Steve's Views Rotating Header Image

June, 2006:

A deeper insight into security – CRYPTO-GRAM

Here’s a reprint of Crypto-Gram by Bruce Schneier. His newsletter is one of the most read on the subject. It is a strongly recommended reading for all who care about themselves and others.

Schneier also gives a good insight into how to motivate security in any area. (See Aligning Interest with Capability, below.)

Here in it’s entirety is:


June 15, 2006

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit

You can read this issue on the web at
. These same essays
appear in the “Schneier on Security” blog:
. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
The Value of Privacy
Movie-Plot Threat Contest Winner
Crypto-Gram Reprints
Diebold Doesn’t Understand the Security Threat
Hacking Computers Over USB
The Doghouse: KRYPTO 2.0
Counterpane News
Aligning Interest with Capability
Comments from Readers

** *** ***** ******* *********** *************

The Value of Privacy

Last month, revelation of yet another NSA surveillance effort against
the American people rekindled the privacy debate. Those in favor of
these programs have trotted out the same rhetorical question we hear
every time privacy advocates oppose ID checks, video cameras, massive
databases, data mining, and other wholesale surveillance measures: “If
you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no
cause to watch me.” “Because the government gets to define what’s
wrong, and they keep changing the definition.” “Because you might do
something wrong with my information.” My problem with quips like these
— as right as they are — is that they accept the premise that privacy
is about hiding a wrong. It’s not. Privacy is an inherent human right,
and a requirement for maintaining the human condition with dignity and

Two proverbs say it best: “Quis custodiet ipsos custodes?” (“Who
watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he
famously said, “If one would give me six lines written by the hand of
the most honest man, I would find something in them to have him
hanged.” Watch someone long enough, and you’ll find something to arrest
— or just blackmail — him with. Privacy is important because without
it, surveillance information will be abused: to peep, to sell to
marketers, and to spy on political enemies — whoever they happen to be
at the time.

Privacy protects us from abuses by those in power, even if we’re doing
nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not
deliberately hiding anything when we seek out private places for
reflection or conversation. We keep private journals, sing in the
privacy of the shower, and write letters to secret lovers and then burn
them. Privacy is a basic human need.

A future in which privacy would face constant assault was so alien to
the framers of the Constitution that it never occurred to them to call
out privacy as an explicit right. Privacy was inherent to the nobility
of their being and their cause. Of course being watched in your own
home was unreasonable. Watching at all was an act so unseemly as to be
inconceivable among gentlemen in their day. You watched convicted
criminals, not free citizens. You ruled your own home. It’s intrinsic
to the concept of liberty.

For if we are observed in all matters, we are constantly under threat
of correction, judgment, criticism, even plagiarism of our own
uniqueness. We become children, fettered under watchful eyes,
constantly fearful that — either now or in the uncertain future —
patterns we leave behind will be brought back to implicate us, by
whatever authority has now become focused upon our once-private and
innocent acts. We lose our individuality, because everything we do is
observable and recordable.

How many of us have paused during conversations in the past
four-and-a-half years, suddenly aware that we might be eavesdropped on?
Probably it was a phone conversation, although maybe it was an e-mail
or instant message exchange or a conversation in a public place. Maybe
the topic was terrorism, or politics, or Islam. We stop suddenly,
momentarily afraid that our words might be taken out of context, then
we laugh at our paranoia and go on. But our demeanor has changed, and
our words are subtly altered.

This is the loss of freedom we face when our privacy is taken from us.
This was life in the former East Germany, or life in Saddam Hussein’s
Iraq. And it’s our future as we allow an ever-intrusive eye into our
personal, private lives.

Too many wrongly characterize the debate as “security versus privacy.”
The real choice is liberty versus control. Tyranny, whether it arises
under threat of foreign physical attack or under constant domestic
authoritative scrutiny, is still tyranny. Liberty requires security
without intrusion, security plus privacy. Widespread police
surveillance is the very definition of a police state. And that’s why
we should champion privacy even when we have nothing to hide.

A version of this essay originally appeared on,70886-0.html

Daniel Solove comments:

** *** ***** ******* *********** *************

Movie-Plot Threat Contest Winner

I can tell you one thing, you guys are really imaginative. The
response to my Movie-Plot Threat Contest was more than I could imagine:
892 comments. I printed them all out — 195 pages, double sided — and
spiral bound them, so I could read them more easily. The cover read:
“The Big Book of Terrorist Plots.” I tried not to wave it around too
much in airports.

