-----Original Message-----
From: Bruce Schneier [mailto:[log in to unmask]]
Sent: 15 January 2006 07:36
To: [log in to unmask]
Subject: CRYPTO-GRAM, January 15, 2006

                  CRYPTO-GRAM

               January 15, 2006

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            [log in to unmask]
            <http://www.schneier.com>
           <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0601.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
      Anonymity and Accountability
      Cell Phone Companies and Security
      Crypto-Gram Reprints
      Dutch Botnet
      Internet Explorer Sucks
      Security Notes from All Over: Electronic Shackles and
        Telephone Communications
      News
      Insider Threat Statistics
      Are Computer-Security Export Controls Back?
      Vehicle Tracking in the UK
      Counterpane News
      NSA and Bush's Illegal Eavesdropping
      The Security Threat of Unchecked Presidential Power
      Project Shamrock
      Comments from Readers

** *** ***** ******* *********** *************

      Anonymity and Accountability



In a recent essay, Kevin Kelly warns of the dangers of anonymity. It's
OK in small doses, he maintains, but too much of it is a problem: "(I)n
every system that I have seen where anonymity becomes common, the
system fails. The recent taint in the honor of Wikipedia stems from the
extreme ease which anonymous declarations can be put into a very
visible public record. Communities infected with anonymity will either
collapse, or shift the anonymous to pseudo-anonymous, as in eBay, where
you have a traceable identity behind an invented nickname."

Kelly has a point, but it comes out all wrong. Anonymous systems are
inherently easier to abuse and harder to secure, as his eBay example
illustrates. In an anonymous commerce system -- where the buyer does
not know who the seller is and vice versa -- it's easy for one to cheat
the other. This cheating, even if only a minority engaged in it, would
quickly erode confidence in the marketplace, and eBay would be out of
business. The auction site's solution was brilliant: a feedback system
that attached an ongoing "reputation" to those anonymous user names,
and made buyers and sellers accountable for their actions.

And that's precisely where Kelly makes his mistake. The problem isn't
anonymity; it's accountability. If someone isn't accountable, then
knowing his name doesn't help. If you have someone who is completely
anonymous, yet just as completely accountable, then -- heck, just call
him Fred.

History is filled with bandits and pirates who amass reputations
without anyone knowing their real names.

EBay's feedback system doesn't work because there's a traceable
identity behind that anonymous nickname. EBay's feedback system works
because each anonymous nickname comes with a record of previous
transactions attached, and if someone cheats someone else then
everybody knows it.

Similarly, Wikipedia's veracity problems are not a result of anonymous
authors adding fabrications to entries. They're an inherent property of
an information system with distributed accountability. People think of
Wikipedia as an encyclopedia, but it's not. We all trust Britannica
entries to be correct because we know the reputation of that company,
and by extension its editors and writers. On the other hand, we all
should know that Wikipedia will contain a small amount of false
information because no particular person is accountable for accuracy --
and that would be true even if you could mouse over each sentence and
see the name of the person who wrote it.

Historically, accountability has been tied to identity, but there's no
reason why it has to be so. My name doesn't have to be on my credit
card. I could have an anonymous photo ID that proved I was of legal
drinking age. There's no reason for my e-mail address to be related to
my legal name.

This is what Kelly calls pseudo-anonymity. In these systems, you hand
your identity to a trusted third party that promises to respect your
anonymity to a limited degree. For example, I have a credit card in
another name from my credit-card company. It's tied to my account, but
it allows me to remain anonymous to merchants I do business with.

The security of pseudo-anonymity inherently depends on how trusted that
"trusted third party" is. Depending on both local laws and how much
they're respected, pseudo-anonymity can be broken by corporations, the
police or the government. It can be broken by the police collecting a
whole lot of information about you, or by ChoicePoint collecting
billions of tiny pieces of information about everyone and then making
correlations. Pseudo-anonymity is only limited anonymity. It's
anonymity from those without power, and not from those with power.
Remember that anon.penet.fi couldn't stay up in the face of government.

In a perfect world, we wouldn't need anonymity. It wouldn't be
necessary for commerce, since no one would ostracize or blackmail you
based on what you purchased. It wouldn't be necessary for internet
activities, because no one would blackmail or arrest you based on who
you corresponded with or what you read. It wouldn't be necessary for
AIDS patients, members of fringe political parties or people who call
suicide hotlines. Yes, criminals use anonymity, just like they use
everything else society has to offer. But the benefits of anonymity --
extensively discussed in an excellent essay by Gary T. Marx -- far
outweigh the risks.

In Kelly's world -- a perfect world -- limited anonymity is enough
because the only people who would harm you are individuals who cannot
learn your identity, and not those in power who can.

We do not live in a perfect world. We live in a world where information
about our activities -- even ones that are perfectly legal -- can
easily be turned against us. Recent news reports have described a
student being hounded by his college because he said uncomplimentary
things in his blog, corporations filing SLAPP lawsuits against people
who criticize them, and people being profiled based on their political
speech.

We live in a world where the police and the government are made up of
less-than-perfect individuals who can use personal information about
people, together with their enormous power, for imperfect purposes.
Anonymity protects all of us from the powerful by the simple measure of
not letting them get our personal information in the first place.

