Crypto-Gram

December 15, 2002

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
<http://www.counterpane.com>

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at <http://www.schneier.com/crypto-gram.html>. To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com.

Copyright (c) 2002 by Counterpane Internet Security, Inc.

In this issue:

Counterattack

[Note: this article has been translated into French by G.-Joachim L. Dubuquoy-Portois.]

This must be an idea whose time has come, because I’m seeing it talked about everywhere. The entertainment industry floated a bill that would give it the ability to break into other people’s computers if they are suspected of copyright violation. Several articles have been written on the notion of automated law enforcement, where both governments and private companies use computers to automatically find and target suspected criminals. And finally, Tim Mullen and other security researchers start talking about “strike back,” where the victim of a computer assault automatically attacks back at the perpetrator.

The common theme here is vigilantism: citizens and companies taking the law into their own hands and going after their assailants. Viscerally, it’s an appealing idea. But it’s a horrible one, and one that society after society has eschewed.

Our society does not give us the right of revenge, and wouldn’t work very well if it did. Our laws give us the right to justice, in either the criminal or civil context. Justice is all we can expect if we want to enjoy our constitutional freedoms, personal safety, and an orderly society.

Anyone accused of a crime deserves a fair trial. He deserves the right to defend himself, the right to face his accuser, the right to an attorney, and the right to be held innocent until proven guilty.

Vigilantism flies in the face of these rights. It punishes people before they have been found guilty. Angry mobs lynching someone suspected of murder is wrong, even if that person is actually guilty. The MPAA disabling someone’s computer because he’s suspected of copying a movie is wrong, even if the movie was copied. Revenge is a basic human emotion, but revenge only becomes justice if carried out by the State.

And the State has more motivation to be fair. The RIAA sent a cease-and-desist letter to an ISP asking them to remove certain files that were the copyrighted works of George Harrison. One of the files: “Portrait of mrs. harrison Williams 1943.jpg.” The RIAA simply Googled for the string “harrison” and went after everyone who turned up. Vigilantism is wrong because the vigilante could be wrong. The goal of a State legal system is justice; the goal of the RIAA was expediency.

Systems of strike back are much the same. The idea is that if a computer is attacking you—sending you viruses, acting as a DDoS zombie, etc.—you might be able to forcibly shut that computer down or remotely install a patch. Again, a nice idea in theory but one that’s legally and morally wrong.

Imagine you’re a homeowner, and your neighbor has some kind of device on the outside of his house that makes noise. A lot of noise. All day and all night. Enough noise that any reasonable person would claim it to be a public nuisance. Even so, it is not legal for you to take matters into your own hand and stop the noise.

Destroying property is not a recognized remedy for stopping a nuisance, even if it is causing you real harm. Your remedies are to: 1) call the police and ask them to turn it off, break it, or insist that the neighbor turn it off; or 2) sue the neighbor and ask the court to enjoin him from using that device unless it is repaired properly, and to award you damages for your aggravation. Vigilante justice is simply not an option, no matter how right you believe your cause to be.

This is law, not technology, so there are all sorts of shades of gray to this issue. The interests at stake in the original attack, the nature of the property, liberty or personal safety taken away by the counterattack, the risk of being wrong, and the availability and effectiveness of other measures are all factors that go into the assessment of whether something is morally or legally right. The RIAA bill is at one extreme because copyright is a limited property interest, and there is a great risk of wrongful deprivation of use of the computer, and of the user’s privacy and security. A strikeback that disables a dangerous Internet worm is less extreme. Clearly this is something that the courts will have to sort out.

Way back in 1789, the Declaration of the Rights of Man and of the Citizen said that: “No person shall be accused, arrested, or imprisoned except in the cases and according to the forms prescribed by law. Any one soliciting, transmitting, executing, or causing to be executed any arbitrary order shall be punished.” And also: “As all persons are held innocent until they shall have been declared guilty, if arrest shall be deemed indispensable, all harshness not essential to the securing of the prisoner s person shall be severely repressed by law.”

