Notes from Bruce Schneier's Crypto-Gram of 15 July 2004
1
There was a single guard watching the X-ray machine's monitor, and a line of people putting their bags onto the machine. The people themselves weren't searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just didn't put my bag onto the machine, no one noticed.
It was all good fun, and I very much enjoyed describing this to FinCorp's VP of Corporate Security. He explained to me that he got a $5 million rate reduction from his insurance company by installing that X-ray machine and having some dogs sniff around the building a couple of times a week.
I thought the building's security was a waste of money. It was actually a source of corporate profit.
The point of this story is one that I've made in 'Beyond Fear' and many other places: security decisions are often made for non-security reasons.
2
Regarding the former, banning iPods and USB devices doesn't do any good...because the thief will ignore the ban. USB thumb drives are tiny. What are you going to do, strip search everyone who goes in and out of the building? ...
Regarding the latter, it may do some good but not enough to make it worthwhile. Exactly how is my iPod going to accidentally download sensitive files, and then accidentally upload them somewhere insecure? I use my USB thumb drive for file transfer because it's easier than a CD-R. It's not magically more or less dangerous than a CD-R.
Notes from Bruce Schneier's Crypto-Gram of 15 April 2004
1
My argument may not be obvious, but it's not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.
It doesn't really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.
The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. ...
Not that there would ever be such a thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. ...
But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American -- one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.
The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. ...
What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone's intentions, and their identity has very little to do with that.
2
Since 9/11, airport security has started opening checked luggage more. If they find a locked suitcase, they break the lock. But some travelers lock their suitcases, as they don't want the bags either accidentally opening up in transit or being opened up by some baggage handler looking for something to filch. In an attempt to satisfy both of these requirements, there's now a key escrow lock. You lock and unlock your suitcase normally, but there's a special TSA key that allows airport security to unlock it, too.
3
Here's a story of a woman who posts an ad requesting a nanny. When a potential nanny responds, she asks for references for a background check. Then she places another ad, using the reference material as a fake identity. She gets a job with the good references -- they're real, although for another person -- and then robs the family who hires her. And then she repeats the process.
Look what's going on here. She inserts herself in the middle of a communication between the real nanny and the real employer, pretending to be one to the other. The nanny sends her references to someone she assumes to be a potential employer, not realizing that it is a criminal. The employer receives the references and checks them, not realizing that they don't actually belong to the person who is sending them.
Notes from Bruce Schneier's Crypto-Gram of 15 November 2003
"From: Russell Nelson
> A New York detective was once asked whether pickpockets in
> Manhattan dressed in suits and ties to facilitate their crimes
> subsequent escape. He responded by saying that in twenty years
> he had never arrested even one pickpocket in a tie.
Do you mean this as evidence to bolster your point or to counter it? It seems to me that if he never arrested even one pickpocket in a tie, that would be very good evidence that pickpockets wearing ties escape arrest."
Notes from Bruce Schneier's Crypto-Gram of 15 October 2003
1
"In the US, data about you isn't owned by you; instead, it's owned by those who collected it."
2
"Polish hacking group claims that it has taken control of 450,000 computers, and is now offering to "sell" them to spammers to use. See http://www.wired.com/news/business/0,1367,60747,00.html"
3
"Precision stripping: criminal steals car, chop shop strips car completely down to chassis, chassis dumped on street, cops tow chassis away, chassis sold at auction, criminal buys chassis, chop shop reattaches parts. Result: legitimate car that can be legally sold used. The VIN has been 'laundered'."
Notes from Bruce Schneier's Crypto-Gram of 15 August 2003
1
"It's actually easy to fly on someone else's ticket. Here's how: First, have an upstanding citizen buy an e-ticket. (This also works if you steal someone's identity or credit card.) Second, on the morning of the flight print the boarding pass at home. (Most airlines now offer this convenient feature.) Third, change the name on the e-ticket boarding pass you print out at home to your own. (You can do this with any half-way decent graphics software package.) Fourth, go to the airport, go through security, and get on the airplane."
2
"You can even make a knife on board the plane. Buy some steel epoxy glue at a local hardware store. It comes in two tubes: a base with steel dust and a hardener. Make a knifelike mold by folding a piece of cardboard in half. Then mix equal parts from each tube and form into a knife shape, using a metal fork from your first-class dinner service (or a metal spoon you carry aboard) for the handle. Fifteen minutes later you've got a reasonably sharp, very pointy, black steel knife."
3
"In a recent research paper, S.D. Byers went out on the Internet to see what sorts of hidden information he could find. He concentrated on Microsoft Word, because Word documents are notorious for containing private information that people would sometimes rather not share. This information includes people who wrote or edited the document (as Blair's government discovered), information about the computers and networks and printers involved in the document, text that had been deleted from the document at some prior time, and in some cases text from completely unrelated documents.
Byers collected 100,000 MS Word documents, at random, from the Web. He built three scripts to look for hidden text, and found it in all documents. Most of it was uninteresting -- the name of the author -- but sometimes it was very interesting. His conclusion was that this problem is pervasive.
MS Word was the subject of Byers's paper, but other data files can leak private information: Excel, PowerPoint, PDF, PostScript, etc."
See Byers's research paper: http://www.user-agent.org/word_docs.pdf
4
"When I called to activate an American Express credit card I had received in the mail, the automated system told me that I would have to associate a PIN with it. The system told me that other users liked the idea of using their mother's birthday as a four digit PIN. After some experimentation, I discovered that the system would accept only those four digit PINs that corresponded to dates: 0229 was acceptable but not 0230 and certainly not 3112 (New Year's Eve, European style.) Thus the system policy administrators had reduced the 10,000 possible four-digit PINs to 366."
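To check the 366 figure and put a number on what the date-only policy costs, here is an added example (not from the Crypto-Gram text) that enumerates every four-digit PIN of the form MMDD that names a calendar date, exactly as the excerpt describes the system behaving, and compares the size of that space with the full 10,000. The lockout calculation assumes a hypothetical policy that freezes the card after a fixed number of wrong guesses.

```python
import math
from datetime import date


def date_like_pins():
    """Every four-digit PIN 'MMDD' that is a real calendar date.
    Year 2000 is a leap year, so 0229 is included, matching the excerpt."""
    pins = []
    for month in range(1, 13):
        for day in range(1, 32):
            try:
                date(2000, month, day)
            except ValueError:
                continue  # e.g. 0230, 0431: not a date, so not accepted
            pins.append(f"{month:02d}{day:02d}")
    return pins


def pin_space_bits(space_size):
    """Entropy in bits of a uniformly chosen PIN from a space of this size."""
    return math.log2(space_size)


def lockout_success_probability(space_size, attempts_before_lockout):
    """Chance that random guessing succeeds before a lockout policy (assumed) triggers."""
    return min(1.0, attempts_before_lockout / space_size)


if __name__ == "__main__":
    allowed = date_like_pins()
    print(len(allowed), "date-shaped PINs out of 10000")
    print(f"{pin_space_bits(len(allowed)):.2f} bits vs {pin_space_bits(10000):.2f} bits")
    for tries in (3, 5):
        print(f"lockout after {tries}: p = {lockout_success_probability(len(allowed), tries):.4f}")
```

The policy throws away almost five bits of the PIN's thirteen; with a three-try lockout, a random guess succeeds nearly one time in a hundred instead of one in three thousand, before accounting for the fact that many customers will actually use a birthday.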