This essay originally appeared in Wired:
<http://www.wired.com/news/columns/0,70000-0.html>

Kelly's original essay:
<http://www.edge.org/q2006/q06_4.html>

Gary T. Marx on anonymity:
<http://web.mit.edu/gtmarx/www/anon.html>


** *** ***** ******* *********** *************

      Cell Phone Companies and Security



This is a fascinating story of cell phone fraud, security, economics,
and externalities. Its moral is obvious, and demonstrates how economic
considerations drive security decisions. According to "The Globe and
Mail":

"Susan Drummond was a customer of Rogers Wireless, a large Canadian
cell phone company. Her phone was cloned while she was on vacation,
and she got a $12,237.60 phone bill (her typical bill was $75). Rogers
maintains that there is nothing to be done, and that Drummond has to pay."

Like all cell phone companies, Rogers has automatic fraud detection
systems that detect this kind of abnormal cell phone usage. They don't
turn the cell phones off, though, because they don't want to annoy
their customers.

"Ms. Hopper [a manager in Roger's security department] said terrorist
groups had identified senior cell phone company officers as perfect
targets, since the company was loath to shut off their phones for
reasons that included inconvenience to busy executives and, of course,
the public-relations debacle that would take place if word got out."

As long as Rogers can get others to pay for the fraud, this makes
perfect sense. Shutting off a phone based on an automatic
fraud-detection system costs the phone company in two ways: people
inconvenienced by false alarms, and bad press. But the major cost of
not shutting off a phone remains an externality: the customer pays for it.

In fact, there seems be some evidence that Rogers decides whether or
not to shut off a suspicious phone based on the customer's ability to pay:

"Ms. Innes [a vice-president with Rogers Communications] said that
Rogers has a policy of contacting consumers if fraud is suspected. In
some cases, she admitted, phones are shut off automatically, but
refused to say what criteria were used. (Ms. Drummond and Mr. Gefen
believe that the company bases the decision on a customer's
creditworthiness. 'If you have the financial history, they let the
meter run,' Ms. Drummond said.) Ms. Drummond noted that she has a
salary of more than $100,000, and a sterling credit history. 'They knew
something was wrong, but they thought they could get the money out of
me. It's ridiculous.'"

Makes sense from Rogers' point of view. High-paying customers are 1)
more likely to pay, and 2) more damaging if pissed off in a false
alarm. Again, economic considerations trump security.

Rogers is defending itself in court, and shows no signs of backing down:

"In court filings, the company has made it clear that it intends to
hold Ms. Drummond responsible for the calls made on her phone. '. . .
the plaintiff is responsible for all calls made on her phone prior to
the date of notification that her phone was stolen,' the company says.
'The Plaintiff's failure to mitigate deprived the Defendant of the
opportunity to take any action to stop fraudulent calls prior to the
28th of August 2005.'"

The solution here is obvious: Rogers should not be able to charge its
customers for telephone calls they did not make. Ms. Drummond's phone
was cloned; there is no possible way she could notify Rogers of this
before she saw calls she did not make on her bill. She is also
completely powerless to affect the anti-cloning security in the Rogers
phone system. To make her liable for the fraud is to ensure that the
problem never gets fixed.

Rogers is the only party in a position to do something about the
problem. The company can, and according to the article has,
implemented automatic fraud-detection software.

Rogers customers will pay for the fraud in any case. If they are
responsible for the loss, either they'll take their chances and pay a
lot only if they are the victims, or there'll be some insurance scheme
that spreads the cost over the entire customer base. If Rogers is
responsible for the loss, then the customers will pay in the form of
slightly higher prices. But only if Rogers is responsible for the loss
will they implement security countermeasures to limit fraud.

And if they do that, everyone benefits.

<http://www.globetechnology.com/servlet/story/RTGAM.20051217.wxcellphone
1217/BNStory/Technology/> or <http://tinyurl.com/ajl83>
<http://it.slashdot.org/article.pl?sid=05/12/17/1729245&tid=172&tid=215>
  or <http://tinyurl.com/cb7j2>


** *** ***** ******* *********** *************

      Crypto-Gram Reprints



Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram-back.html>. These are a selection
of articles that appeared in this calendar month in other years.

Fingerprinting Students:
<http://www.schneier.com/crypto-gram-0501.html#1>

Cyberwar:
<http://www.schneier.com/crypto-gram-0501.html#10>

Diverting Aircraft and National Intelligence:
<http://www.schneier.com/crypto-gram-0401.html#11>

Fingerprinting Foreigners:
<http://www.schneier.com/crypto-gram-0401.html#3>

Color-coded Terrorist Threat Levels:
<http://www.schneier.com/crypto-gram-0401.html#1>

Militaries and Cyber-War:
<http://www.schneier.com./crypto-gram-0301.html#1>

A cyber Underwriters Laboratories?
<http://www.schneier.com/crypto-gram-0101.html#1>

Code signing:
<http://www.schneier.com/crypto-gram-0101.html#10>

Block and stream ciphers:
<http://www.schneier.com/crypto-gram-0001.html#BlockandStreamCiphers>


** *** ***** ******* *********** *************

      Dutch Botnet



Back in October, the Dutch police arrested three people who created a
large botnet and used it to extort money from U.S. companies. When the
trio was arrested, authorities said that the botnet consisted of about
100,000 computers. The actual number was 1.5 million computers.