Neither the interests of sysadmins on the Internet, nor the interests of companies like Disney, should be allowed to trump these rights.

Automated law enforcement:
<http://www.foxnews.com/story/0,2933,64688,00.html>

Mullen’s essay:
<http://www.hammerofgod.com/strikeback.txt>

Berman legislation:
<http://www.schneier.com/crypto-gram-0208.html#5>

Crypto-Gram Reprints

Crypto-Gram is currently in its fifth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram.html>. These are a selection of articles that appeared in this calendar month in other years.

National ID Cards:
<http://www.schneier.com/crypto-gram-0112.html#1>

Judges Punish Bad Security:
<http://www.schneier.com/crypto-gram-0112.html#2>

Computer Security and Liabilities:
<http://www.schneier.com/crypto-gram-0112.html#4>

Fun with Vulnerability Scanners:
<http://www.schneier.com/crypto-gram-0112.html#9>

Voting and Technology:
<http://www.schneier.com/crypto-gram-0012.html#1>

“Security Is Not a Product; It’s a Process”
<http://www.schneier.com/…>

Echelon Technology:
<http://www.schneier.com/…>

European Digital Cellular Algorithms:
<http://www.schneier.com/…>

The Fallacy of Cracking Contests:
<http://www.schneier.com/…>

How to Recognize Plaintext:
<http://www.schneier.com/…>

Comments on the Department of Homeland Security

The promise of the newly formed Department of Homeland Security is to improve our nation’s security from terrorism. Unfortunately, the results are far more likely to be the opposite. Centralizing security responsibilities has the downside of making our security more brittle, by instituting a commonality of approach and a uniformity of thinking. Unless the new department distributes security responsibility even as it centralizes coordination, it won’t improve our nation’s security. Security has two universal truisms relevant to this discussion. One, security decisions need to be made as close to the problem as possible. This has many implications: protecting potential terrorist targets should be done by people who understand the targets; bombing decisions should be made by the generals on the ground in the war zone, not by Washington; and investigations should be approved by the FBI office that’s closest to the investigation. This mode of operation has more opportunities for abuse, so competent oversight is vital. But it is also more robust, and is the best way to make security work.

Two, security analysis needs to happen as far away from the sources as possible. Intelligence involves finding relevant information amongst enormous reams of irrelevant data, and then organizing all those disparate pieces of information into coherent predictions about what will happen next. It requires smart people who can see connections, and who have access to information from many disparate government agencies. It can’t be the sole purview of anyone, not the FBI, CIA, NSA, or the new Department of Homeland Security. The whole picture is larger than any single agency, and each only has access to a small slice of it.

The implication of these two truisms is that security will work better if it is centrally coordinated but implemented in a distributed manner. We’re more secure if every government agency implements its own security, within the context of its department, with different strengths and weaknesses. Our security is stronger if multiple departments overlap each other. To this end, it is a good thing that the institutions best funded and equipped to defend our nation against terrorism aren’t part of this new department: the FBI, the CIA, and the military’s intelligence organizations.

But all these organizations have to communicate with each other, and that’s the primary value of a Department of Homeland Security. One organization needs to be a single point for coordination and analysis of terrorist threats and responses. One organization needs to see the big picture, and make decisions and set policies based on it.

The human body defends itself through overlapping security systems. It has a complex immune system specifically to fight disease, but disease fighting is also distributed throughout every organ and every cell. The body has all sorts of security systems, ranging from your skin to keep harmful things out of your body, to your liver filtering harmful things from your bloodstream, to the defenses in your digestive system. These systems all do their own thing in their own way. They overlap each other, and to a certain extent one can compensate when another fails. It might seem redundant and inefficient, but it’s more robust, reliable, and secure. You’re alive and reading this because of it.

