From: Bruce Schneier
To: [log in to unmask]
Sent: 15/10/03 04:58
Subject: CRYPTO-GRAM, October 15, 2003

                  CRYPTO-GRAM

                October 15, 2003

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            [log in to unmask]
            <http://www.schneier.com>
           <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

Back issues are available at
<http://www.schneier.com/crypto-gram.html>. To subscribe, visit
<http://www.schneier.com/crypto-gram.html> or send a blank message to
[log in to unmask]


** *** ***** ******* *********** *************

In this issue:
      The Future of Surveillance
      Crypto-Gram Reprints
      SmartShield
      The Patriot Act and Mission Creep
      News
      Counterpane News
      More Beyond Fear Reviews
      Security Notes from All Over: Reaction to a Bomb Threat
      Pirating Movies
      Security Notes from All Over: Precision Stripping
      Issuing Identity Cards
      Security Risks of Monoculture
      Comments from Readers


** *** ***** ******* *********** *************

            The Future of Surveillance



At a gas station in Coquitlam, British Columbia, two employees
installed a camera in the ceiling in front of an ATM machine. They
recorded thousands of people as they typed in their PIN
numbers. Combined with a false front on the ATM that recorded account
numbers from the cards, the pair was able to steal millions before they
were caught.

In at least 14 Kinko's copy shops in New York City, Juju Jiang
installed keystroke loggers on the rentable computers. For over a year
he eavesdropped on people, capturing more than 450 user names and
passwords, and using them to access and open bank accounts online.

A lot has been written about the dangers of increased government
surveillance, but we also need to be aware of the potential for more
pedestrian forms of surveillance. A combination of forces -- the
miniaturization of surveillance technologies, the falling price of
digital storage, the increased power of computer programs to sort
through all of this data -- means that surveillance abilities that used
to be limited to governments are now, or soon will be, in the hands of
everyone.

Some uses of surveillance are benign. Fine restaurants sometimes have
cameras in their dining rooms so the chef can watch diners as they eat
their creations. Telephone help desks sometimes record customer
conversations in order to help train their employees.

Other uses are less benign. Some employers monitor the computer use of
their employees, including use of company machines on personal time. A
company is selling an e-mail greeting card that serriptiously installs
spyware on the recipient's computer. Some libraries keep records of
what books people check out, and Amazon keeps records of what books
people browse on their website.

And, as we've seen, some uses are criminal.

This trend will continue in the years ahead, because technology will
continue to improve. Cameras will become even smaller and more
inconspicuous. Imaging technology will be able to pick up even smaller
details, and will be increasingly able to "see" through walls and other
barriers. And computers will be able to process this information
better. Today, cameras are just mindlessly watching and recording, but
eventually sensors will be able to identify people. Photo IDs are just
temporary; eventually no one will have to ask you for an ID because
they'll already know who you are. Walk into a store, and you'll be
identified. Sit down at a computer, and you'll be identified. I don't
know if the technology will be face recognition, DNA sniffing, or
something else entirely. I don't know if this future is ten or twenty
years out -- but eventually it will work often enough and be cheap
enough for mass-market use. (Remember, in marketing, even a technology
with a high error rate can be good enough.)

The upshot of this is that you should consider the possibility, albeit
remote, that you are being observed whenever you're out in
public. Assume that all public Internet terminals are being
eavesdropped on; either don't use them or don't care. Assume that
cameras are watching and recording you as you walk down the
street. (In some cities, they probably are.) Assume that surveillance
technologies that were science fiction ten years ago are now
mass-market.

This loss of privacy is an important change to society. It means that
we will leave an even wider audit trail through our lives than we do
now. And it's not only a matter of making sure this audit trail is
accessed only by "legitimate" parties: an employer, the government,
etc. Once data is collected, it can be compiled, cross-indexed, and
sold; it can be used for all sorts of purposes. (In the U.S., data
about you is not owned by you. It is owned by the person or company
that collected it.) It can be accessed both legitimately and
illegitimately. And it can persist for your entire life. David Brin
got a lot of things wrong in his book The Transparent Society. But
this part he got right.


Kinko's story:
<http://www.computercops.us/article2568.html>
<http://www.securityfocus.com/news/6447>

ATM fraud story:
<http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/

BNStory/Technology>
<http://canada.com/search/story.aspx?id=f07cac50-62c7-46d8-892a-b66dfa2f

1d88>

Net spying:
<http://www.nytimes.com/2003/10/10/technology/10SPY.html>
<http://news.com.com/2100-1029_3-5083874.html>


** *** ***** ******* *********** *************

              Crypto-Gram Reprints



Crypto-Gram is currently in its sixth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram-back.html>. These are a selection
of articles that appeared in this calendar month in other years.

