Author Archive

Schneier on Security: Friday Squid Blogging: 1,057 Squid T-Shirts

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

That’s a lot.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

And commenting was broken for a couple of days. It’s fixed now, I hope.

Schneier on Security: Hacking a Video Poker Machine

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine.

Schneier on Security: NSA Classification ECI = Exceptionally Controlled Information

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

ECI is a classification above Top Secret. It’s for things that are so sensitive they’re basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies.

As part of the Intercept story on the NSA’s using agents to infiltrate foreign companies and networks, it published a list of ECI compartments. It’s just a list of code names and three-letter abbreviations, along with the group inside the NSA that is responsible for them. The descriptions of what they all mean would never be in a computer file, so it’s only of value to those of us who like code names.

This designation is why there have been no documents in the Snowden archive listing specific company names. They’re all referred to by these ECI code names.

Schneier on Security: DEA Sets Up Fake Facebook Page in Woman’s Name

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is a creepy story. A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were “racy”) and use it to set up a fake Facebook page in her name.

The woman sued the government over this. Extra creepy was the government’s defense in court: “Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”

The article was edited to say: “Update: Facebook has removed the page and the Justice Department said it is reviewing the incident.” So maybe this is just an overzealous agent and not official DEA policy.

But as Marcy Wheeler said, this is a good reason to encrypt your cell phone.

Schneier on Security: FOXACID Operations Manual

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

A few days ago, I saw this tweet: “Just a reminder that it is now *a full year* since Schneier cited it, and the FOXACID ops manual remains unpublished.” It’s true.

The citation is this:

According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options. The documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head-­all delivered from a FOXACID subsystem called Ferret Cannon.

Back when I broke the QUANTUM and FOXACID programs, I talked with the Guardian editors about publishing the manual. In the end, we decided not to, because the information in it wasn’t useful to understanding the story. It’s been a year since I’ve seen it, but I remember it being just what I called it: an operation procedures manual. It talked about what to type into which screens, and how to deal with error conditions. It didn’t talk about capabilities, either technical or operational. I found it interesting, but it was hard to argue that it was necessary in order to understand the story.

It will probably never be published. I lost access to the Snowden documents soon after writing that essay — Greenwald broke with the Guardian, and I have never been invited back by the Intercept — and there’s no one looking at the documents with an eye to writing about the NSA’s technical capabilities and how to securely design systems to protect against government surveillance. Even though we now know that the same capabilities are being used by other governments and cyber criminals, there’s much more interest in stories with political ramifications.

Schneier on Security: Surveillance in Schools

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This essay, “Grooming students for a lifetime of surveillance,” talks about the general trends in student surveillance.

Related: essay on the need for student privacy in online learning.

Schneier on Security: How James Bamford Came to Write <i>The Puzzle Palace</i>

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting essay about James Bamford and his efforts to publish The Puzzle Palace over the NSA’s objections. Required reading for those who think the NSA’s excesses are somehow new.

Schneier on Security: NSA Has Undercover Operatives in Foreign Companies

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It’s also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated 2004, although there’s no reason to believe that the NSA has changed its behavior since then.

The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.” The briefing document states that among Sentry Eagle’s most closely guarded components are “facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C)””

It is not clear whether these “commercial entities” are American or foreign or both. Generally the placeholder “(A/B/C)” is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder “(M/N/O).” The NSA refused to provide any clarification to The Intercept.

That program is SENTRY OSPREY, which is a program under SENTRY EAGLE.

The document makes no other reference to NSA agents working under cover. It is not clear whether they might be working as full-time employees at the “commercial entities,” or whether they are visiting commercial facilities under false pretenses.

Least fun job right now: being the NSA person who fielded the telephone call from the The Intercept to clarify that (A/B/C)/(M/N/O) thing. “Hi. We’re going public with SENTRY EAGLE next week. There’s one thing in the document we don’t understand, and we wonder if you could help us….” Actually, that’s wrong. The person who fielded the phone call had no idea what SENTRY EAGLE was. The least fun job belongs to the person up the command chain who did.

Wired article. SlashDot and Hacker News threads.

Schneier on Security: Friday Squid Blogging: Flash-Fried Squid Recipe

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Recipe from Tom Douglas.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: Online Activism and the Computer Fraud and Abuse Act

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.

Also note Sauter’s new book, The Coming Swarm.

Schneier on Security: Dynamic Encryption for Voice

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This article reads like snake oil. But the company was founded by Lars Knudsen, so it can’t possibly be.