The biological metaphor is very apt. Terrorism is hard to defend against because it subverts our institutions and turns our own freedoms and capabilities against us. It invades our society, festers and grows, and then attacks. It’s hard to fight, in the same way that cancer is hard to fight. If we are to best defend ourselves against terrorism, security needs to be pervasive. It can’t be in just one department; it has to be everywhere. Every federal department needs to do its part to secure our nation. Fighting terrorism requires defense in depth. This means overlapping responsibilities to reduce single points of failures, both for the actual defensive measures and for the intelligence functions.

Our nation would be less secure if the new Department of Homeland Security took over all security responsibility from the other departments. The last thing we want is for the Department of Energy, the Department of Commerce, and the Department of State to say: “Security; that’s the responsibility of the Department of Homeland Security.” Security is the responsibility of everyone in government. We won’t defeat terrorism by finding a single thing that works all the time. We’ll defeat terrorism when every little thing works in its own way, and together provides an immune system for our society. The new Department of Homeland Security needs to coordinate but not subsume.

News

Microsoft is saying that it will patch vulnerabilities in older versions of its operating systems, even though it may mean breaking existing applications in the process. Security vs. functionality is one of the basic tensions of our business. Even though I’ve read some essays blasting Microsoft for this pronouncement, I think it’s great. I think Microsoft should patch everything, no matter how old it is. Then, a user whose application breaks because of the patch can make his own choice: security vs. functionality. I want Microsoft to let users make that choice, rather than deciding for everyone.
<http://www.wired.com/news/technology/…>

David Kahn’s lecture at the 50th anniversary of the NSA:
<http://www.fas.org/irp/eprint/kahn.html>

“The Peon’s Guide to Secure Systems Development.” Good essay on the topic.
<http://m.bacarella.com/papers/secsoft/html/>

Here’s a report that claims that the Macintosh OS is the least vulnerable to attack, because they have the fewest vulnerabilities.
<http://www.mi2g.com/cgi/mi2g/reports/int_briefings/…>
Microsoft has cried foul, claiming that because Windows is the most popular OS it is attacked more, but that doesn’t mean it’s less secure.
<http://www.nwfusion.com/news/2002/1107msfoul.html>
Microsoft does have a point, but it’s a subtle one. And it’s not one necessarily in the company’s favor. Certainly more exploits are written for Windows than for Mac, and hackers tend to target Windows more than the Mac. This doesn’t necessarily mean that Windows is inherently less secure than Mac; there could be zillions of Macintosh vulnerabilities that no one has found yet. But it does mean that there are more published Windows vulnerabilities, and more widely available Windows attack tools. And since most attackers use published vulnerabilities and existing attack tools, Windows computers are broken into more. If I were choosing an operating system solely on the basis of security, I would never choose Windows. Regardless of whether or not it is inherently more secure, why would I want to use the popular target?

Kevin Mitnick’s book, “The Art of Deception,” is a good read. The missing first chapter, deleted at the last minute by the publisher, is on the Internet. The chapter talks about Mitnick’s life as a hacker and a fugitive, and his arrest and trial. It’s very interesting reading.
<http://www.wired.com/news/culture/0,1284,56187,00.html>
<http://littlegreenguy.fateback.com/chapter1/…>

109-bit elliptic curve key cracked. I’ve been trying to get complexity estimates of this crack. The best I can find is that it took “massive amount of computing power including 10,000 computers (mostly PCs) running 24 hours a day for 549 days.” Operational systems use 163-bit elliptic curve keys (or more), so there’s absolutely nothing new to worry about because of this result.
<http://www.certicom.com/about/pr/02/…>

Seems like HP wireless keyboards don’t have any built-in authentication. Here’s a story about one person’s keyboard talking to another person’s computer, through walls 150 meters away.
<http://www.aftenposten.no/english/local/…>

NIST and the NSA have published Common Criteria Protection Profiles for operating systems, firewalls, intrusion detection systems, tokens and public-key infrastructures.
<http://www.gcn.com/vol1_no1/daily-updates/20373-1.html>

California law now requires businesses and government agencies to report cyber-attacks that may have compromised confidential information. There’s a large loophole for information that may adversely affect an ongoing investigation, so I don’t expect much change from this.
<http://www.businessweek.com/technology/content/…>