And I've heard reports from reputable sources that the actual actual
number was "significantly higher."

And it may still be growing. The bots continually scan the network and
try to infect other machines. They do this autonomously, even after
the command and control node was shut down. Since most of those 1.5
million machines -- or however many there are -- still have the botnet
software running on them, it's reasonable to believe that the botnet is
still growing.

<http://informationweek.com/story/showArticle.jhtml?articleID=172303265>
  or <http://tinyurl.com/95s5e>


** *** ***** ******* *********** *************

      Internet Explorer Sucks



This study is from August, but I missed it. The researchers tracked
three browsers (MSIE, Firefox, Opera) in 2004 and counted which days
they were "known unsafe." Their definition of "known unsafe": a
remotely exploitable security vulnerability had been publicly announced
and no patch was yet available.

MSIE was 98% unsafe. There were only 7 days in 2004 without an
unpatched publicly disclosed security hole.

Firefox was 15% unsafe. There were 56 days with an unpatched publicly
disclosed security hole. 30 of those days were a Mac hole that only
affected Mac users. Windows Firefox was 7% unsafe.

Opera was 17% unsafe: 65 days. That number is accidentally a little
better than it should be, as two of the unpatched periods happened to
overlap.

This underestimates the risk, because it doesn't count vulnerabilities
known to the bad guys but not publicly disclosed (and it's foolish to
think that such things don't exist). So the "98% unsafe" figure for
MSIE is generous, and the situation might be even worse.

<http://bcheck.scanit.be/bcheck/page.php?name=STATS2004>


** *** ***** ******* *********** *************

      Security Notes from All Over: Electronic Shackles and
        Telephone Communications



The article is in Hebrew, but the security story is funny in any language.

It's about a prisoner who was forced to wear an electronic shackle to
monitor that he did not violate his home arrest. The shackle is pretty
simple: if the suspect leaves the defined detention area, the
electronic shackle signals through the telephone line to the local police.

How do you defeat a system such as this? Just stop paying your phone
bill and wait for the phone company to shut off service.

<http://www.haaretz.co.il/hasite/pages/ShArt.jhtml?contrassID=1&subContr
assID=5&sbSubContrassID=0&itemNo=660328> or <http://tinyurl.com/bjhth>


** *** ***** ******* *********** *************

      News



Two stories that shamelessly hype computer crime:
<http://www.cnn.com/SPECIALS/2005/online.security/>
<http://www.usatoday.com/tech/news/internetprivacy/2005-12-14-meth-onlin
e-theft_x.htm> or <http://tinyurl.com/a2be8>
Beware the Four Horsemen of the Information Apocalypse: terrorists,
drug dealers, kidnappers, and child pornographers. Seems like you can
scare the public into allowing the government to do anything with those
four.

Microsoft received a Common Criteria (CC) EAL 4+ certification for
Windows, demonstrating how weak such a certification really is:
<http://www.eweek.com/article2/0,1895,1901965,00.asp>

After FBI agents expressed frustration that the Office of Intelligence
Policy and Review wasn't approving their orders under Section 215 of
the Patriot Act, procedural changes were made allowing the FBI to
bypass that office.
<http://www.epic.org/foia_notes/note10.html>
Remember, the issue here is not whether or not the FBI can engage in
counterterrorism. The issue is the erosion of judicial oversight --
the only check we have on police power. And this power grab is
dangerous regardless of which party is in the White House at the moment.

Meanwhile, the U.S. military is spying on Americans. Specifically, the
Department of Defense is collecting data on legal and peaceful war
protesters, in violation of U.S. law.
<http://www.msnbc.msn.com/id/10454316/>

Four hundred pounds of high explosive stolen from a "bunker" outside
Albuquerque owned by Cherry Engineering. Note that it had no guards
and no surveillance cameras:
<http://www.abcnews.go.com/GMA/story?id=1424214>
It was recovered:
<http://www.atf.gov/press/fy06press/field/122405pho_atf_new_mexico.htm>
or <http://tinyurl.com/d6gc4>

An interesting interview with OpenSSH developer Damien Miller:
<http://www.securityfocus.com/columnists/375>

Adaptable criminals: as automobile security devices become more
effective, thieves are more likely to break into homes in order to
steal the keys.
<http://www.themercury.news.com.au/common/story_page/0,5936,17605616^346
2,00.html> or <http://tinyurl.com/8ytkp>

Idiotic article on TPM:
<http://www.msnbc.msn.com/ID/10441443>
My commentary:
<http://www.schneier.com/blog/archives/2005/12/idiotic_article.html>

Here's a child pornographer who received the Sober.Y worm. This worm
has an official-sounding message to entice recipients to open the
attachment. He got so scared that he turned himself into the police.
<http://news.yahoo.com/s/nm/20051220/wr_nm/crime_germany_worm_dc>

The story of the UMass Dartmouth student who claimed that Homeland
Security agents visited him after he requested Mao Zedong's "Little Red
Book" from the library is a hoax:
<http://www.southcoasttoday.com/daily/12-05/12-24-05/a01lo719.htm>
I don't know what the moral is, here. 1) He's an idiot. 2) Don't
believe everything you read. 3) We live in such an invasive political
climate that such stories are easily believable. 4) He's definitely an
idiot.