National Strategy to Secure Cyberspace:
<http://www.schneier.com./crypto-gram-0210.html#1>

Cyberterrorism:
<http://www.schneier.com/crypto-gram-0110.html#1>

Dangers of Port 80
<http://www.schneier.com/crypto-gram-0110.html#9>

Semantic Attacks:
<http://www.schneier.com/crypto-gram-0010.html#1>

NSA on Security:
<http://www.schneier.com/crypto-gram-0010.html#7>

So, You Want to be a Cryptographer:
<http://www.schneier.com/crypto-gram-9910.html#SoYouWanttobeaCryptograph
er>

Key Length and Security:
<http://www.schneier.com/crypto-gram-9910.html#KeyLengthandSecurity>

Steganography: Truths and Fictions:
<http://www.schneier.com/crypto-gram-9810.html#steganography>

Memo to the Amateur Cipher Designer:
<http://www.schneier.com/crypto-gram-9810.html#cipherdesign>


** *** ***** ******* *********** *************

                   SmartShield



I've gone back and forth about whether to doghouse this. Although
silly, it's not as obviously nonsensical as my typical doghouse item.

It's a shield designed to protect contactless smart cards from
surreptitious access. A contactless smart card works in proximity to a
reader. It looks like a regular smart card, but there is an inductor
(i.e., a coil) running around the outer edge of the card. If you put
the card in a strong, varying field, it'll power itself from the coil
(and be able to communicate wirelessly). Conventional smart cards are
more common, but wireless smart cards are being used for applications
where it's awkward to have the customer remove the card from his wallet
and insert it in a slot (e.g., transit applications).

Your typical contactless smart card has a range of about ten
inches. Someone could, at least in theory, walk up behind someone
carrying one of these cards and access a card in his wallet. With
specialized equipment, like a directional antenna pumping out a lot
more power, an attacker could probably get the range quite a bit
higher. If the attacker knew the protocol, he might be able to steal
money or, even easier, cause the card to fail. A metal shield around
the card would prevent such attacks.

All security is a trade-off, and I don't think it's worth the
additional security to carry the shield around. Also, having to take
the card out of the shield every time you want to use it negates much
of the convenience of a contactless card. Honestly, the risk that
someone will steal the card, shield and all, is much greater.

<http://members.core.com/~jeffp/index.html>


** *** ***** ******* *********** *************

        The Patriot Act and Mission Creep



One of the problems with laws is that the crimes that justify their
passage are not always the crimes they are used against. In the United
States, the RICO (Racketeering Influenced Corrupt Organizations) law
was passed to help fight organized crime, but was used against
anti-abortion protesters and relatively minor drug offenders. And the
Patriot Act, passed to help fight terrorism, is being used against a
variety of other crimes.

According to a TRAC report, definitions of "terrorism" have broadened
considerably. The AP reports that the Justice Department admits that
the Patriot Act has been used "to crack down on currency smugglers and
seize money hidden overseas by alleged bookies, con artists, and drug
dealers." So someone with a pipe bomb in California is suddenly
charged with "terrorism using a weapon of mass destruction," and a
North Carolina man who had a methamphetamine lab is suddenly charged
with breaking a new state law barring the manufacture of chemical
weapons. The Justice Department has even been conducting seminars on
how to use the new wiretapping provisions in the Patriot Act in
non-terrorism cases.

It's a big deal. The guy with the meth lab could get 12 years to life
in prison for a crime that, under the old laws, was only worth about
six months. The Patriot Act was hurriedly passed less than two months
after 9/11 with almost no debate. That was a mistake, but it echoed
the national mood about terrorism. Having the law applied broadly
against common criminals is something that we shouldn't do
lightly. Security is a trade-off, and the trade-offs in the Patriot
Act were extreme. Maybe treating drug dealers like terrorists is
something Americans want. But we should debate it in public, and not
let the Justice Department sneak it by us.