Computer sabotage stories:
<http://www.techtv.com/cybercrime/viceonline/story/…>

Interesting article about getting the first step of security completely wrong: not understanding what problem a security system is supposed to solve. After 9/11, Ashcroft began enforcing a rule that required non-U.S. citizens to notify the federal government whenever they move. Change of address cards have been pouring into the government office by the hundreds of thousands. There’s no staff to enter the address changes into a computer, and they’re sitting in boxes in storage. And even if someone did enter the data, so what? How exactly is this going to solve any security problem? Is a terrorist going to send a card in when he moves? I don’t think so.
<http://www.ilw.com/lawyers/colum_article/articles/…>

DMCA Abuse. Wal-Mart and other retailers are using the DMCA to stop consumer Web sites from publishing information about their sale prices. This flagrant abuse of the DMCA is yet more evidence of how bad a law it is.
<http://www.nytimes.com/2002/11/21/technology/…>
<http://www.theregister.co.uk/content/6/28223.html>
<http://www.wired.com/news/business/0,1367,56504,00.html>
<http://www.fatwallet.com/forums/messageview.cfm?…>
Wal-Mart has backpedaled on this issue, and has decided not to prosecute. Before you cheer, realize that the damage has already been done. The DMCA is much less a law to prosecute people under and much more a law to intimidate people by. The intimidation has already been done.
<http://news.com.com/2100-1023-976296.html>

Steganography, and whether or not terrorists are using it:
<http://elonka.com/steganography/>

Further evidence that sysadmins don’t install security patches. This is a well-done scientific survey, and a really important result.
<http://www.newscientist.com/news/news.jsp?id=ns99993090>
<http://www.rtfm.com/upgrade.html>

Excellent paper on DRM, copyright, and peer-to-peer file sharing. Don’t let the fact that this is written by Microsoft people fool you; this is good stuff.
<http://crypto.stanford.edu/DRM2002/darknet5.doc>

Good paper on home network security:
<http://intel.com/technology/itj/2002/…>

2002 computer security survey:
<www.scmagazine.com/artframe_art_cs.html>

Counterpane News

Still can’t talk about what I can’t talk about. Sorry.

Interview with Schneier on CNet:
<http://news.com.com/1200-1120-975429.html>

Another article on Schneier:
<http://www.zdnet.com.au/newstech/communications/…>

Interview with Schneier in Portuguese:
<http://www.modulo.com.br/index.jsp?…>

Security Notes from All Over: Dan Cooper

On 24 November 1971, someone using the alias “Dan Cooper” invented a new way to hijack an aircraft, or at least a new way of getting away. He took over a Northwest Orient flight from Portland to Seattle by claiming he had a bomb. On the ground in Seattle, he exchanged the passengers and flight attendants for two hundred thousand dollars and four parachutes. Taking off again, he told the pilots to fly at 10,000 feet toward Nevada. Then, somewhere over southwest Washington, he lowered the plane’s back stairs and parachuted away. He was never caught, and the FBI still doesn’t know who he is or whether he survived.

This attack was new. It was thinking outside the box. The attack exploited a vulnerability in the seams of the security system: we spend a lot of effort securing entry and exit to aircraft on the ground, but don’t really think about securing it in the air. (Also notice the cleverness in asking for four parachutes. The FBI had to assume that he would force some of the hostages to jump with him, and could not risk giving him dud chutes.) Cooper “cheated” and got away with it.

He also inspired lots of copycats. In fact, so many attackers tried the same trick that Boeing installed something called a Cooper Vane on their planes, preventing the back stairs from opening in flight.

N.B. A police officer erroneously called him “D.B. Cooper” and the name stuck, giving rise to both a ballad and a movie.

Crime: The Internet’s Next Big Thing

I think the next big Internet security trend is going to be crime. Not the spray-painting cow-tipping annoyance-causing crime we’ve been seeing over the past few years. Not the viruses and Trojans and DDoS attacks for fun and bragging rights. Not even the epidemics that sweep the Internet in hours and cause millions of dollars of damage. Real crime. On the Internet.