I almost didn’t want to pick a winner, because the real point is the
enormous list of them all. And because it’s hard to choose. But after
careful deliberation, the winning entry is by Tom Grant. Although
planes filled with explosives is already cliche, destroying the Grand
Coulee Dam is inspired. Here it is:

“Mission: Terrorize Americans. Neutralize American economy, make
America feel completely vulnerable, and all Americans unsafe.

“Scene 1: A rented van drives from Spokane, WA, to a remote setting in
Idaho and loads up with shoulder-mounted rocket launchers and a couple
of people dressed in fatigues.

“Scene 2: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Spokane, WA, airport. A van full of explosives is
unloaded at the depot.

“Scene 3: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Kamloops, BC, airport. A van full of explosives is
unloaded at the depot.

“Scene 4: A van with mercenaries drives through the Idaho forests en
route to an unknown destination. Receives cell communiqué that
locations Alpha and Bravo are secured.

“Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by
terrorists who overtake the plane and its crew. Explosives are loaded
aboard the aircraft. The same scene plays out in Spokane moments
later, and that plane is loaded with explosives. Two pilots board
each of the cargo planes and ask for takeoff instructions as night
falls across the West.

“Scene 6: Two cargo jets go airborne from two separate locations. A
van with four terrorists arrives at its destination, parked on an
overlook ridge just after nightfall. They use infrared glasses to scope
the target. The camera pans down and away from the van, exposing the
target. Grand Coulee Dam. The cell phone rings and notification comes
to the leader that ‘Nighthawks alpha and bravo have launched.’

“Scene 7: Two radar operators in separate locations note with alarm
that UPS cargo jets they have been tracking have dropped off the radar
and may have crashed. Aboard each craft the pilots have turned off
navigational radios and are flying on ‘manual’ at low altitude. One
heading South, one heading North.

“Scene 8: Planes are closing in on the ‘target’ and the rocket
launcher crew goes to work. With precision they strike lookout and
defense positions on the dam, then target the office structures
below. As they finish, a cargo jet approaches from the North at high
velocity, slamming into the back side of the dam just above the
waterline and exploding, shuddering the earth. A large portion of the
center-top of the dam is missing. Within seconds a cargo plane coming
from the South slams into the front face of the dam, closer to the
base, and explodes in a blinding flash, shuddering the earth. In
moments, the dam begins to fail, and a final volley from four rocket
launchers on the hill above helps break open the face of the dam. The
40-mile-long Lake Roosevelt begins to pour down the Columbia River
Valley, uncontrolled. No warning is given to the dams downriver, other
than the generation at G.C. is now offline.

“Scene 9: Through the night, the surging wall of water roars down the
Columbia waterway, overtopping dam after dam and gaining momentum (and
huge amounts of water) along the way. The cities of Wenatchee and
Kennewick are inundated and largely swept away. A van of renegades
retreats to Northern Idaho to hide.

“Scene 10: As day breaks in the West, there is no power from Seattle
to Los Angeles. The Western power grid has failed. Commerce has ground
to a halt west of the Rocky Mountains. Water is sweeping down the
Columbia River gorge, threatening to overtop Bonneville dam and wipe
out the large metro area of Portland, OR.

“Scene 11: Bin Laden releases a video on Al Jazeera that claims
victory over the Americans.

“Scene 12: Pandemonium, as water sweeps into a panicked Portland,
Oregon, washing all away in its path, and surging water well up the
Willamette valley.

“Scene 13: Washington situation room…little input is coming in from
the West. Some military bases have emergency power and sat phones, and
are reporting that the devastation of the dam infrastructure is
complete. Seven major and five minor dams have been destroyed.
Re-powering the West coast will take months, as connections from the
Eastern grid will have to be made through the New Mexico Mountains.

“Scene 14: Worst U.S. market crash in history. America’s GNP drops
from the top of the charts to 20th worldwide. Exports and imports cease
on the West coast. Martial law fails to control mass exodus from
Seattle, San Francisco, and L.A. as millions flee to the east. Gas
shortages and vigilante mentality take their toll on the panicked
populace. The West is ‘wild’ once more. The East is overrun with
millions seeking homes and employment.”