Report: "Criminal Enforcement Against Terrorists and Spies in the Year
After the 9/11 Attacks":
<http://trac.syr.edu/tracreports/terrorism/fy2002.html>


** *** ***** ******* *********** *************

                       News



Small events can have large consequences. To me, the moral of this
very funny webpage is that you shouldn't base public policy on what's
possible; you should base it on what's likely. Much of the security
changes post 9/11 indicate that few really understand this moral.
<http://www.obvious.fsnet.co.uk/butterfly/butterfly.htm>

Canadian privacy commissioner rejects national ID cards:
<http://www.cbc.ca/stories/2003/09/19/idcard030919>

Lawyers are starting to look at security and liability. This article
is from a law journal: "Snake-Oil Security Claims: The Systematic
Misrepresentation of Product Security in the E-Commerce Arena."
<http://www.mttlr.org/volnine/michener.pdf>

CAPPS-II will color-code airline passengers. According to a Washington
Post article: "Most people will be coded green and sail through. But
up to 8% of passengers who board the nation's 26,000 daily flights will
be coded 'yellow' and will undergo additional screening at the
checkpoint, according to people familiar with the program. An
estimated 1% to 2% will be labeled 'red' and will be prohibited from
boarding. These passengers also will face police questioning and may
be arrested." Searching 10% of airline passengers daily will be a
logistical nightmare. The TSA doesn't have the manpower.
<http://www.washingtonpost.com/wp-dyn/articles/A45434-2003Sep8.html>

The CEO of Symantec is advocating "legislation to criminalize the
sharing of information and tools online that can be used by malicious
hackers and virus writers." Doesn't he realize that most of his
company's engineers would end up in jail?
<http://www.wired.com/news/infostructure/0,1377,60391,00.html>

U.S. State Department was disrupted by a virus:
<http://computerworld.com/newsletter/0,4902,85290,00.html?nlid=SEC2>

"A 40-year-old man was arrested Wednesday and charged with stealing a
computerized tracking device that uses a global positioning system to
keep track of jail prisoners on home detention." Police just turned
the unit on to find him.
<http://www.sfgate.com/cgi-bin/article.cgi?file=/gate/archive/2003/09/04

/MNdumbthief.DTL> or <http://tinyurl.com/qrfb>

Someone steals the identity of another, but the person whose identity
he stole was a child molester.
<http://www.sexcriminals.com/news/15382/>

The U.S. Department of Homeland Security has announced the creation of
a US-CERT (Computer Emergency Response Team).
<http://www.fcw.com/fcw/articles/2003/0915/web-dhs-09-15-03.asp>
<http://www.computerworld.com/printthis/2003/0,4814,84985,00.html>
<http://www.gcn.com/vol1_no1/daily-updates/23534-1.html>

Microsoft is the defendant of a proposed class-action suit on security
<http://news.com.com/2100-1009-5085730.html?tag=nl>
<http://computerworld.com/newsletter/0,4902,85631,00.html?nlid=SEC2>
http://www.nytimes.com/2003/10/06/technology/06SOFT.html
http://news.zdnet.co.uk/software/applications/0,39020384,39116969,00.htm
The lawsuit complaint:
<http://www.computerbytesman.com/security/hamilton_v_microsoft_complaint

.htm>

How not to point out a security flaw. "A computer security specialist
who claimed he hacked into top-secret military computers to show how
vulnerable they were to snooping by terrorists was arrested and charged
Monday with six felony counts that could bring a 30-year prison
sentence."
<http://www.latimes.com/technology/la-me-hack30sep30,1,2684627.story>

Despite admitting that Diebold voting machines have a high risk of
compromise, the state of Maryland is going to buy them:
<http://www.wired.com/news/business/0,1367,60583,00.html>

Security on the Massachusetts Turnpike toll booths:
<http://www.zug.com/pranks/turnpike/>

Report on the DSN 2003 Workshop on Principles of Dependable Systems
<http://lpdwww.epfl.ch/fgaertner/podsy2003/report.html>

A 19-year-old used a fake website to lure victims into downloading his
Trojaned software, and then captured their stock account information
and traded stocks in their name.
<http://www.washingtonpost.com/wp-dyn/articles/A6081-2003Oct9.html>
The scary thing is how effective this attack could be. This guy was
pretty stupid, but imagine for a minute what the results would be if a
smart attacker planned his attack better. He could make millions and
be out of the country before anyone knew.