New TSA guidelines from The Onion:
<http://www.theonion.com/content/node/43716>

Richard M Smith has some interesting ideas on how to test if the NSA is
eavesdropping on your e-mail.
<http://www.computerbytesman.com/privacy/emailsnooping.htm>
The only problem is that you might get a knock on your door by some
random investigative agency. Or get searched every time you try to get
on an airplane. But I think that risk is pretty low, actually. If
people actually do this, please report back. I'm very curious.

Good essay on bug bounties, and why they're not a substitute for
security auditing:
<http://www.pebbleandavalanche.com/weblog/2005/12/19/blog-20051219T0454>
  or <http://tinyurl.com/896bh>
This is not to say that bug bounties aren't a good idea. They're a
good addition to rigorous software development and testing.

Bomb-sniffing wasps may be more effective--and cheaper--than alternatives:
<http://www.usatoday.com/tech/news/2005-12-26-wasps-terrorism_x.htm>
Bomb-sniffing bees, too:
<http://www.defensetech.org/archives/001754.html>

Here's how to make an RFID-blocking wallet out of duct tape:
<http://www.rpi-polymath.com/ducttape/RFIDWallet.php>

The U.S. Department of Justice is no better than anyone else at
protecting individual privacy:
<http://www.informationweek.com/news/showArticle.jhtml?articleID=1754001
50> or <http://tinyurl.com/exs27>

Good stuff about the unforeseen security effects of weak ID cards:
<http://www.theregister.co.uk/2005/12/28/lords_voluntary_id_register_pla
n> or <http://tinyurl.com/7nvz4>

EPIC's Top Ten Privacy Stories of 2005, and their Top Ten Issues to
Watch in 2006. Definitely worth reading.
<http://www.epic.org/alert/EPIC_Alert_yir2005.html>

The Treasury Department estimates that cybercrime netted $105 billion
in 2004, more than illegal drugs. The question always is: how did they
calculate that number? If I download an audio CD, is that $15 in
cybercrime? If so, don't believe the total.
<http://money.cnn.com/2005/12/29/technology/computer_security/index.htm>
  or <http://tinyurl.com/aaskv>

A hand-held device that disables passive RFID chips:
<https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)>

A fascinating data-mining experiment using Amazon wish lists:
<http://www.applefritter.com/node/view/10074>
Now, imagine the false alarms and abuses that are possible if you have
lots more data, and lots more computers to slice and dice it. Of
course, there are applications where this sort of data mining makes a
whole lot of sense. But finding terrorists isn't one of them. It's a
needle-in-a-haystack problem, and piling on more hay doesn't help
matters much.

In Wisconsin, electronic voting machines must produce paper ballots and
have open-source software.
<http://wistechnology.com/article.php?id=2585>
My previous essays on electronic voting:
<http://www.schneier.com/essay-068.html>
<http://www.schneier.com/crypto-gram-0312.html#9>
<http://www.schneier.com/crypto-gram-0012.html#1>

An airline passenger wrote the words "suicide bomber" in his journal,
and was arrested.
<http://news.yahoo.com/s/nm/20060105/od_uk_nm/oukoe_uk_life_passenger>
<http://www.mercurynews.com/mld/mercurynews/news/local/states/california
/the_valley/13551154.htm> or <http://tinyurl.com/b2yu7>
My commentary is here:
<http://www.schneier.com/blog/archives/2006/01/stupid_band_nam.html>

Anyone can get anyone's phone records:
<http://www.suntimes.com/output/news/cst-nws-privacy05.html>
<http://www.concurringopinions.com/archives/2006/01/cell_phone_reco_1.html>
<http://www.boingboing.net/2006/01/08/online_service_claim.html>
<http://west.epic.org/archives/2006/01/pretexting_isnt.html>
Seems like this is done by something called "pretexting," which means
calling up the phone company and lying about who you are. Sounds like
fraud to me.

Annoying people anonymously on the Internet is against U.S. law:
<http://news.com.com/Create+an+e-annoyance%2C+go+to+jail/2010-1028_3-602
2491.html> or <http://tinyurl.com/a2kqp>
See the comment by an attorney, who says this was previously true:
<http://www.boingboing.net/2006/01/09/flame_someone_anonym.html>
What does it mean for our society when obviously stupid laws like this
get passed, and we have to rely on the police being nice enough to not
enforce them?

Security checks for space travelers, including physical screening and
matching people against a watch list:
<http://www.cnn.com/2006/TECH/space/01/04/space.travel.reut>
<http://news.bbc.co.uk/1/hi/sci/tech/4589072.stm>

"Residents of a trendy London neighbourhood are to become the first in
Britain to receive 'Asbo TV' -- television beamed live to their homes
from CCTV cameras on the surrounding streets."
<http://www.timesonline.co.uk/article/0,,2087-1974974,00.html>

Interesting story about forged credentials and security:
<http://www.schneier.com/blog/archives/2006/01/forged_credenti.html>

REAL ID is turning out to be more expensive than initially anticipated.
<http://news.yahoo.com/s/ap/20060112/ap_on_re_us/real_id>
Remember, security is a trade-off. REAL ID is a bad idea primarily
because the security gained is not worth the enormous expense.

The ACLU has a new site on REAL ID:
<http://www.realnightmare.org/>


** *** ***** ******* *********** *************

      Insider Threat Statistics



Interesting statistics from Europe. (I doubt they're any different in
the U.S.)

