Sunday, 15 May 2011

CRYPTO-GRAM

May 15, 2011

by Bruce Schneier


Chief Security Technology Officer, BT

http://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1105.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
Status Report: "The Dishonest Minority"
RFID Tags Protecting Hotel Towels
News
Hijacking the Coreflood Botnet
Schneier News
Drugging People and Then Robbing Them
Interviews with Me About the Sony Hack


** *** ***** ******* *********** *************

Status Report: "The Dishonest Minority"



Three months ago, I announced that I was writing a book on why security exists in human societies. This is basically the book's thesis statement:

All complex systems contain parasites. In any system of
cooperative behavior, an uncooperative strategy will be effective
-- and the system will tolerate the uncooperatives -- as long as
they're not too numerous or too effective. Thus, as a species
evolves cooperative behavior, it also evolves a dishonest minority
that takes advantage of the honest majority. If individuals
within a species have the ability to switch strategies, the
dishonest minority will never be reduced to zero. As a result,
the species simultaneously evolves two things: 1) security systems
to protect itself from this dishonest minority, and 2) deception
systems to successfully be parasitic.

Humans evolved along this path. The basic mechanism can be
modeled simply. It is in our collective group interest for
everyone to cooperate. It is in any given individual's short-term
self-interest not to cooperate: to defect, in game theory terms.
But if everyone defects, society falls apart. To ensure
widespread cooperation and minimal defection, we collectively
implement a variety of societal security systems.

Two of these systems evolved in prehistory: morals and reputation.
Two others evolved as our social groups became larger and more
formal: laws and technical security systems. What these security
systems do, effectively, is give individuals incentives to act in
the group interest. But none of these systems, with the possible
exception of some fanciful science-fiction technologies, can ever
bring that dishonest minority down to zero.

In complex modern societies, many complications intrude on this
simple model of societal security. Decisions to cooperate or
defect are often made by groups of people -- governments,
corporations, and so on -- and there are important differences
because of dynamics inside and outside the groups. Much of our
societal security is delegated -- to the police, for example --
and becomes institutionalized; the dynamics of this are also
important.

Power struggles over who controls the mechanisms of societal
security are inherent: "group interest" rapidly devolves to "the
king's interest." Societal security can become a tool for those
in power to remain in power, with the definition of "honest
majority" being simply the people who follow the rules.

The term "dishonest minority" is not a moral judgment; it simply
describes the minority who does not follow societal norms. Since
many societal norms are in fact immoral, sometimes the dishonest
minority serves as a catalyst for social change. Societies
without a reservoir of people who don't follow the rules lack an
important mechanism for societal evolution. Vibrant societies
need a dishonest minority; if society makes its dishonest minority
too small, it stifles dissent as well as common crime.

At this point, I have most of a first draft: 75,000 words. The tentative title is still "The Dishonest Minority: Security and its Role in Modern Society." I have signed a contract with Wiley to deliver a final manuscript in November for February 2012 publication. Writing a book is a process of exploration for me, and the final book will certainly be a little different -- and maybe even very different -- from what I wrote above. But that's where I am today.

And it's why my other writings -- and the issues of Crypto-Gram -- continue to be sparse.

Lots of comments -- over 200 -- to the blog post. Please comment there; I want the feedback.
http://www.schneier.com/blog/archives/2011/02/societal_securi.html


** *** ***** ******* *********** *************

RFID Tags Protecting Hotel Towels



The stealing of hotel towels isn't a big problem in the scheme of world problems, but it can be expensive for hotels. Sure, we have moral prohibitions against stealing -- that'll prevent most people from stealing the towels. Many hotels put their name or logo on the towels. That works as a reputational societal security system; most people don't want their friends to see obviously stolen hotel towels in their bathrooms. Sometimes, though, this has the opposite effect: making towels and other items into souvenirs of the hotel and thus more desirable to steal. It's against the law to steal hotel towels, of course, but with the exception of large-scale thefts, the crime will never be prosecuted. (This might be different in third world countries. In 2010, someone was sentenced to three months in jail for stealing two towels from a Nigerian hotel.) The result is that more towels are stolen than hotels want. And for expensive resort hotels, those towels are expensive to replace.

The only thing left for hotels to do is take security into their own hands. One system that has become increasingly common is to set prices for towels and other items -- this is particularly common with bathrobes -- and charge the guest for them if they disappear from the rooms. This works with some things, but it's too easy for the hotel to lose track of how many towels a guest has in his room, especially if piles of them are available at the pool.

A more recent system, still not widespread, is to embed washable RFID chips into the towels and track them that way. The one data point I have for this is an anonymous Hawaii hotel that claims they've reduced towel theft from 4,000 a month to 750, saving $16,000 in replacement costs monthly.

Assuming the RFID tags are relatively inexpensive and don't wear out too quickly, that's a pretty good security trade-off.

Blog entry URL:
http://www.schneier.com/blog/archives/2011/05/rfid_tags_prote.html

Stealing hotel items:
http://today.msnbc.msn.com/id/31046570

Nigerian case:
http://travel.usatoday.com/hotels/post/2010/09/woman-faces-jailed-for-stealing-hotel-towels-at-hilton-hotel-/114364/1 or http://tinyurl.com/3z7p98w

RFID chips in towels:
http://intransit.blogs.nytimes.com/2011/04/11/gee-how-did-that-towel-end-up-in-my-suitcase/ or http://tinyurl.com/6bp4lkr


** *** ***** ******* *********** *************

News


WikiLeaks cable about Chinese hacking of U.S. networks:
http://www.schneier.com/blog/archives/2011/04/wikileaks_cable.html

Increasingly, chains of evidence include software steps. It's not just the RIAA suing people -- and getting it wrong -- based on automatic systems to detect and identify file sharers. It's forensic programs used to collect and analyze data from computers and smart phones. It's audit logs saved and stored by ISPs and websites. It's location data from cell phones. It's e-mails and IMs and comments posted to social networking sites. It's tallies from digital voting machines. It's images and meta-data from surveillance cameras. The list goes on and on. We in the security field know the risks associated with trusting digital data, but this evidence is routinely assumed by courts to be accurate. Sergey Bratus is starting to look at this problem. His paper, written with Ashlyn Lembree and Anna Shubina, is "Software on the Witness Stand: What Should it Take for Us to Trust it?"
http://www.schneier.com/blog/archives/2011/04/software_as_evi.html

Interesting blog post on the security costs for the $50B Air Force bomber program -- estimated to be $8B. This isn't all computer security, but the original article specifically calls out Chinese computer espionage as a primary threat.
http://taosecurity.blogspot.com/2011/04/apt-drives-up-bomber-cost.html

A criminal gang is stealing truckloads of food. It's a professional operation. The group knew how wholesale foodstuff trucking worked. They set up a bogus trucking company. They bid for jobs, collected the trailers, and disappeared. Presumably they knew how to fence the goods, too.
http://www.nytimes.com/2011/04/15/business/15bandits.html

The CIA has just declassified six documents about World War I security techniques. (The media is reporting they're CIA documents, but the CIA didn't exist before 1947.) Lots of stuff about secret writing and pre-computer tradecraft.
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-one.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-two.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-three.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-four.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-five.pdf
http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-six.pdf
http://www.fas.org/blog/secrecy/2011/04/cia_wwi.html
http://www.huffingtonpost.com/2011/04/19/cia-world-war-one-documents-declassified_n_851281.html or http://tinyurl.com/6h5e6zg

Hard-drive steganography through fragmentation:
http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragmentation-embeds-a-spys-secrets.html or http://tinyurl.com/4xz4vc5
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-51BBKRS-1&_user=10&_coverDate=01%2F31%2F2011&_rdoc=1&_fmt=high&_orig=gateway&_origin=gateway&_sort=d&_docanchor=&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=ee913861b3d05b46b905bd4d52ca9380&searchtype=a or http://tinyurl.com/3cyhves

As I've written before, I run an open wi-fi network. After the stories of people being arrested and their homes being invaded based on other people using their networks to download child porn, I rethought that position -- and decided I *still* want to run an open wireless network.
http://arstechnica.com/tech-policy/news/2011/04/fbi-child-porn-raid-a-strong-argument-for-locking-down-wifi-networks.ars or http://tinyurl.com/3nvokkh
http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
The EFF is calling for an open wireless movement.
https://www.eff.org/deeplinks/2011/04/open-wireless-movement

It's standard sociological theory that a group experiences social solidarity in response to external conflict. This paper studies the phenomenon in the United States after the 9/11 terrorist attacks.
http://septembereleven2001.files.wordpress.com/2010/06/collins_2004_rituals_of_solidarity.pdf or http://tinyurl.com/3oxwkm5
http://onlinelibrary.wiley.com/doi/10.1111/j.1467-9558.2004.00204.x/abstract or http://tinyurl.com/3moz2en

Good paper: "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," by Jerry Brito and Tate Watkins.
http://mercatus.org/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy or http://tinyurl.com/3dcahg3
http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like-the-bush-admin-talked-wmds.ars or http://tinyurl.com/3pdmlou
Also worth reading is an earlier paper by Sean Lawson: "Beyond Cyber Doom."
http://mercatus.org/publication/beyond-cyber-doom

"ReallyVirtual" tweeted the bin Laden assassination without realizing it.
http://chirpstory.com/li/1288

The Nikon image authentication has been cracked.
http://blog.crackpassword.com/2011/04/nikon-image-authentication-system-compromised/ or http://tinyurl.com/4yv49pw
http://www.theregister.co.uk/2011/04/28/nikon_image_faking_hack/
Canon's system is just as bad, by the way.
http://www.elcomsoft.com/canon.html
Fifteen years ago, I co-authored a paper on the problem. The idea was to use a hash chain to better deal with the possibility of a secret-key compromise.
http://www.schneier.com/paper-camera.html
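The forward-security idea behind that paper, as an added Python example that is my own illustration and not the paper's exact construction: the camera holds only the current key, derives the next one with a one-way hash after every shot, and MACs each image together with the previous tag. Whoever later seizes the camera learns only the current key, so earlier records can neither be altered nor re-authenticated, although new records can still be appended. Assumptions: the verifier holds the seed key off the camera, the domain-separation label and the sample images are constructed.

```python
import hashlib
import hmac

KEY_STEP_LABEL = b"authcam/next-key"  # domain separation for the one-way step (assumption)
ZERO_TAG = bytes(32)                  # chain anchor before the first image


def next_key(key: bytes) -> bytes:
    """One-way step of the hash chain: k_{i+1} = H(label || k_i).
    Knowing k_{i+1} does not reveal k_i; that is what protects earlier records."""
    return hashlib.sha256(KEY_STEP_LABEL + key).digest()


def image_tag(key: bytes, prev_tag: bytes, image: bytes) -> bytes:
    """MAC over the image and the previous tag, so records are also chained in order."""
    return hmac.new(key, prev_tag + image, hashlib.sha256).digest()


class AuthenticatingCamera:
    """Holds only the current key; each capture ratchets forward and discards the old key."""

    def __init__(self, seed_key: bytes):
        self._key = seed_key
        self._prev_tag = ZERO_TAG
        self.index = 0

    def capture(self, image: bytes):
        tag = image_tag(self._key, self._prev_tag, image)
        record = (self.index, image, tag)
        self._key = next_key(self._key)  # the old key no longer exists on the device
        self._prev_tag = tag
        self.index += 1
        return record

    def seize(self):
        """What an attacker who steals the camera learns: current key, chain head, index."""
        return self._key, self._prev_tag, self.index


def verify_log(seed_key: bytes, records) -> bool:
    """Verifier holds the seed key (kept off the camera) and replays the whole chain."""
    key, prev = seed_key, ZERO_TAG
    for expected, (index, image, tag) in enumerate(records):
        if index != expected:
            return False
        if not hmac.compare_digest(image_tag(key, prev, image), tag):
            return False
        key, prev = next_key(key), tag
    return True


def compromise_demo():
    """Returns (honest_ok, tamper_ok, forge_ok, append_ok) for the scenario described above."""
    seed = hashlib.sha256(b"secret shared with the verifier at manufacture (constructed)").digest()
    cam = AuthenticatingCamera(seed)
    log = [cam.capture(b"constructed image %d" % i) for i in range(3)]
    honest_ok = verify_log(seed, log)

    # Attacker steals the camera after image 2 and learns k_3 and tag_2.
    k_now, tag_now, idx = cam.seize()

    # 1. Altering image 0 in place: its tag no longer matches.
    tampered = list(log)
    i, _, t = tampered[0]
    tampered[0] = (i, b"doctored", t)
    tamper_ok = verify_log(seed, tampered)

    # 2. Re-MACing image 0 with the stolen key: wrong key for that position, k_0 is gone.
    forged = list(log)
    forged[0] = (0, b"doctored", image_tag(k_now, ZERO_TAG, b"doctored"))
    forge_ok = verify_log(seed, forged)

    # 3. Appending with the stolen state does verify: forward security protects only the past.
    appended = log + [(idx, b"attacker image", image_tag(k_now, tag_now, b"attacker image"))]
    append_ok = verify_log(seed, appended)
    return honest_ok, tamper_ok, forge_ok, append_ok
```

The third case is the caveat a practitioner should keep in mind: a hash chain limits the damage of a key compromise to records made after the compromise, and the verifier still needs some out-of-band way (a known record count, or a trusted timestamp) to notice that the tail of the log was added or cut by someone else.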

According to this article, students are no longer learning how to write in cursive. And, if they are learning it, they're forgetting how. Certainly the ubiquity of keyboards is leading to a decrease in writing by hand. Relevant to security, the article claims that this is making signatures easier to forge. I'm skeptical. Everyone has a scrawl of some sort; mine has been completely illegible for years. But I don't see document forgery as a big risk; far bigger are the automatic authentication systems that don't have anything to do with traditional forgery.
http://www.nytimes.com/2011/04/28/us/28cursive.html

Unintended security consequences of the new Pyrex recipe: because it's no longer useful in cooking crack cocaine, drug makers now have to steal better stuff from laboratories.
http://www.popsci.com/science/article/2011-03/gray-matter-cant-take-heat or http://tinyurl.com/6967a22

"Operation Pumpkin": Wouldn't it have been great if this were not a joke: the security contingency in place if Kate Middleton tried to run away just before the wedding.
http://www.theregister.co.uk/2011/04/28/operation_pumpkin/

Bin Laden's death causes spike in suspicious package reports. It's not that the risk is greater, it's that the fear is greater.
http://www.schneier.com/blog/archives/2011/05/osamas_death_ca.html

Exactly how did they confirm it was bin Laden's body?
http://www.newscientist.com/article/dn20439-osama-bin-laden-how-dna-identified-his-body.html or http://tinyurl.com/3vrate8
http://www.cnn.com/2011/HEALTH/05/02/bin.laden.body.id/index.html

Here's a clever Web app that locates your stolen camera by searching the EXIF data on public photo databases for your camera's serial number.
http://www.stolencamerafinder.com/

Forged memory: a scary development in rootkits.
http://www.techrepublic.com/blog/security/forged-memory-fools-antimalware-a-new-development-in-rootkits/5443 or http://tinyurl.com/3dpxsyk

New vulnerability in online payment system: the connection between the merchant site and PayPal.
http://www.newscientist.com/article/mg21028095.600-hackers-trick-goods-out-of-online-shopping-sites.html or http://tinyurl.com/3q3j4ob
http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf

In online hacking, we've moved to the world of "steal everything." As both data storage and data processing become cheaper, more and more data is collected and stored. An unanticipated effect of this is that more and more data can be stolen and used. As the article says, data minimization is the most effective security tool against this sort of thing. But -- of course -- it's not in the database owner's interest to limit the data it collects; it's in the interests of those whom the data is about.
http://www.bbc.co.uk/news/technology-13213632

Medieval tally stick discovered in Germany. Note the security built into this primitive contract system. Neither side can cheat -- alter the notches -- because if they do, the two sides won't match.
http://www.schneier.com/blog/archives/2011/05/medieval_tally.html

"Resilience of the Internet Interconnection Ecosystem," by Richard Clayton -- worth reading.
http://www.lightbluetouchpaper.org/2011/04/12/resilience-of-the-internet-interconnection-ecosystem/ or http://tinyurl.com/69fcyql
http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report/at_download/fullReport or http://tinyurl.com/3kkzdmq
http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report/at_download/execSummary or http://tinyurl.com/3fmskr7

FBI surveillance tools:
https://www.eff.org/deeplinks/2011/04/CIPAV_Post


** *** ***** ******* *********** *************

Hijacking the Coreflood Botnet



Earlier this month, the FBI seized control of the Coreflood botnet and shut it down: "According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote 'stop' command to infected machines to disable the Coreflood malware operating on them."

This is a big deal; it's the first time the FBI has done something like this. My guess is that we're going to see a lot more of this sort of thing in the future; it's the obvious solution for botnets.

Not that the approach is without risks: "'Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood,' said Chris Palmer, technology director for the Electronic Frontier Foundation, 'this would still be an extremely sketchy action to take. It's other people's computers and you don't know what's going to happen for sure. You might blow up some important machine.'"

I just don't see this argument convincing very many people. Leaving Coreflood in place could blow up some important machine. And leaving Coreflood in place not only puts the infected computers at risk; it puts the whole Internet at risk. Minimizing the collateral damage is important, but this feels like a place where the interest of the Internet as a whole trumps the interest of those affected by shutting down Coreflood.

The problem as I see it is the slippery slope. Because next, the RIAA is going to want to remotely disable computers they feel are engaged in illegal file sharing. And the FBI is going to want to remotely disable computers they feel are encouraging terrorism. And so on. It's important to have serious legal controls on this counterattack sort of defense.

http://www.wired.com/threatlevel/2011/04/coreflood/
http://baylinks.com/blogs/?p=181
http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/ or http://tinyurl.com/63qupg8
http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html or http://tinyurl.com/3koydsp


** *** ***** ******* *********** *************

Schneier News



Last year, I spoke at a regional TED event: TEDxPSU. The talk is now on the TED website.
http://on.ted.com/Schneier


** *** ***** ******* *********** *************

Interviews with Me About the Sony Hack



These two interviews are what I get for giving interviews when I'm in a bad mood. For the record, I think Sony did a terrible job with its customers' security. I also think that most companies do a terrible job with customers' security, simply because there isn't a financial incentive to do better. And that most of us are pretty secure, despite that.

One of my biggest complaints with these stories is how little actual information we have. We often don't know if any data was actually stolen, only that hackers had access to it. We rarely know how the data was accessed: what sort of vulnerability was used by the hackers. We rarely know the motivations of the hackers: were they criminals, spies, kids, or someone else? We rarely know if the data is actually used for any nefarious purposes; it's generally impossible to connect a data breach with a corresponding fraud incident. Given all of that, it's impossible to say anything useful or definitive about the attack. But the press always wants definitive statements.


http://m.kotaku.com/5797602/dont-blame-sony-you-cant-trust-any-networks
http://www.20minutes.fr/article/718918/bruce-schneier-une-intrusion-informatique-comme-meurtre-impossible-proteger-100


** *** ***** ******* *********** *************

Drugging People and Then Robbing Them



This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They're actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house.

According to the article, when the police tried the same trick with placebos, they got an 86% compliance rate.

Kind of like a real-world version of those fake anti-virus programs that actually contain malware.

http://au.news.yahoo.com/odd/a/-/odd/9268075/police-dress-up-as-doctors-to-test-citizens/ or http://tinyurl.com/3flomba


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2011 by Bruce Schneier.