Really good FAQ on Internet worms:
<http://www.networm.org/faq/>

Balancing security and liberties:
<http://www.eweek.com/article2/0,4149,1306445,00.asp>

There's a new SANS Top 20 list. This is a list of the top 20
vulnerabilities in Windows and UNIX. If we just secured these 20
things, we'd all be a lot safer.
<http://computerworld.com/newsletter/0,4902,85848,00.html>

China is getting a copy of the Windows source code. I've already
written about the security risks of open-source versus proprietary
software. One of the problems with open source is that the bad guys
get to look at the code. One of the good things about open source is
that the good guys get to look at the code, too. If I were the Chinese
government, I'd turn that code upside down looking for vulnerabilities,
and then not tell anyone about them. This seems like a huge security
risk to me, even though Microsoft might consider it a smart business
move.
<http://news.com.com/2102-1016_3-5083458.html>

A Polish hacking group claims to have taken control of 450,000 Windows
computers, and is selling services to spammers based on that control.
<http://www.wired.com/news/business/0,1367,60747,00.html>


** *** ***** ******* *********** *************

                Counterpane News



Two interviews with Schneier:
<http://www.csoonline.com/read/090103/evolution.html>
<http://www.cips.ca/news/national/news.asp?aID=1711>

Schneier has written an op-ed piece on fixing national intelligence:
<http://www.upi.com/view.cfm?StoryID=20030930-121435-8571r>

Counterpane is hiring:
<http://www.counterpane.com/jobsfull.html>


** *** ***** ******* *********** *************

            More Beyond Fear Reviews



The book is continuing to get great reviews. I've sent about 100 books
to Capital Hill, into the offices of representitives who are involved
in these issues. And it's continued to get excellent reviews in
magazines, newspapers, and weblogs.

"What Schneier could have chosen to do in this book -- or for that
matter any book he writes -- was to create a treatise for experts. He
has the expertise to do it, is eminently qualified to do so and would
be taken seriously if he did. Instead, he has chosen to cater to the
masses and written what is, in my opinion, the best primer on security,
one that can be understood by the man in the street."
        --Sydney Morning Herald
<http://www.smh.com.au/articles/2003/09/17/1063625084009.html>

"Once again Schneier proves he is the one of few people who indeed
understand security, and what is more important and more difficult,
that he can explain complex security concepts to people not
specialising in security. Whatever your trade and whatever your
background, go ahead and read it because security affects your life."
        --TECS (The Encyclopedia of Computer Security)
<http://www.itsecurity.com/itsecpep/bookschneier1.htm>

All reviews are archived on the book's website:
<http://www.schneier.com/bf.html>


** *** ***** ******* *********** *************

   Security Notes from All Over: Reaction to a Bomb Threat


I found this in Tim Bray's weblog: "In the speakers' room at Seybold,
there were plenty of Cat5 drops but a shortage of DHCP leases. When
they announced the bomb threat, Lauren saw people unplugging and
leaving, brightened up and said 'Oh good, I can grab my e-mail' and
plugged in. Is that great or what, and I ask: why would a geek ever
marry a non-geek?"

This is a great story: someone taking advantage of the Internet
services made temporarily available because of a bomb threat. And
honestly, this would probably have been my reaction as well. Bombings
are much less common than bomb threats, and staying in a threatened
building is only slightly less dangerous than leaving. But getting
your e-mail -- now that's important.

Security is always a trade-off.

<http://www.tbray.org/ongoing/When/200x/2003/09/11/SSF2003>


** *** ***** ******* *********** *************

                Pirating Movies



Understandably, the movie industry is really incensed by the movie
copies that are traded back and forth on the Internet. The industry
has responded by trying to make DVDs harder to copy, citing consumers
as the culprit. But a new research paper out of AT&T Labs indicates
otherwise. The researchers collected 285 popular movies on file
sharing networks, and found that 77% of them were leaked by industry
insiders. These files include various warnings and messages. For
example, "Property of Miramax Films, for screening purposes only," or a
time code indicating a production copy. Indeed, most of the samples
appeared on file sharing networks prior to their official consumer DVD
release date.

One of the first rules of security is that you need to know who your
attacker is before you consider countermeasures. In this case, the
movie industry has the threat wrong. The attackers aren't DVD owners
making illegal copies and putting them on file sharing networks. The
attackers are industry insiders making illegal copies long before the
DVD is ever on the market.

The paper:
<http://lorrie.cranor.org/pubs/drm03.html>


** *** ***** ******* *********** *************

   Security Notes from All Over: Precision Stripping



One of the security countermeasures used to help prevent car thefts is
Vehicle Identification Numbers (VINs) stamped on the chassis. This
unique number makes it possible to track individual cars, and to
determine if a used car has been stolen. Criminals have devised two
primary responses to this. One, they steal cars and then ship them to
countries that don't care very much about VINs. Two, they steal cars,
take them apart, and sell the parts. This is very common; "chop shops"
can strip a car and turn it into parts in a few hours.

There's a third response: precision stripping. Here's how it works. A
criminal steals a car. A chop shop strips it down to the chassis, and
saves all the parts. Then the criminal takes the empty chassis and
dumps it on the street.