Congratulations, Tom. I’m still trying to figure out what you win.

Contest rules and all entries:

Announcing: Movie-Plot Threat Contest

Update, including selection criteria:

Movie Plot Threat Contest: Status Report

Winning entry:

Announcing: Movie-Plot Threat Contest

** *** ***** ******* *********** *************

Crypto-Gram Reprints

Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
. These are a selection
of articles that appeared in this calendar month in other years.

Internet Attack Trends:

U.S. Medical Privacy Law Gutted:

Breaking Iranian Codes:

The Witty Worm:

The Risks Of Cyberterrorism:

Fixing Intelligence Failures:

Honeypots and the Honeynet Project

Microsoft SOAP:

The Data Encryption Standard (DES):

The internationalization of cryptography policy:
and products:

The new breeds of viruses, worms, and other malware:

Timing attacks, power analysis, and other “side-channel” attacks
against cryptosystems:

** *** ***** ******* *********** *************

In the long term, corporate data mining efforts are more of a privacy
risk than government data mining efforts. And here’s an off-the-shelf
product from IBM:
an&appname=iSource&supplier=649&letternum=ENUSA06-0519 or

The UK Intelligence and Security Committee has issued a report on the
July 7 terrorist bombings in London:
uly_report.pdf or
The UK government has issued a response:
_7july.pdf or
About the Intelligence and Security Committee:

From a list of 100,000 passwords for a German dating site, we learn
that “123456” works 1.4% of the time and that 2.5% of all passwords
begin with “1234.” Interesting.

Bank defends its bad security by saying that everyone else does it, too.

Interesting essay about how EU law would treat the NSA’s collection of
everyone’s phone records.

Animated political cartoon on NSA eavesdropping. And a song, too.,0,1906650.flash

You can audit “Welcome to Practical Aspects of Modern Cryptography”:
University of Washington, Winter 2006, by Josh Benaloh, Brian
LaMacchia, and John Manferdelli. The course materials and videos of
the lectures are online.

Fascinating interview with a debit card scammer. Moral: securing this
system isn’t going to be easy.

And some comments from a fake ID salesman, in case you thought
hard-to-forge national ID cards would solve the problem:
l or

“How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to
Government Agents.”

Nice article discussing the hype, and reality, over the threat of
homebrew chemical weapons.

Just hide this gadget in someone’s car or briefcase — or maybe sew it
into his coat — and then track his every move using GPS. You have to
recover the device to play it back, but presumably the next generation
will be queryable remotely.

The U.S. government is asking ISPs to save personal data about you, in
case they need access to it.,0,622125.story?co
ll=la-home-headlines or
Note that the Justice Department invoked two of the Four Horsemen of
the Internet Apocalypse: child pornographers and terrorists. If they
can figure out how to work kidnappers and drug dealers in, they can
probably do anything they want.

From “Assassination in the United States: An Operational Study of
Recent Assassins, Attackers, and Near-Lethal Approachers,” (a 1999
article published in the “Journal of Forensic Sciences”): “Few
attackers or near-lethal approachers possessed the cunning or the
bravado of assassins in popular movies or novels. The reality of
American assassination is much more mundane, more banal than
assassinations depicted on the screen. Neither monsters nor martyrs,
recent American assassins, attackers, and near-lethal approachers
engaged in pre-incident patterns of thinking and behaviour.” The quote
is from the last page. The whole thing is interesting reading.

Interesting law review article by Helen Nissenbaum: “Privacy as
Contextual Integrity.”

New directions in chemical warfare: chemicals that make enemy soldiers
sexually irresistible to each other, attract swarms of enraged wasps,
or cause “severe and lasting halitosis”:
Technology always gets better; it never gets worse. There will be a
time, probably in our lifetimes, when weapons like these will be real.

NSA surveillance cartoon:

Interesting paper on the security of contactless smartcards:

Wireless surveillance camera detector:

Great article comparing the barrier Israel is erecting to protect
itself from the West Bank with the hypothetical barrier the U.S. would
build to protect itself from Mexico: “No wonder the [Israeli] fence is
considered a good deal by those living on its western side. But
applying this model to the U.S.-Mexico border will not be easy. U.S.
citizens will find it hard to justify such tough measures when their
only goal is to stop people coming in for work — rather than
preventing them from trying to commit murder. And the cost will be more
important. It’s much easier to open your wallet when someone is
threatening to blow up your local cafe.”

