercriminals in
the coming years.  As the phones become more integrated into people's
lives -- smart phone banking, electronic wallets -- they're simply going
to become the most valuable device for criminals to go after.  And I
don't believe the iPhone will be more secure because of Apple's rigid
policies for the app store.

The second article is a good debunking of the first article.  The author
is right.  Malware on portable devices isn't going to look or act the
same way as malware on traditional computers. It isn't going to spread
from phone to phone.  I'm more worried about Trojans, either on
legitimate or illegitimate apps, malware embedded in webpages, fake
updates, and so on.  A lot of this will involve social engineering the
user, but I don't see that as much of a problem.

But I do see mobile devices as the new target of choice.  And I worry
much more about privacy violations.  Your phone knows your location.
Your phone knows who you talk to and -- with a recorder -- what you say.
And when your phone becomes your digital wallet, your phone is going
to know a lot more intimate things about you.  All of this will be
useful to both criminals and marketers, and we're going to see all sorts
of illegal and quasi-legal ways both of those groups will go after that

And securing those devices is going to be hard, because we don't have
the same low-level access to these devices we have with computers.

Anti-virus companies are using FUD to sell their products, but there are
real risks here.  And the time to start figuring out how to solve them
is now.

** *** ***** ******* *********** *************


I thought this article on self-defense was very interesting.  Sam
Harris's three principles are: 1) Avoid dangerous people and dangerous
places, 2) Do not defend your property, and 3) Respond immediately and

Really nice article on cryptographer Paul Kocher and his company,
Cryptography Research, Inc.

Detecting psychopaths by their speech patterns:
I worry about people being judged by these criteria.  Psychopaths make
up about 1% of the population, so even a small false-positive rate can
be a significant problem.

The European Union has banned X-ray full body scanners at airports.
Millimeter wave scanners are allowed as long as they conform to privacy

Dan Boneh of Stanford University is teaching a free cryptography class
starting in January.

The DHS partners with Major League Soccer to promote fear:

Spider webs that contain ant poison:

There's a company that is tracking people in shopping malls using their
cell phones.
Two malls have shelved the system for now:

If something is protected by heavy security, it's obviously worth
stealing.  Here's an example from the insect world:

I have no idea if this story about CIA spies in Lebanon is true, and it
will almost certainly never be confirmed or denied:

The debate over full disclosure in computer security has been going on
for the better part of two decades now.  The stakes are much higher in

According to researchers, full-disk encryption is hampering police

Interesting essay on walls and their effects as security theater:

Seems the press reports about hacking into HP printers and setting them
on fire were more hype than reality.

GCHQ is holding a hacking contest to drum up new recruits.
The contest has been cracked, but only because the administrators didn't
hide the solution page from search engine spiders.

Invasive U.S. surveillance programs, either illegal like the NSA's
wiretapping of AT&T phone lines or legal as authorized by the PATRIOT
Act, are causing foreign companies to think twice about putting their
data in U.S. cloud systems.  I think these are legitimate concerns.  I
don't trust the U.S. government, law or no law, not to spy on my data if
it thought it was a good idea.  The more interesting question is: which
government should I trust instead?

In Montreal, police marked protesters with invisible ink to be able to
identify them later.  The next step is going to be a spray that marks
people surreptitiously, maybe with SmartWater.

A new Skype security flaw:

DARPA held an unshredding contest, and there's a winner.

Just in time for Christmas, a USB drive housed in a physical combination

Robbing a bank as part of a penetration test: a funny story.

This first-person account by a TSA airport screener is a few years old,
but I seem not to have linked to it before.

Dumbest camera ban ever: in London, of course: "While photography bans
are pretty common, the station has decided to only ban DSLRs due to
'their combination of high quality sensor and high resolution.' Other
cameras are allowed in, as long as they don't look 'big' enough to shoot
amazing photos."

This article on airplane security says many of the same things I've been
saying for years.
The author is a former Delta advisor.  Wired talked to him.