The police tow the chassis away and, eventually, someone (either the
police or the township or the insurance company) sells it at
auction. The original criminals buy it back and reattach the
parts. Now the criminals have a legitimately purchased car that they
can sell on the used market; the VIN has effectively been "laundered."

<http://moneymanager.smh.com.au/articles/2003/05/22/1053196683126.html>
<http://www.aic.gov.au/conferences/cartheft/davidson.pdf>
<http://elmo.shore.ctc.edu/webbtide/v38.13/print_feat01.htm>


** *** ***** ******* *********** *************

             Issuing Identity Cards



There are a lot of things wrong with the proliferation of identity
checks at airports, hotels, government buildings, and the like. One,
they don't actually solve any real security problem; seeing the
identity card of someone doesn't make him any less likely to commit a
terrorist act, for example. Two, it's easy to obtain a fake ID and
it's really hard for a security guard to distinguish a good fake ID
from a real ID. And three, they're expensive to implement and
inconvenient for everyone. Given the minimal additional security these
checks provide and the large cost associated with them, most of the
time they're not a good security trade-off.

There's one other problem with identity documents: the ease of getting
legitimate documents in fraudulent names. Several of the 9/11
terrorists obtained fraudulent IDs from the Virginia Department of
Motor Vehicles by paying a corrupt employee $1000 each. These weren't
fake IDs. These were real IDs in fake names, with all the holograms
and micro printing and whatever else the driver's licenses have to make
them hard to forge.

Turns out this kind of thing is surprisingly easy to do.

In the 1972 book "The Day of the Jackal," an assassin obtains a real
British passport in someone else's name by wandering around graveyards
looking for a headstone belonging to a dead boy born at about the same
time he was. He then gets a copy of the boy's birth certificate and,
pretending to be that boy, gets a British passport in the boy's
name. A real British passport. According to the BBC, this loophole
*may* be fixed this year.

Any security countermeasure works within a larger system. In
evaluating the effectiveness of the countermeasure, you need to
understand the system. It's not just how hard the document is to
forge. You need to look at the security of the issuance process and
the security of the revocation process. People will lose their
documents; what's the security of the backup system, and what's the
security of the reissuance system? How trusted are the people who
handle the blank documents, or the databases those documents are tied
into? Again and again, the weak link in a security system turns out to
be the people.


Using birth certificates of the dead to get UK passports in fraudulent
names:
<http://news.bbc.co.uk/1/hi/magazine/3098104.stm>

Obtaining driver's licenses in fraudulent names in the U.S.:
<http://www.msnbc.com/news/962326.asp?cp1=1>


** *** ***** ******* *********** *************

          Security Risks of Monoculture



The ubiquity of the Microsoft operating system is a security
risk. There's an inherent security risk in any monoculture, and we're
seeing the effects of it: vulnerabilities, exploits, worms and viruses
have catastrophic effects, because they affect so many systems. How
good or bad Microsoft is at security is, in some ways, beside the
point. Because all of our OS eggs are in one basket, there's a
significant security risk.

In some ways this has nothing to with Microsoft in particular. Our
concerns would be no different if everyone ran Macintosh OS X, or
Linux. Security researchers sounded the same alarm in 1988, when the
Morris Worm infected about 5% of the UNIX systems on the
Internet. Today the monoculture is much more pervasive.

In other ways this is very much about Microsoft. My worry here is that
Microsoft is using security as a justification to give itself even
further competitive advantages in the marketplace. After their
antitrust trial, they refused to divulge file format information and
cited security concerns. They're developing a document security
feature for Office programs that will make it harder for competitors to
build compatible products. And NGSCB (Palladium) promises to be a
significant barrier to competition. In economics this is called "lock
in": actions by a company to ensure that its customers can't
switch. It's bad for society, and it's also bad for security.

It's important to put this in context. Monoculture is just one
security risk networks face. There are other risks, and diversifying
operating systems isn't going to magically fix those other ones. But
when our nation's critical infrastructure increasingly relies on a
single system that can be attacked everywhere at the same time, we
should worry.

The report:
<http://www.ccianet.org/papers/cyberinsecurity.pdf>

A rebuttal:
<http://www.ranum.com/security/computer_security/index.html>

For the record, no one funded the report. The CCIA distributed the
report, but they had no hand in the writing, nor did they pay anybody
anything.

One unfortunate outcome of this report is that the principal
instigator, Dan Geer, was fired from his job as CTO of @Stake. @Stake
gets a considerable amount of consulting work from Microsoft, and tried
to distance itself from both Geer and the report.