* One in five workers (21%) let family and friends use company laptops
and PCs to access the Internet.

* More than half (51%) connect their own devices or gadgets to their
work PC.

* A quarter of these do so every day.

* Around 60% admit to storing personal content on their work PC.

* One in ten confessed to downloading content at work they shouldn't.

* Two thirds (62%) admitted they have a very limited knowledge of IT
Security.

* More than half (51%) had no idea how to update the anti-virus
protection on their company PC.

* Five percent say they have accessed areas of their IT system they
shouldn't have.

One caveat: the study is from McAfee, who has a vested interest in
inflating this sort of threat.

I like their "four types of employees who put their workplace at
risk": the Security Softie, the Gadget Geek, the Squatter, and the
Saboteur.

<http://www.theregister.co.uk/2005/12/15/mcafee_internal_security_survey
/> or <http://tinyurl.com/8rjz5>


** *** ***** ******* *********** *************

      Are Computer-Security Export Controls Back?



I thought U.S. export regulations were finally over and done with, at
least for software. Then why is Symantec sending this to foreign
customers:

"Unfortunately, due to strict US Government export regulations Symantec
is only able to fulfill new LC5 orders or offer technical support
directly with end-users located in the United States and commercial
entities in Canada, provided all screening is successful.

"Commodities, technology or software is subject to U.S. Dept. of
Commerce, Bureau of Industry and Security control if exported or
electronically transferred outside of the USA. Commodities, technology
or software are controlled under ECCN 5A002.c.1, cryptanalytic.

"You can also access further information on our web site at the
following address:
<http://www.symantec.com/region/reg_eu/techsupp/enterprise/index.html>"

The software in question is the password breaking and auditing tool
called LC5, better known as L0phtCrack. Look to me like they're just
killing it, and using the government as an excuse.

<http://www.theregister.co.uk/2005/11/25/symantec_l0phtcrack_export_cont
roversy/> or <http://tinyurl.com/89vto>
<http://it.slashdot.org/article.pl?sid=05/12/22/1548209>


** *** ***** ******* *********** *************

      Vehicle Tracking in the UK



Universal automobile surveillance is coming. According to "The
Independent":

"Britain is to become the first country in the world where the
movements of all vehicles on the roads are recorded. A new national
surveillance system will hold the records for at least two years.

"Using a network of cameras that can automatically read every passing
number plate, the plan is to build a huge database of vehicle movements
so that the police and security services can analyse any journey a
driver has made over several years.

"The network will incorporate thousands of existing CCTV cameras which
are being converted to read number plates automatically night and day
to provide 24/7 coverage of all motorways and main roads, as well as
towns, cities, ports and petrol-station forecourts.

"By next March a central database installed alongside the Police
National Computer in Hendon, north London, will store the details of 35
million number-plate "reads" per day. These will include time, date and
precise location, with camera sites monitored by global positioning
satellites. "

In another article, "The Independent" opines that this is only the
beginning:

"The new national surveillance network for tracking car journeys, which
has taken more than 25 years to develop, is only the beginning of plans
to monitor the movements of all British citizens. The Home Office
Scientific Development Branch in Hertfordshire is already working on
ways of automatically recognising human faces by computer, which many
people would see as truly introducing the prospect of Orwellian street
surveillance, where our every move is recorded and stored by machines.

"Although the problems of facial recognition by computer are far more
formidable than for car number plates, experts believe it is only a
matter of time before machines can reliably pull a face out of a crowd
of moving people.

"If the police and security services can show that a national
surveillance operation based on recording car movements can protect the
public against criminals and terrorists, there will be a strong
political will to do the same with street cameras designed to monitor
the flow of human traffic. "

I've already written about the security risks of what I call "wholesale
surveillance." Once this information is collected, it will be misused,
lost, and stolen. It will be filled with errors. The problems and
insecurities that come from living in a surveillance society more than
outweigh any crimefighting (and terrorist-fighting) advantages.

<http://news.independent.co.uk/uk/transport/article334686.ece>
<http://news.independent.co.uk/world/science_technology/article334684.ece>

My previous essays on wholesale surveillance:
<http://www.schneier.com/essay-061.html>
<http://www.schneier.com/essay-057.html>


** *** ***** ******* *********** *************

      Counterpane News



Counterpane announced a partnership with Verano to extend monitoring to
real-time control systems.
<http://www.counterpane.com/pr-20060109.html>

Schneier is speaking at the RSA Conference, February 14-26, in San
Jose. He will speak on "The Economics of Security" at 4:30 PM on the
14th, and again on "Why Security Has So Little to Do with Security" at
2:00 PM on the 15th. He will participate in a main-stage panel on ID
cards at 8:00 AM on the 16th.
<http://2006.rsaconference.com/us/>

Gartner has named Counterpane as the leading visionary company in its
December 2005 Managed Security Services Provider Magic Quadrant report.
<http://www.counterpane.com/pr-20060113.html>



** *** ***** ******* *********** *************

      NSA and Bush's Illegal Eavesdropping



(Note: I wrote this essay in the days after the scandal broke.)

When President Bush directed the National Security Agency to secretly
eavesdrop on American citizens, he transferred an authority previously
under the purview of the Justice Department to the Defense Department
and bypassed the very laws put in place to protect Americans against
widespread government eavesdropping. The reason may have been to tap
the NSA's capability for data-mining and widespread surveillance.

