Schneier on Security

A blog covering security and security technology.

The Politics and Philosophy of National Security

This essay explains why we're all living in failed Hobbesian states:

What do these three implications -- states have a great deal of freedom to determine what threatens a people and how to respond to those threats, and in making those determinations, they are influenced by the interests and ideologies of their primary constituencies; states have strong incentives and have been given strong justifications for exaggerating threats; and while states aspire, rhetorically, to a unity of will and judgment, they seldom achieve it in practice -- tell us about the relationship between security and freedom? What light do they shed on the question of why security is such a potent argument for the suppression of rights and liberties?

Security is an ideal language for suppressing rights because it combines a universality and neutrality in rhetoric with a particularity and partiality in practice. Security is a good that everyone needs, and, we assume, that everyone needs in the same way and to the same degree. It is "the most vital of all interests," John Stuart Mill wrote, which no one can "possibly do without." Though Mill was referring here to the security of persons rather than of nations or states, his argument about personal security is often extended to nations and states, which are conceived to be persons writ large.

Unlike other values -- say justice or equality -- the need for and definition of security is not supposed to be dependent upon our beliefs or other interests and it is not supposed to favor any one set of beliefs or interests. It is the necessary condition for the pursuit of any belief or interest, regardless of who holds that belief or has that interest. It is a good, as I've said, that is universal and neutral. That's the theory.

The reality, as we have seen, is altogether different. The practice of security involves a state that is rife with diverse and competing ideologies and interests, and these ideologies and interests fundamentally help determine whether threats become a focus of attention, and how they are perceived and mobilized against. The provision of security requires resources, which are not limitless. They must be distributed according to some calculus, which, like the distribution calculus of any other resource (say income or education), will reflect controversial and contested assumption about justice and will be the subject of debate. National security is as political as Social Security, and just as we argue about the latter, so do we argue about the former.

Posted on January 10, 2013 at 6:49 AM • 7 Comments

Denial-of-Service Attack Against Facebook

Just claim the person is dead. All you need to do is fake an online obituary.

Posted on January 9, 2013 at 6:44 AM • 13 Comments

Cat Smuggler

Not a cat burglar, a cat smuggler.

Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body.

Another article, with video.

A prison spokesperson was quoted by local paper Estado de S. Paulo as saying: "It's tough to find out who's responsible for the action as the cat doesn't speak."

Posted on January 8, 2013 at 1:36 PM • 20 Comments

DHS Gets to Spy on Everyone

This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name:

The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation.

Now, NCTC can copy entire government databases -- flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans "reasonably believed to constitute terrorism information" may be permanently retained.

Note that this is government data only, not commercial data. So while it includes "almost any government database, from financial forms submitted by people seeking federally backed mortgages to the health records of people who sought treatment at Veterans Administration hospitals" as well lots of commercial data, it's data the corporations have already given to the government. It doesn't include, for example, your detailed cell phone bills or your tweets.

See also this supplementary blog post to the article.

Posted on January 8, 2013 at 6:28 AM • 48 Comments

Details of an Internet Scam

Interesting details of an Amazon Marketplace scam. Worth reading.

Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it's all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you're afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.

The second email hypes the urgency, trying to get me to pay quickly. I did not reply, but if I had, the next step in a scam like this is to sweeten the deal if I were to act immediately, often by pretending to ship my non-existent camera with a bonus item (like a cell phone) overnight if I give them payment information immediately.

Of course, if I ever did give them my payment information, they'd empty my checking account and, if they're with a larger attacker group, start using my account to traffic stolen funds.

Posted on January 7, 2013 at 6:31 AM • 23 Comments

Friday Squid Blogging: Giant Squid Finally Captured on Video

We'll see it later this month.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

EDITED TO ADD (1/8): Some more news stories here.

Posted on January 4, 2013 at 3:36 PM • 33 Comments

What Facebook Gives the Police

This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public.

EDITED TO ADD (1/4): Commenters point out that this case is four years old, and that Facebook claims to have revised its policies since then.

Posted on January 4, 2013 at 7:48 AM • 30 Comments

Classifying a Shape

This is a great essay:

Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don’t have to use spheres -- cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets -- but spheres are pretty common.

[...]

Imagine the scenario: you’re a security officer working at Los Alamos. You know that spheres are weapon parts. You walk into a technical area, and you see spheres all around! Is that an ashtray, or it is a model of a plutonium pit? Anxiety mounts -- does the ashtray go into a safe at the end of the day, or does it stay out on the desk? (Has someone been tapping their cigarettes out into the pit model?)