I’m curious.

Schneier on Security: USB Cufflinks

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Just the thing for smuggling data out of secure locations.

Schneier on Security: BadUSB Code Has Been Published

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In July, I wrote about an unpatchable USB vulnerability called BadUSB. Code for the vulnerability has been published.

Schneier on Security: <i>Data and Goliath</I> Is Finished

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is finished. I submitted it to my publisher, Norton, this morning. In a few weeks, I’ll get the copyedited manuscript back, and a few weeks after that, it’ll go into production. Stacks of printed books will come out the other end in February, and the book will be published on March 9. There’s already an Amazon page, but it’s still pretty preliminary. And I expect the price to go down.

Books are both a meandering and clarifying process for me, and I figure out what I’m writing about as I write about it. Data and Goliath started out being about security and power in cyberspace, and ended up being about digital surveillance and what to do about it.

This is the table of contents:

Part 1: The World We’re Creating

Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance

Part 2: What’s at Stake

Chapter 7: Political Liberty and Justice
Chapter 8: Commercial Fairness and Equality
Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security

Part 3: What to Do About It

Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-off

Fundamentally, the issues surrounding mass surveillance are tensions group interest vs. self-interest, a topic I covered in depth in Liars and Outliers. We’re promised great benefits if we allow all of our data to be collected in one place; at the same time, it can be incredibly personal. I see this tension playing out in many areas: location data, social graphs, medical data, search histories. Figuring out the proper balances between group and self-interests, and ensuring that those balances are maintained, is the fundamental issue of the information age. It’s how we are going to be judged by our descendents fifty years from now.

Anyway, the book is done and at the publisher. I’m happy with it; the manuscript is so tight you can bounce a quarter off of it. This is a complicated topic, and I think I distilled it down into 80,000 words that are both understandable by the lay reader and interesting to the policy wonk or technical geek. It’s also an important topic, and I hope the book becomes a flash point for discussion and debate.

But that’s not for another five months. You might think that’s a long time, but in publishing that’s incredibly fast. I convinced Norton to go with this schedule by stressing that the book becomes less timely every second it’s not published. (An exaggeration, I know, but they bought it.) Now I just hope that nothing major happens between now and then to render the book obsolete.

For now, I want to get back to writing shorter pieces. Writing a book can be all-consuming, and I generally don’t have time for anything else. Look at my essays. Last year, I wrote 59 essays. This year so far: 17. That’s an effect of writing the book. Now that it’s done, expect more essays on news websites and longer posts on this blog. It’ll be good to be thinking about something else for a change.

If anyone works for a publication, and wants to write a review, conduct an interview, publish an excerpt, or otherwise help me get the word out about the book, please e-mail me and I will pass you on to Norton’s publicity department. I think this book has a real chance of breaking out of my normal security market.

Schneier on Security: iPhone Encryption and the Return of the Crypto Wars

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure.

To hear U.S. law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into peoples’ iPhones. In the words of cyberlaw professor Orin Kerr, “How is the public interest served by a policy that only thwarts lawful search warrants?”

Ah, but that’s the thing: You can’t build a “back door” that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.

Back-door access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.

In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with U.S. government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

This doesn’t stop the FBI and Justice Department from pumping up the fear. Attorney General Eric Holder threatened us with kidnappers and sexual predators.

The former head of the FBI’s criminal investigative division went even further, conjuring up kidnappers who are also sexual predators. And, of course, terrorists.

FBI Director James Comey claimed that Apple’s move allows people to “place themselves beyond the law” and also invoked that now overworked “child kidnapper.” John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: “Apple will become the phone of choice for the pedophile.”

It’s all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there’s no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012­and the investigations proceeded in some other way.

This is why the FBI’s scare stories tend to wither after public scrutiny. A former FBI assistant director wrote about a kidnapped man who would never have been found without the ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn’t true.

We’ve seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four Horsemen of the Infocalypse : pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed.

Strong encryption has been around for years. Both Apple’s FileVault and Microsoft’s BitLocker encrypt the data on computer hard drives. PGP encrypts email. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones already come with encryption built-in. There are literally thousands of encryption products without back doors for sale, and some have been around for decades. Even if the U.S. bans the stuff, foreign companies will corner the market because many of us have legitimate needs for security.

Law enforcement has been complaining about “going dark” for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they’re about to try again.