Illegal wiretapping of Americans is nothing new. In the 1950s and '60s,
in a program called "Project Shamrock," the NSA intercepted every
single telegram coming into or going out of the United States. It
conducted eavesdropping without a warrant on behalf of the CIA and
other agencies. Much of this became public during the 1975 Church
Committee hearings and resulted in the now famous Foreign Intelligence
Surveillance Act (FISA) of 1978.

The purpose of this law was to protect the American people by
regulating government eavesdropping. Like many laws limiting the power
of government, it relies on checks and balances: one branch of the
government watching the other. The law established a secret court, the
Foreign Intelligence Surveillance Court (FISC), and empowered it to
approve national-security-related eavesdropping warrants. The Justice
Department can request FISA warrants to monitor foreign communications
as well as communications by American citizens, provided that they meet
certain minimal criteria.

The FISC issued about 500 FISA warrants per year from 1979 through
1995, and has slowly increased subsequently -- 1,758 were issued in
2004. The process is designed for speed and even has provisions where
the Justice Department can wiretap first and ask for permission later.
In all that time, only four warrant requests were ever rejected: all in
2003. (We don't know any details, of course, as the court proceedings
are secret.)

FISA warrants are carried out by the FBI, but in the days immediately
after the terrorist attacks, there was a widespread perception in
Washington that the FBI wasn't up to dealing with these new threats --
they couldn't uncover plots in a timely manner. So instead the Bush
administration turned to the NSA. They had the tools, the expertise,
the experience, and so they were given the mission.

The NSA's ability to eavesdrop on communications is exemplified by a
technological capability called Echelon. Echelon is the world's largest
information "vacuum cleaner," sucking up a staggering amount of voice,
fax, and data communications -- satellite, microwave, fiber-optic,
cellular and everything else -- from all over the world: an estimated 3
billion communications per day. These communications are then processed
through sophisticated data-mining technologies, which look for simple
phrases like "assassinate the president" as well as more complicated
communications patterns.

Supposedly Echelon only covers communications outside of the United
States. Although there is no evidence that the Bush administration has
employed Echelon to monitor communications to and from the U.S., this
surveillance capability is probably exactly what the president wanted
and may explain why the administration sought to bypass the FISA
process of acquiring a warrant for searches.

Perhaps the NSA just didn't have any experience submitting FISA
warrants, so Bush unilaterally waived that requirement. And perhaps
Bush thought FISA was a hindrance -- in 2002 there was a widespread but
false belief that the FISC got in the way of the investigation of
Zacarias Moussaoui (the presumed "20th hijacker") -- and bypassed the
court for that reason.

Most likely, Bush wanted a whole new surveillance paradigm. You can
think of the FBI's capabilities as "retail surveillance": It eavesdrops
on a particular person or phone. The NSA, on the other hand, conducts
"wholesale surveillance." It, or more exactly its computers, listens to
everything. An example might be to feed the computers every voice, fax,
and e-mail communication looking for the name "Ayman al-Zawahiri." This
type of surveillance is more along the lines of Project Shamrock, and
not legal under FISA. As Sen. Jay Rockefeller wrote in a secret memo
after being briefed on the program, it raises "profound oversight issues."

It is also unclear whether Echelon-style eavesdropping would prevent
terrorist attacks. In the months before 9/11, Echelon noticed
considerable "chatter": bits of conversation suggesting some sort of
imminent attack. But because much of the planning for 9/11 occurred
face-to-face, analysts were unable to learn details.

The fundamental issue here is security, but it's not the security most
people think of. James Madison famously said: "If men were angels, no
government would be necessary. If angels were to govern men, neither
external nor internal controls on government would be necessary."
Terrorism is a serious risk to our nation, but an even greater threat
is the centralization of American political power in the hands of any
single branch of the government.

Over 200 years ago, the framers of the U.S. Constitution established an
ingenious security device against tyrannical government: they divided
government power among three different bodies. A carefully thought out
system of checks and balances in the executive branch, the legislative
branch, and the judicial branch, ensured that no single branch became
too powerful.

After watching tyrannies rise and fall throughout Europe, this seemed
like a prudent way to form a government. Courts monitor the actions of
police. Congress passes laws that even the president must follow. Since
9/11, the United States has seen an enormous power grab by the
executive branch. It's time we brought back the security system that's
protected us from government for over 200 years.

A version of this essay originally appeared in Salon:
<http://www.salon.com/opinion/feature/2005/12/20/surveillance/>

Text of FISA:
<http://www.law.cornell.edu/uscode/html/uscode50/usc_sup_01_50_10_36_20_
I.html> or <http://tinyurl.com/d7ra4>

Summary of annual FISA warrants:
<http://www.epic.org/privacy/wiretap/stats/fisa_stats.html>

Rockefeller's secret memo:
<http://talkingpointsmemo.com/docs/rock-cheney1.html>

Much more here:
<http://www.schneier.com/blog/archives/2005/12/nsa_and_bushs_i.html>


** *** ***** ******* *********** *************

      The Security Threat of Unchecked Presidential Power



Last Thursday [15 December 2005], the "New York Times" exposed the most
significant violation of federal surveillance law in the post-Watergate
era. President Bush secretly authorized the National Security Agency to
engage in domestic spying, wiretapping thousands of Americans and
bypassing the legal procedures regulating this activity.