Security researchers write and speak all the time, and are almost
always speaking for themselves and not their company. Crypto-Gram is
my newsletter, not Counterpane's. And Counterpane management regularly
cringes when I talk about companies they might want to partner with, or
companies our investors are investing in. But I don't think anyone
confuses my position with Counterpane's position.

Dan Geer was in a similar situation. He is a researcher with an
impeccable reputation for honesty and integrity. When @Stake first
formed, Dan was immediately hired for those exact qualities. @Stake
was formed from the L0pht, one of the best hacker groups in the world
with a reputation for irritating Microsoft. Now there's only one L0pht
member left at @Stake, and Dan Geer was fired for displaying the same
qualities that got him hired.

<http://www2.cio.com/research/security/edit/a09302003.html>
<http://www.securityfocus.com/news/7069>
<http://www.computerworld.com/securitytopics/security/story/0,10801,8544

6,00.html> or <http://tinyurl.com/qrfi>

Dan Geer's comments:
<http://www.eweek.com/article2/0,4149,1304620,00.asp>
<http://www.computerworld.com/securitytopics/security/story/0,10801,8556

3,00.html?nas=SEC2-85563> or <http://tinyurl.com/qrfs>


** *** ***** ******* *********** *************


               Comments from Readers



From: Scott Tousley <[log in to unmask]>
Subject: Accidents and Security Incidents

I think you failed to mention something very important. You talk about
the interconnectedness of our systems as a base reason why these events
turn into large-scale disasters. But there is an additional and
equally important reason for our problem.

An effective attacker anticipates responses and plans the attack to
leverage response into a stronger outcome. Like the Arkansas case
where the killers pulled the fire alarm and then shot as kids responded.

So in addition to understanding interconnectedness, we must have
knowledgeable operators that understand "normal" accidents, have some
communication with intelligence personnel and systems, and can quickly
recognize when events smell like more than just a normal accident or
random incident. The better our intelligent operator feedback systems,
the faster we can respond and mitigate the efforts of the intelligent
adversary. I believe this is Counterpane's value proposition.

Our challenge is to nurture and build intelligent system response to
catch back up to and pass the massive growth in interconnectedness that
we have seen in the past decade. We must accelerate our society's
movement from lemming to bird-flock behavior.



From: Brad Knowles <[log in to unmask]>
Subject: Denial-of-Service Attack

"An interesting, inadvertent, distributed denial-of-service. An
accident, not an attacker.
<http://www.cs.wisc.edu/~plonka/netgear-sntp/>"

This statement does not place the problem in the proper
perspective. Let me quote from the abstract: "In May 2003, the
University of Wisconsin - Madison found that it was the recipient of a
continuous large scale flood of inbound Internet traffic destined for
one of the campus' public Network Time Protocol (NTP) servers. The
flood traffic rate was hundreds-of-thousands of packets-per-second, and
hundreds of megabits-per-second."

The only recourse available to the University was to go to their ISP
and get them to null-route all this traffic to their servers, meanwhile
paying a huge increase in bandwidth costs -- an increase that seriously
hurt their budget, and would have quickly bankrupted them if they
hadn't been able to get their ISP to null-route the traffic.

In the NTP world, this is an attack nearly on the scale of the
airplanes crashing into the World Trade Center twin towers on
9/11. Damn few places in the world would be able to sustain that kind
of DDoS attack. People have been put in jail for long periods of time
for much, much less.

While NetGear has "fixed" this problem in their latest router images,
very few customers have bothered to update their firmware, and the
attack continues to this day. NetGear needs to be given the necessary
incentive (i.e., risk being put out of business, and the management put
behind bars) to actively induce all customers to update their routers
ASAP, so that this attack can finally be put behind us.

Other software has caused similar problems for other sites. For
example, NetTime was the reason why ultimeth.net was taken off the air,
and yet the owners of what is now ultimeth.com continue to see very
high DNS traffic for the time servers which no longer exist at the
original IP addresses, and where even the names were removed from the
DNS long ago. Many of the source IP addresses are generating queries
on the order of one per second, which gets unbelievably high when you
start talking about thousands or tens of thousands of clients worldwide.

The issue is all those damn PCs running Microsoft OSs, with seriously
broken DNS resolvers, which don't do any caching and which can re-query
for nonexistent data as quickly as your program can ask for the
information. Since NetTime can be set to recheck the time sync every
second, this causes very severe problems.