We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention. This isn’t just me talking: The FBI also recommends you encrypt your data for security.

As for law enforcement? The recent decades have given them an unprecedented ability to put us under surveillance and access our data. Our cell phones provide them with a detailed history of our movements. Our call records, email history, buddy lists, and Facebook pages tell them who we associate with. The hundreds of companies that track us on the Internet tell them what we’re thinking about. Ubiquitous cameras capture our faces everywhere. And most of us back up our iPhone data on iCloud, which the FBI can still get a warrant for. It truly is the golden age of surveillance.

After considering the issue, Orin Kerr rethought his position, looking at this in terms of a technological-legal trade-off. I think he’s right.

Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple’s lead and make encryption the easy-to-use default. And let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security.

This essay previously appeared on CNN.com

EDITED TO ADD (10/6): Three more essays worth reading. As is this on all the other ways Apple and the government have to get at your iPhone data.

And a Washington Post editorial manages to say this:

How to resolve this? A police “back door” for all smartphones is undesirable–a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.

Because a “secure golden key” is completely different from a “back door.”

Schneier on Security: Friday Squid Blogging: Squid Burger

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

McDonald’s has a Halloween-themed burger with a squid-ink bun. Only in Japan.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: William Binney Explains NSA Surveillance Using Snowden’s Documents

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Former NSA employee — not technical director, as the link says — explains how NSA bulk surveillance works, using some of the Snowden documents. Very interesting.

Schneier on Security: The NSA’s Private Cloud

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The NSA is building a private cloud with its own security features:

As a result, the agency can now track every instance of every individual accessing what is in some cases a single word or name in a file. This includes when it arrived, who can access it, who did access it, downloaded it, copied it, printed it, forwarded it, modified it, or deleted it.

[...]

“All of this I can do in the cloud but–in many cases–it cannot be done in the legacy systems, many of which were created before such advanced data provenance technology existed.” Had this ability all been available at the time, it is unlikely that U.S. soldier Bradley Manning would have succeeded in obtaining classified documents in 2010.

Maybe.

Schneier on Security: Firechat

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Firechat is a secure wireless peer-to-peer chat app:

Firechat is theoretically resistant to the kind of centralized surveillance that the Chinese government (as well as western states, especially the US and the UK) is infamous for. Phones connect directly to one another, establish encrypted connections, and transact without sending messages to servers where they can be sniffed and possibly decoded.

EDITED TO ADD (10/1): Firechat has security issues.

Schneier on Security: Security Theater in China

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Chinese government checked ten thousand pigeons for “dangerous materials.” Because fear.

Schneier on Security: NSA Patents Available for License

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a new article on NSA’s Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn’t find anything interesting in the catalog. Does anyone see something I missed?

My guess is that the good stuff remains classified, and isn’t “transferred” to anyone.

Slashdot thread.

Schneier on Security: Friday Squid Blogging: Squid Fishing Moves North in California

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Warmer waters are moving squid fishing up the California coast.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: Medical Records Theft and Fraud

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a Reuters article on new types of fraud using stolen medical records. I don’t know how much of this is real and how much is hype, but I’m certain that criminals are looking for new ways to monetize stolen data.

Schneier on Security: Security Trade-offs of Cloud Backup

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is a good essay on the security trade-offs with cloud backup:

iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off:

  • Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.

  • Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.

Ideally, the companies that provide such services minimize the risk of your account being hijacked while maximizing the simplicity and ease of setting it up and using it. But clearly these two goals are in conflict. There’s no way around the fact that the proper balance is somewhere in between maximal security and minimal complexity.

Further, I would wager heavily that there are thousands and thousands more people who have been traumatized by irretrievable data loss (who would have been saved if they’d had cloud-based backups) than those who have been victimized by having their cloud-based accounts hijacked (who would have been saved if they had only stored their data locally on their devices).

It is thus, in my opinion, terribly irresponsible to advise people to blindly not trust Apple (or Google, or Dropbox, or Microsoft, etc.) with “any of your data” without emphasizing, clearly and adamantly, that by only storing their data on-device, they greatly increase the risk of losing everything.

It’s true. For most people, the risk of data loss is greater than the risk of data theft.

Schneier on Security: Nasty Vulnerability found in Bash

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s a big and nasty one.

Invariably we’re going to see articles pointing at this and at Heartbleed and claim a trend in vulnerabilities in open-source software. If anyone has any actual data other than two instances and the natural human tendency to generalize, I’d like to see it.