This isn't about the spying, although that's a major issue in itself.
This is about the Fourth Amendment protections against illegal search.
This is about circumventing a teeny tiny check by the judicial branch,
placed there by the legislative branch, placed there 27 years ago -- on
the last occasion that the executive branch abused its power so broadly.

In defending this secret spying on Americans, Bush said that he relied
on his constitutional powers (Article 2) and the joint resolution
passed by Congress after 9/11 that led to the war in Iraq. This
rationale was spelled out in a memo written by John Yoo, a White House
attorney, less than two weeks after the attacks of 9/11. It's a dense
read and a terrifying piece of legal contortionism, but it basically
says that the president has unlimited powers to fight terrorism. He can
spy on anyone, arrest anyone, and kidnap anyone and ship him to another
country ... merely on the suspicion that he might be a terrorist. And
according to the memo, this power lasts until there is no more
terrorism in the world.

Yoo starts by arguing that the Constitution gives the president total
power during wartime. He also notes that Congress has recently been
quiescent when the president takes some military action on his own,
citing President Clinton's 1998 strike against Sudan and Afghanistan.

Yoo then says: "The terrorist incidents of September 11, 2001, were
surely far graver a threat to the national security of the United
States than the 1998 attacks. ... The President's power to respond
militarily to the later attacks must be correspondingly broader."

This is novel reasoning. It's as if the police would have greater
powers when investigating a murder than a burglary.

More to the point, the congressional resolution of Sept. 14, 2001,
specifically refused the White House's initial attempt to seek
authority to preempt any future acts of terrorism, and narrowly gave
Bush permission to go after those responsible for the attacks on the
Pentagon and World Trade Center.

Yoo's memo ignored this. Written 11 days after Congress refused to
grant the president wide-ranging powers, it admitted that "the Joint
Resolution is somewhat narrower than the President's constitutional
authority," but argued "the President's broad constitutional power to
use military force ... would allow the President to ... [take] whatever
actions he deems appropriate ... to pre-empt or respond to terrorist
threats from new quarters."

Even if Congress specifically says no.

The result is that the president's wartime powers, with its armies,
battles, victories, and congressional declarations, now extend to the
rhetorical "War on Terror": a war with no fronts, no boundaries, no
opposing army, and -- most ominously -- no knowable "victory."
Investigations, arrests, and trials are not tools of war. But according
to the Yoo memo, the president can define war however he chooses, and
remain "at war" for as long as he chooses.

This is indefinite dictatorial power. And I don't use that term
lightly; the very definition of a dictatorship is a system that puts a
ruler above the law. In the weeks after 9/11, while America and the
world were grieving, Bush built a legal rationale for a dictatorship.
Then he immediately started using it to avoid the law.

This is, fundamentally, why this issue crossed political lines in
Congress. If the president can ignore laws regulating surveillance and
wiretapping, why is Congress bothering to debate reauthorizing certain
provisions of the Patriot Act? Any debate over laws is predicated on
the belief that the executive branch will follow the law.

This is not a partisan issue between Democrats and Republicans; it's a
president unilaterally overriding the Fourth Amendment, Congress and
the Supreme Court. Unchecked presidential power has nothing to do with
how much you either love or hate George W. Bush. You have to imagine
this power in the hands of the person you most don't want to see as
president, whether it be Dick Cheney or Hillary Rodham Clinton, Michael
Moore or Ann Coulter.

Laws are what give us security against the actions of the majority and
the powerful. If we discard our constitutional protections against
tyranny in an attempt to protect us from terrorism, we're all less safe
as a result.

This essay was published on December 21 as an op-ed in the "Minneapolis
Star Tribune."
<http://www.startribune.com/562/story/138326.html>

Here's the opening paragraph of the Yoo memo. Remember, think of this
power in the hands of your least favorite politician when you read it:

"You have asked for our opinion as to the scope of the President's
authority to take military action in response to the terrorist attacks
on the United States on September 11, 2001. We conclude that the
President has broad constitutional power to use military force.
Congress has acknowledged this inherent executive power in both the War
Powers Resolution, Pub. L. No. 93-148, 87 Stat. 555 (1973), codified at
50 U.S.C. '' 1541-1548 (the "WPR"), and in the Joint Resolution passed
by Congress on September 14, 2001, Pub. L. No. 107-40, 115 Stat. 224
(2001). Further, the President has the constitutional power not only to
retaliate against any person, organization, or State suspected of
involvement in terrorist attacks on the United States, but also against
foreign States suspected of harboring or supporting such organizations.
Finally, the President may deploy military force preemptively against
terrorist organizations or the States that harbor or support them,
whether or not they
  can be linked to the specific terrorist incidents of September 11."

There's a similar reasoning in the Braybee memo, which was written in
2002 about torture:

Yoo memo:
<http://www.usdoj.gov/olc/warpowers925.htm>

Braybee Memo:
<http://www.washingtonpost.com/wp-srv/nation/documents/dojinterrogationm
emo20020801.pdf>

This story has taken on a life of its own. But there are about a
zillion links and such listed here:
<http://www.schneier.com/blog/archives/2005/12/the_security_th_1.html>
I am especially amused by the bit about NSA shift supervisors making
decisions legally reserved for the FISA court.