All of this anxiety can be gone -- gone! -- by simply banning all non-nuclear spheres! That way you can effectively treat all spheres as sensitive shapes.

What I love about this little policy proposal is that it illuminates something deep about how secrecy works. Once you decide that something is so dangerous that the entire world hinges on keeping it under control, this sense of fear and dread starts to creep outwards. The worry about what must be controlled becomes insatiable ­ and pretty soon the mundane is included with the existential.

The essay continues with a story of a scientist who received a security violation for leaving an orange on his desk.

Two points here. One, this is a classic problem with any detection system. When it's hard to build a system that detects the thing you're looking for, you change the problem to detect something easier -- and hope the overlap is enough to make the system work. Think about airport security. It's too hard to detect actual terrorists with terrorist weapons, so instead they detect pointy objects. Internet filtering systems work the same way, too. (Remember when URL filters blocked the word "sex," and the Middlesex Public Library found that it couldn't get to its municipal webpages?)

Two, the Los Alamos system only works because false negatives are much, much worse than false positives. It really is worth classifying an abstract shape and annoying an officeful of scientists and others to protect the nuclear secrets. Airport security fails because the false-positive/false-negative cost ratio is different.

Posted on January 3, 2013 at 6:03 AM • 33 Comments

Apollo Robbins, Pickpocket

Fascinating story:

"Come on," Jillette said. "Steal something from me."

Again, Robbins begged off, but he offered to do a trick instead. He instructed Jillette to place a ring that he was wearing on a piece of paper and trace its outline with a pen. By now, a small crowd had gathered. Jillette removed his ring, put it down on the paper, unclipped a pen from his shirt, and leaned forward, preparing to draw. After a moment, he froze and looked up. His face was pale.

"Fuck. You," he said, and slumped into a chair.

Robbins held up a thin, cylindrical object: the cartridge from Jillette’s pen.

Really -- read the whole thing.

EDITED TO ADD (1/6): A video accompanying the article. There's much more on YouTube.

Posted on January 2, 2013 at 8:44 AM • 31 Comments

Terms of Service as a Security Threat

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general.

As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our service providers can do, both with the data we post and with the information they gather about how we use their service. The agreements are very one-sided -- most of the time, we're not even paying customers of these providers -- and can change without warning. And, of course, none of us ever read them.

Here's one example. Prezi is a really cool presentation system. While you can run presentations locally, it's basically cloud-based. Earlier this year, I was at a CISO Summit in Prague, and one of the roundtable discussions centered around services like Prezi. CISOs were worried that sensitive company information was leaking out of the company and being stored insecurely in the cloud. My guess is that they would have been much more worried if they read Prezi's terms of use:

With respect to Public User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content on and in connection with the manufacture, sale, promotion, marketing and distribution of products sold on, or in association with, the Service, or for purposes of providing you with the Service and promoting the same, in any medium and by any means currently existing or yet to be devised.

With respect to Private User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content solely for purposes of providing you with the Service.

Those paragraphs sure sound like Prezi can do anything it wants, including start a competing business, with any presentation I post to its site. (Note that Prezi's human readable -- but not legally correct -- terms of use document makes no mention of this.) Yes, I know Prezi doesn't currently intend to do that, but things change, companies fail, assets get bought, and what matters in the end is what the agreement says.

I don't mean to pick on Prezi; it's just an example. How many other of these Trojan horses are hiding in commonly used cloud provider agreements: both from providers that companies decide to use as a matter of policy, and providers that company employees use in violation of policy, for reasons of convenience?

Posted on December 31, 2012 at 6:44 AM • 41 Comments

Friday Squid Blogging: William Gilly, Squid Researcher

Good article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 28, 2012 at 3:16 PM • 17 Comments

I Seem to Be a Verb

From "The Insider's TSA Dictionary":

Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: "A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn't it be more dangerous if I were to make my scissors into two blades, or to go into the bathroom on the secure side and sharpen my grandmother's walking stick with one of the scissor blades into a terror spear. Then after I pointed out that all of our bodies contain a lot more than 3.4 ounces of liquids, the TSA guy got all pissed and asked me if I wanted to fly today. I totally Schneirered [sic] his ass."

Supposedly the site is by a former TSA employee. I have no idea if that's true.

Posted on December 28, 2012 at 12:34 PM • 19 Comments

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.