Yet more fear mongering from the DHS: Al Qaeda is sewing bombs into
people.  Actually, not really.  This is an "aspirational" terrorist
threat, which basically means that someone mentioned it while drunk in a
bar somewhere.  Of course, that won't stop the DHS from trying to
terrorize people with the idea and the security-industrial complex from
selling us an expensive "solution" to reduce our fears.  Wired:  "So: a
disruptive, potentially expensive panic based on a wild aspirational
scheme? Actually, that sounds a *lot* like al-Qaida. And the TSA."
Me: "Refuse to be terrorized."

Sparrows have fewer surviving offspring if they feel insecure,
regardless of whether they actually are insecure.  Seems as if the
sparrows could use a little security theater.

This is a really good analysis about the Buckshot Yankee attack against
the classified military computer network in 2008.  It contains a bunch
of details I had not previously known.

** *** ***** ******* *********** *************

      The SCADA Attack that Wasn't

Last month, there was a report of a hack against a SCADA system
controlling a water pump in Illinois that destroyed the pump.
Supposedly the Russians did it.  Then it was revealed that it was all a

The end of the second article makes the most important point, I think:

     Joe Weiss says he's shocked that a report like this was put out
     without any of the information in it being investigated and
     corroborated first.

     "If you can't trust the information coming from a fusion center,
     what is the purpose of having the fusion center sending anything
     out? That's common sense," he said. "When you read what's in
     that [report] that is a really, really scary letter. How could DHS
     not have put something out saying they got this [information but]
     it's preliminary?"

     Asked if the fusion center is investigating how information that
     was uncorroborated and was based on false assumptions got into a
     distributed report, spokeswoman Bond said an investigation of that
     sort is the responsibility of DHS and the other agencies who
     compiled the report. The center's focus, she said, was on how
     Weiss received a copy of the report that he should never have

     "We're very concerned about the leak of controlled information,"
     Bond said. "Our internal review is looking at how did this
     information get passed along, confidential or controlled
     information, get disseminated and put into the hands of users that
     are not approved to receive that information. That's number one."

Notice that the problem isn't that a non-existent threat was overhyped
in a report circulated in secret, but that the report became public.
Never mind that if the report hadn't become public, the report would
have never been revealed as erroneous.  How many other reports like this
are being used to justify policies that are as erroneous as the data
that supports them?

** *** ***** ******* *********** *************

      Carrier IQ Spyware

Spyware on many smart phones monitors your every action, including
collecting individual keystrokes.  The company that makes and runs this
software on behalf of different carriers, Carrier IQ, freaked when a
security researcher outed them.  It initially claimed it didn't monitor
keystrokes -- an easily refuted lie -- and threatened to sue the
researcher.  It took EFF getting involved to get the company to back
down.  (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here.  Threatening the researcher
was a panic reaction, but I think it's still clinging to the notion that
it can keep the details of what it does secret, or hide behind marketing
statements and hair-splitting denials.

Several things matter here: 1) what data the Carrier IQ app collects on
the handset, 2) what data the Carrier IQ app routinely transmits to the
carriers, and 3) what data can the Carrier IQ app transmit to the
carrier if asked.  Can the carrier enable the logging of everything in
response to a request from the FBI?  We have no idea.

Expect this story to unfold considerably in the coming weeks.  Everyone
is pointing fingers of blame at everyone else, and Sen. Franken has
asked the various companies involved for details.

One more detail is worth mentioning.  Apple announced it no longer uses
Carrier IQ in iOS5.  I'm sure this means that they have their own
surveillance software running, not that they're no longer conducting
surveillance on their users.

Apple and Carrier IQ:

Excellent roundup of everything that's known about Carrier IQ:

** *** ***** ******* *********** *************

      Biological Link Between Altruism and Fairness

I write a lot about altruism, fairness, and cooperation in my new book
(out in February!), so research on the link between altruism and
fairness interests me a lot.  This experiment found a correlation in
15-month old babies.

Both psychology and neuroscience have a lot to say about these topics,
and the resulting debate reads like a subset of the "Is there such a
thing as free will?" debate.  I think those who believe there is no free
will are misdefining the term.