$1M VoIP scam:

NIST has just published “Recommendation for Random Number Generation
Using Deterministic Random Bit Generators.”

The NSA is combing through MySpace:
-sights-on-social-networking-websites.html or

** *** ***** ******* *********** *************

Hacking Computers Over USB

I’ve previously written about the risks of small portable computing
devices; how more and more data can be stored on them, and then lost or
stolen. But there’s another risk: if an attacker can convince you to
plug his USB device into your computer, he can take it over. From CSO

“Plug an iPod or USB stick into a PC running Windows and the device can
literally take over the machine and search for confidential documents,
copy them back to the iPod or USB’s internal storage, and hide them as
“deleted” files. Alternatively, the device can simply plant spyware, or
even compromise the operating system. Two features that make this
possible are the Windows AutoRun facility and the ability of
peripherals to use something called direct memory access (DMA). The
first attack vector you can and should plug; the second vector is the
result of a design flaw that’s likely to be with us for many years to

The article has the details, but basically you can configure a file on
your USB device to automatically run when it’s plugged into a
computer. That file can, of course, do anything you want it to.

Recently I’ve been seeing more and more written about this attack. The
Spring 2006 issue of 2600 Magazine, for example, contains a short
article called “iPod Sneakiness” (unfortunately, not online). The
author suggests that you can innocently ask someone at an Internet cafe
if you can plug your iPod into his computer to power it up — and then
steal his passwords and critical files.

And about someone used this trick in a penetration test:

“We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless vendor
giveaway thumb drives collected over the years and imprinted them with
our own special piece of software. I had one of my guys write a Trojan
that, when run, would collect passwords, logins and machine-specific
information from the user’s computer, and then email the findings back
to us.

“The next hurdle we had was getting the USB drives in the hands of the
credit union’s internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

“Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.

“I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software.”

There is a partial defense. From the first article:

“AutoRun is just a bad idea. People putting CD-ROMs or USB drives into
their computers usually want to see what’s on the media, not have
programs automatically run. Fortunately you can turn AutoRun off. A
simple manual approach is to hold down the “Shift” key when a disk or
USB storage device is inserted into the computer. A better way is to
disable the feature entirely by editing the Windows Registry. There are
many instructions for doing this online (just search for ‘disable
autorun’) or you can download and use Microsoft’s TweakUI program,
which is part of the Windows XP PowerToys download. With Windows XP you
can also disable AutoRun for CDs by right-clicking on the CD drive icon
in the Windows explorer, choosing the AutoPlay tab, and then selecting
‘Take no action’ for each kind of disk that’s listed. Unfortunately,
disabling AutoPlay for CDs won’t always disable AutoPlay for USB
devices, so the registry hack is the safest course of action.”

In the 1990s, the Macintosh operating system had this feature, which
was removed after a virus made use of it in 1998. Microsoft needs to
remove this feature as well.

But it’s only a partial defense. In the penetration test, they didn’t
use AutoRun. They just created a sufficiently enticing file, and the
people who found the USB drives manually invoked the executable.

My previous essay:

Risks of Losing Portable Devices

** *** ***** ******* *********** *************

The Doghouse: KRYPTO 2.0

The website is hysterical:

“Proof of the Krypto security !
Which would be, if one would try one of Krypto coded file unauthorized
to decode.
A coded file with the length of 18033 indications has therefore
according to computation, 256 bits highly 18033 indications =
file possibilities. Each file possibility has exactly 18033 indications
Multiplied by the number of file possibilities then need results in the
Those are then: 1,1152248840041161000440562362208e+43432 byte.
Those are then: 1,038634110245961789082788150963è+43423 Giga byte data
That is a number with 43424 places.
I can surely maintain as much memory place give it in the whole world
not never.
And the head problem now is, which is now the correctly decoded file.
Who it does not know can only say there. That does not know so exactly !
They can code naturally naturally also still successively several
times, even up to
the infinity.”