From: Derek Schatz <[log in to unmask]>
Subject: Acxiom Hack

 > Shouldn't Acxiom have been required to send its
 > California customers an embarrassing confession?

Well, no. The Acxiom hack occurred last December, while the California
Security Breach Information Act didn't go into effect until July 1,
2003 (I think "ex post facto" is the appropriate term here). Also,
there were indications that some of the data was encrypted, which would
absolve Acxiom from the SBIA. Last, unless I missed something, I
didn't see any indication that there was actually personally
identifiable info that was compromised. Maybe there was, but
"marketing databases" can be analyzed without customer names.



From: Ernst Jan Plugge <[log in to unmask]>

Some time ago, I went on a short business trip from the Netherlands to
the UK. This was my first flight since the Sep. 11 attacks. I'd
brought a single carry-on bag containing, among other things, a shaving
kit with one of those safety blades. Not anyone's choice for a weapon,
but it might do some damage if necessary, I suppose. I saw a
handwritten notice that razor blades of any kind were not allowed in
carry-on luggage.

I didn't feel like checking my bag, considering the high failure rate
of checked baggage handling, and I wanted the contents for some reading
material on board. I also didn't want to toss the blade because I
didn't know how hard it would be to buy a new one before the next
morning. It turns out that's extremely easy, which should have been
pretty obvious, but I didn't realize that. So I decided to just leave
the blade in my bag, and play dumb if anyone caught me. Zero points
for smarts, but that's what happened.

I wasn't caught, although my bag went through an X-ray scanner several
times. But all the way to the hotel, I was extremely anxious. Not
about terrorists -- they barely crossed my mind the whole time. I was
anxious about what a derailed security apparatus at a small airport
could do to me over nothing more than an innocent safety razor. I'd
heard about the awful way innocent people have been treated over issues
that wouldn't have raised an eyebrow a little over two years ago, even
outside the US.

I was actually more afraid of the people who are supposed to protect me
than of a terrorist attack. Looking back, that worries me a lot.

On the way back I tossed the blade, of course, but I still had a very
uncomfortable time at both airports. I actually felt safer and more
comfortable on board than on the ground, which is a weird sensation,
because it used to be the other way around.



From: andre szykier <[log in to unmask]>
Subject: Benevolent Worms

Your response to benevolent worms was interesting but only partially
correct. Where you faltered is in the idea that the "average" person
needs to opt-in or agree to some action to happen on his/her
computer. Specifically you stated:

"A good software distribution mechanism has the following
characteristics:
    1) People can choose the options they want.
    2) Installation is adapted to the host it's running on.
    3) It's easy to stop an installation in progress, or uninstall the
software.
    4) It's easy to know what has been installed where."

Items 1 through 4 assume an active and participatory role by the
user. Face it, Bruce, you are talking to the 80% plus of users who are
grateful if their AOL e-mail and messenger software is working, without
even addressing things such as virus updates and MSFT security settings
on their browser.

Perhaps benevolent but signed worms are the model of the future for
security. I believe that this will be the method for "fixing" bad
software that requires continual patching. Why should a user belonging
to the 80% of the users who have no idea what they should do to be
secure be involved in a decision-making process where their input is
almost random in outcome.

I suggest that you be less elitist and more pragmatic. After all, when
your car is up for service, do you need to know what service is
required, even if you have no idea how the car runs? Yes, you can be
the decision maker, but so maybe can your pet. Both of you have just
about the same technical know-how to make the right decision about
timing chain replacement, computer ignition settings and so on.



From: "Peter Schaeffer" <[log in to unmask]>
Subject: Hats in Banks

Your article about hat bans as a security measure shows a significant
ignorance of bank operations. Your thesis that the teller will press
her (male tellers are common) button, before the guard approaches a
potential criminal, assumes that banks have guards. They don't. Big
downtown banks typically do have security guards. However, the vast
numbers of branch banks dotting suburbia and urban areas don't. For
example, in 2001 94% of all bank robberies were in branch banks
<http://www.bankrate.com/brm/news/chk/20020607a.asp?prodtype=bank>.
Even banks with security guards don't rush to arrest everyone they
think has committed bank robbery.

Of course, someone entering a bank in Atlanta, in July, with a ski mask
is likely to set off alarms, both literally and figuratively. As a
consequence, bank employees are likely to respond immediately. If the
bank robber doesn't make his way to the counter and get his money very
quickly, he is likely to be caught by police arriving at the scene. If
the bank has guards, they may well respond by drawing weapons or at
least preparing to do so.