What does this have to do with security?  Everything.  It's not until we
understand the natural human tendencies of fairness and altruism that we
can really understand people who take advantage of those tendencies, and
build systems to prevent them from taking advantage.

Essay on free will:

Related research with dogs:

** *** ***** ******* *********** *************

      Schneier News

Last weekend, I received an honorary PhD from the University of
Westminster, in London.  I have had mixed feelings about this since I
was asked early this year.  The best piece of advice I've read is: "It's
a great honor, but it is an honor, not a degree."

** *** ***** ******* *********** *************

      Iranians Capture U.S. Drone

Iran has captured a U.S. surveillance drone.  No one is sure how it
happened.  Looking at the pictures of the drone, it wasn't shot down and
it didn't crash.  The various fail-safe mechanisms on the drone seem to
have failed; otherwise, it would have returned home.  The U.S. claims
that it was a simple "malfunction," but that doesn't make a whole lot of

The Iranians claim they used "electronic warfare" to capture the drone,
implying that they somehow took control of it in the air and steered it
to the ground.  It would be a serious security design failure if they
could do that.  Two years ago, there was a story about al Qaeda
intercepting video signals from drones.  The command-and-control channel
is different; I assumed that there was some pretty strong encryption
protecting that.

Photo analysis of the captured drone:

** *** ***** ******* *********** *************

      Recent Developments in Full Disclosure

Last week, I had a long conversation with Robert Lemos over an article
he was writing about full disclosure.  He had noticed that companies
have recently been reacting more negatively to security researchers
publishing vulnerabilities about their products.

The debate over full disclosure is as old as computing, and I've written
about it before.  Disclosing security vulnerabilities is good for
security and good for society, but vendors really hate it. It results in
bad press, forces them to spend money fixing vulnerabilities, and comes
out of nowhere.  Over the past decade or so, we've had an uneasy truce
between security researchers and product vendors.  That truce seems to
be breaking down.

Lemos believes the problem is that because today's research targets
aren't traditional computer companies -- they're phone companies, or
embedded system companies, or whatnot -- they're not aware of the
history of the debate or the truce, and are responding more viscerally.
For example, Carrier IQ threatened legal action against the researcher
that outed it, and only backed down after the EFF got involved.  I am
reminded of the reaction of locksmiths to Matt Blaze's vulnerability
disclosures about lock security; they thought he was evil incarnate for
publicizing hundred-year-old security vulnerabilities in lock systems.
And just last week, I posted about a full-disclosure debate in the
virology community.

I think Lemos has put his finger on part of what's going on, but that
there's more.  I think that companies, both computer and non-computer,
are trying to retain control over the situation.  Apple's heavy-handed
retaliation against researcher Charlie Miller is an example of that.  On
one hand, Apple should know better than to do this.  On the other hand,
it's acting in the best interest of its brand: the fewer researchers
looking for vulnerabilities, the fewer vulnerabilities it has to deal with.

It's easy to believe that if only people wouldn't disclose problems, we
could pretend they didn't exist, and everything would be better.
Certainly this is the position taken by the DHS over terrorism: public
information about the problem is worse than the problem itself.  It's
similar to Americans' willingness to give both Bush and Obama the power
to arrest and indefinitely detain any American without any trial
whatsoever.  It largely explains the common public backlash against
whistle-blowers.  What we don't know can't hurt us, and what we do know
will also be known by those who want to hurt us.

There's some profound psychological denial going on here, and I'm not
sure of the implications of it all.  It's worth paying attention to,
though.  Security requires transparency and disclosure, and if we
willingly give that up, we're a lot less safe as a society.

My previous essay on full disclosure:

Carrier IQ backing down:

Locks and full disclosure:

Apple's retaliation against Charlie Miller:

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise.  You can subscribe, unsubscribe, or change your address
on the Web at <>.  Back issues
are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable.  Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms.  He is the Chief
Security Technology Officer of BT BCSG, and is on the Board of Directors
of the Electronic Privacy Information Center (EPIC).  He is a frequent
writer and lecturer on security topics.  See <>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not
necessarily those of BT.

Copyright (c) 2011 by Bruce Schneier.

** *** ***** ******* *********** *************