Machine translated (on the website; not by me) from German into
English. My head hurts just trying to read that.

** *** ***** ******* *********** *************

Counterpane News

Schneier is speaking at the FIRST Conference in Baltimore on June 30:

Interview with Bruce Schneier:

Counterpane announced two pretty cool service agreements:

Network World wrote about Counterpane at the Gartner Security Conference:

** *** ***** ******* *********** *************

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the
register: “Your purchase free if you don’t get a receipt”? You almost
certainly didn’t see it in an expensive or high-end store. You saw it
in a convenience store, or a fast-food restaurant, or maybe a liquor
store. That sign is a security device, and a clever one at that. And
it illustrates a very important rule about security: it works best when
you align interests with capability.

If you’re a store owner, one of your security worries is employee
theft. Your employees handle cash all day, and dishonest ones will
pocket some of it for themselves. The history of the cash register is
mostly a history of preventing this kind of theft. Early cash
registers were just boxes with a bell attached. The bell rang when an
employee opened the box, alerting the store owner — who was presumably
elsewhere in the store — that an employee was handling money.

The register tape was an important development in security against
employee theft. Every transaction is recorded in write-only media, in
such a way that it’s impossible to insert or delete transactions. It’s
an audit trail. Using that audit trail, the store owner can count the
cash in the drawer, and compare the amount with the register tape. Any
discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the
register. If someone hands you money for an item and walks out, you
can pocket that money without anyone being the wiser. And, in fact,
that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the
employee, of course. But that’s not very efficient; the whole point of
having employees is so that the store owner can do other things. The
customer is standing there anyway, but the customer doesn’t care one
way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up
a sign saying “Your purchase free if you don’t get a receipt,” the
employer is getting the customer to guard the employee. The customer
makes sure the employee gives him a receipt, and employee theft is
reduced accordingly.

There is a general rule in security to align interest with
capability. The customer has the capability of watching the employee;
the sign gives him the interest.

In Beyond Fear, I wrote about ATM fraud; you can see the same mechanism
at work:

“When ATM cardholders in the US complained about phantom withdrawals
from their accounts, the courts generally held that the banks had to
prove fraud. Hence, the banks’ agenda was to improve security and keep
fraud low, because they paid the costs of any fraud. In the UK, the
reverse was true: The courts generally sided with the banks and assumed
that any attempts to repudiate withdrawals were cardholder fraud, and
the cardholder had to prove otherwise. This caused the banks to have
the opposite agenda; they didn’t care about improving security, because
they were content to blame the problems on the customers and send them
to jail for complaining. The result was that in the US, the banks
improved ATM security to forestall additional losses–most of the fraud
actually was not the cardholder’s fault — while in the UK, the banks
did nothing.”

The banks had the capability to improve security. In the US, they also
had the interest. But in the UK, only the customer had the
interest. It wasn’t until the UK courts reversed themselves and
aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of
software liabilities. Software vendors are in the best position to
improve software security; they have the capability. But,
unfortunately, they don’t have much interest. Features, schedule, and
profitability are far more important. Software liabilities will change
that. They’ll align interest with capability, and they’ll improve
software security.

One last story. In Italy, tax fraud used to be a national hobby. (It
may still be; I don’t know.) The government was tired of retail stores
not reporting sales and paying taxes, so they passed a law regulating
the customers. Any customer having just purchased an item and stopped
within a certain distance of a retail store, had to produce a receipt
or they would be fined. Just as in the “Your purchase free if you
don’t get a receipt” story, the law turned the customers into tax
inspectors. They demanded receipts from merchants, which in turn
forced the merchants to create a paper audit trail for the purchase and
pay the required tax.

This was a great idea, but it didn’t work very well. Customers,
especially tourists, didn’t like to be stopped by police. People
started demanding that the police prove they just purchased the
item. Threatening people with fines if they didn’t guard merchants
wasn’t as effective an enticement as offering people a reward if they
didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful
how you generate interest.

This essay originally appeared on,71032-0.html

** *** ***** ******* *********** *************

Comments from Readers

There are hundreds of comments — many of them interesting — on these
topics on my blog. Search for the story you want to comment on, and
join in.

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
. Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied
Cryptography,” and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See .

Counterpane is the world’s leading protector of networked information –
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See .

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.