In practice, this means that only the most dangerous robbers attempt
crimes using ski masks and guns. Given how quickly the authorities
respond to such severe incidents and the likely substantial criminal
penalties, deterrence works and such crimes are relatively
rare. Stated differently, the "ban" (de facto) on ski masks in banks
does work, not perfectly of course, but to a quite substantial
extent. If anything, the ski mask analogy supports a hypothetical ban
on hats, not the other way around.

As for false alarms (harmless folks wearing hats), of course this is an
issue. However, any bank that is serious about a no-hat policy will
post signs to that effect. Since most folks use the same bank
repeatedly, they will quickly learn what rules are in
effect. Certainly anyone who is asked to remove his/her hat will
probably remember the rules the next time they visit the bank. In
practice, the issue is substantially moot. Very few Americans wear
hats these days (true since the 1950s).

Your note mentions that a ban on hats is probably intentioned to enable
security cameras to get a better look at bank robbers. This is
correct. In practice, security cameras are a (the?) primary mechanism
for catching bank robbers. Given that bank robbers presumably don't
want to be prosecuted, getting better pictures of them is a very
positive benefit to society. Clearly, the bank in Alabama must have
thought so.

Consider some of the practical details. Say a robber enters a bank
wearing a hat and is asked to remove it. If he refuses, alarms go off
to some greater or lesser extent. Unless the robber immediately draws
a weapon and orders everyone onto the floor, the robbery will end right
there. Fortunately, very few bank robbers have any interest in
confrontations of any kind. A more likely outcome is that the robber
will just leave. Another possibility is that the robber will remove
his or her hat and then proceed with the robbery. In that case, the
cameras will get a much better look at the perpetrator. Note that bank
robbers routinely wait in line before demanding money.

As for bank robbers dressing up as "a nun, an Orthodox Jew, a Sikh in a
turban or a burqa-clad Muslim woman." Of course, they could. In real
life, they don't. A New York detective was once asked whether
pickpockets in Manhattan dressed in suits and ties to facilitate their
crimes and subsequent escape. He responded by saying that in twenty
years he had never arrested even one pickpocket in a tie.

As for hats in cold climates, I have lived, worked, and played in some
of the coldest parts of the U.S., including Montana, Alaska, Colorado,
and (worst of all) Chicago. Hats (much less ski masks) are not all
that common even in areas with extreme climates. And yes, when people
go indoors they take them off.

The broader point is that imperfect security measures add value in real
life situations. Of course they can be circumvented. However, history
has shown that barriers (figurative and literal) work, even if they
don't work perfectly.



From: MacMinn <[log in to unmask]>
Subject: Hats in Banks

In the real world, prohibiting hats in banks is likely to be more
effective than you give it credit for. Judging by admittedly anecdotal
evidence, a significant number of bank robbers aren't operating on all
cylinders. They're robbing a bank, after all! Data to back this up
can be found at any number of "stupid criminal" websites, including:

<http://www.kooi.com/bozo/>
<http://www.globe-rider.com/bull1e.html>
<http://www.frontiernet.net/~viper1/stupid.html>

... the list goes on.

I'm guessing that many garden variety prospective bank robbers (if
there is such a thing) faced with the situation in the Alabama bank
would simply remove their hats to try to "fit in," without stopping to
consider the effect on their image in the security camera. In short,
this may be an effective detective (catch 'em) measure, although not
necessarily a good (preventive) security measure.

All this leaves aside whether it's good public relations or business
practice.



From: Don Hurter <[log in to unmask]>
Subject: Hats in Banks

Regarding your commentary on hats and bank robbers, I've seen an
earlier article (no URL available) which did a better job explaining
the real reason. Overhead security cameras cannot easily capture the
robber's face if he is wearing a hat with a long visor. Even the
article you cited mentions this, but does not give it proper emphasis:

"It is going to potentially inhibit bank robberies, and more
importantly, it will produce better imagery from the surveillance
cameras."

Another rule some banks now enforce is no sunglasses, for the same
reason. Other than for recent pupil-dilation patients it would be a
more difficult rule to dispute. I personally wish we lived in a
society where such rules are unnecessary, but it's a sign of the
times...


** *** ***** ******* *********** *************


CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. Back
issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send
a blank message to [log in to unmask] To
unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.

Comments on CRYPTO-GRAM should be sent to
[log in to unmask] Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish, Twofish,
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.

Counterpane Internet Security, Inc. is the world leader in Managed
Security Monitoring. Counterpane's expert security analysts protect
networks for Fortune 1000 companies world-wide. See
<http://www.counterpane.com>.

Copyright (c) 2003 by Bruce Schneier.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************