** *** ***** ******* *********** *************

      Project Shamrock



Decades before 9/11, and the subsequent Bush order that directed the
NSA to eavesdrop on every phone call, e-mail message, and
who-knows-what-else going into or out of the United States, U.S.
citizens included, they did the same thing with telegrams. It was
called Project Shamrock, and anyone who thinks this is new legal and
technological terrain should read up on that program.

 From Wikipedia: "Project SHAMROCK...was an espionage exercise that
involved the accumulation of all telegraphic data entering into or
exiting from the United States. The Armed Forces Security Agency (AFSA)
and its successor NSA were given direct access to daily microfilm
copies of all incoming, outgoing, and transiting telegraphs via the
Western Union and its associates RCA and ITT. Operation Shamrock lasted
well into the 1960s when computerized operations (HARVEST) made it
possible to search for keywords rather than read through all
communications.

"Project SHAMROCK became so successful that in 1966 the NSA and CIA set
up a front company in lower Manhattan (where the offices of the
telegraph companies were located) under the codename LPMEDLEY. At the
height of Project SHAMROCK, 150,000 messages a month were printed and
analyzed by NSA agents. In May 1975 however, congressional critics
began to investigate and expose the program. As a result, NSA director
Lew Allen terminated it. The testimony of both the representatives from
the cable companies and of director Allen at the hearings prompted
Senate Intelligence Committee chairman Sen. Frank Church to conclude
that Project SHAMROCK was 'probably the largest government interception
program affecting Americans ever undertaken.'"

If you want details, the best place is James Bamford's books about the
NSA: his 1982 book, "The Puzzle Palace," and his 2001 book, "Body of
Secrets." This quote is from the latter book, page 440:

"Among the reforms to come out of the Church Committee investigation
was the creation of the Foreign Intelligence Surveillance Act (FISA),
which for the first time outlined what NSA was and was not permitted to
do. The new statute outlawed wholesale, warrantless acquisition of raw
telegrams such as had been provided under Shamrock. It also outlawed
the arbitrary compilation of watch list containing the names of
Americans. Under FISA, a secret federal court was set up, the Foreign
Intelligence Surveillance Court. In order for NSA to target an
American citizen or a permanent resident alien--a "green card"
holder--within the United States, a secret warrant must be obtained
from the court. To get the warrant, NSA officials must show that the
person they wish to target is either an agent of a foreign power or
involved in espionage or terrorism."

A lot of people are trying to say that it's a different world today,
and that eavesdropping on a massive scale is not covered under the FISA
statute, because it just wasn't possible or anticipated back
then. That's a lie. Project Shamrock began in the 1950s, and ran for
about twenty years. It too had a massive program to eavesdrop on all
international telegram communications, including communications to and
from American citizens. It too was to counter a terrorist threat
inside the United States. It too was secret, and illegal. It is
exactly, by name, the sort of program that the FISA process was
supposed to get under control.

Twenty years ago, Senator Frank Church warned of the dangers of letting
the NSA get involved in domestic intelligence gathering. He said that
the "potential to violate the privacy of Americans is unmatched by any
other intelligence agency." If the resources of the NSA were ever
used domestically, "no American would have any privacy left.... There
would be no place to hide.... We must see to it that this agency and
all agencies that possess this technology operate within the law and
under proper supervision, so that we never cross over that abyss. That
is an abyss from which there is no return."

Bush's eavesdropping program was explicitly anticipated in 1978, and
made illegal by FISA. There might not have been fax machines, or
e-mail, or the Internet, but the NSA did the exact same thing with
telegrams.

We can decide as a society that we need to revisit FISA. We can debate
the relative merits of police-state surveillance tactics and
counterterrorism. We can discuss the prohibitions against spying on
American citizens without a warrant, crossing over that abyss that
Church warned us about twenty years ago. But the president can't
simply decide that the law doesn't apply to him.

This issue is not about terrorism. It's not about intelligence
gathering. It's about the executive branch of the United States
ignoring a law, passed by the legislative branch and signed by
President Jimmy Carter: a law that directs the judicial branch to
monitor eavesdropping on Americans in national security investigations.

It's not the spying, it's the illegality.

Wikipedia entry:
<http://en.wikipedia.org/wiki/Project_SHAMROCK>


** *** ***** ******* *********** *************

      Comments from Readers



There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and
join in.

<http://www.schneier.com/blog>


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to
[log in to unmask] Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.

Counterpane is the world's leading protector of networked information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.

--
This message has been scanned for viruses and dangerous
content by the NorMAN MailScanner Service and is believed
to be clean.

The NorMAN MailScanner Service is operated by Information
Systems and Services, University of Newcastle upon Tyne.


====
This e-mail is intended solely for the addressee. It may contain private and
confidential information. If you are not the intended addressee, please take
no action based on it nor show a copy to anyone. Please reply to this e-mail
to highlight the error. You should also be aware that all electronic mail
from, to, or within Northumbria University may be the subject of a request
under the Freedom of Information Act 2000 and related legislation, and
therefore may be required to be disclosed to third parties.
This e-mail and attachments have been scanned for viruses prior to leaving
Northumbria University. Northumbria University will not be liable for any
losses as a result of any viruses being passed on.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************