Crime on the Internet is nothing new. We’ve all heard isolated stories of competitors breaking into each others networks, hackers breaking into networks and extorting money from dazed sysadmins, and industrial espionage, identity theft, credit card-number theft, simple monetary theft from banks and other financial institutions, but it’s the Nimdas and the root-name-server attacks that make the headlines. And while we’re worrying about those threats, the criminals are slipping by unnoticed. They’re stealing money and things they can sell for money. They’re stealing credit card numbers and identity information and using it to commit fraud. They’re engaging in industrial espionage. The crimes never change; it’s only the tactics that are new.

I predict that people will start noticing. Companies have a strong self-interest not to publicize any real crime against their networks. The bad press from making an attack public is often more harmful than the attack itself. But the times are changing. Just this year, California passed a law—with large loopholes, unfortunately—requiring companies to make these attacks public. I predict more of these sorts of laws in the future.

Criminals tend to lag behind technology by five to ten years, but eventually they figure it out. Just as Willie Sutton robbed banks because “that’s where the money is,” modern criminals will attack computer networks. Increasingly, value is online instead of in a vault; illicitly changing a number in a bank database can be significantly more lucrative than walking into a branch office waving a gun around.

Real crime is hard to detect. When your network is being scanned dozens of times a day by script kiddies, the one serious criminal can sneak in unnoticed. At Counterpane, we monitor hundreds of networks against attack. Our hardest job, and the thing we spend the most time worrying about, is catching the real criminals among the hundreds of annoying hackers. It’s the insider trying to change his salary in the human resources computer. It’s the robbers trying to manipulate account balances on a bank computer. This is the real crime on the net, and when we catch these guys our customers are elated. More and more, this is going to be where companies want their computer security dollars to be spent.

Comments from Readers

From: Anomymous
Subject: Embedded Systems – July 15, 2002 Cryptogram

A draft of this sat in my mail program for several months. I noticed there were no replies with similar comments in later Cryptograms, so I’m sending this.

Regarding your comments on embedded systems: I agree that threats like bombs and germs (as well as hurricanes and earthquakes) are far more likely than hackers, but these systems still have some serious security issues.

A few comments from personal experience (I coordinate the IT aspects of some energy management systems for my employer):

* These systems are moving away from direct hard-wire connections to TCP/IP-based communications, since institutions can take advantage of existing network infrastructure rather than spend a lot of money to run and maintain dedicated hardwired connections. While they’ll (hopefully) use a restricted network for their equipment, chances are they’ll have a gateway on the open Internet so users (maintenance staff as well as contractors) can check on the equipment remotely.

* Users of these systems are moving away from proprietary systems to open protocols like LonMark (aka LonWorks, EcheLon), BACnet, ModBus over IP, etc. Forget about security through obscurity.

* The people who have designed these protocols know about their respective systems (fire alarms, heating/cooling systems, electrical metering, etc.) and little about network security, if even about computer networks. (I recall one vendor’s BACnet system that required users setting them up to create their own MAC addresses.) What little security they implement may be a simple plaintext username and password.

* Web-based (Java) interfaces are becoming more popular. Institutions prefer this since systems can be accessed from any computer with a web browser, instead of a specific computer with specialized software.

* For the usual reasons, systems which are designed to take advantage of Internet Explorer’s features are quite popular. Imagine analyzing a problem from a nearby office instead of going down 50 floors to the sub-basement of the building, or having a contractor quickly fixing a problem from his office rather than making a visit at $100+/hour, and you’ll understand the appeal. Of course, this means anybody can get to such systems. A hacker does not even need to know about protocols, only the right Web site and password.

* These systems may use proprietary or lesser-known Web servers, which don’t have the same degree of testing or evaluation that something like Apache or even IIS has.

* Often these systems have little or no logging facilities to say who logged in when (or tried to) and did what.

* The people who use and maintain these systems on a day-to-day basis are not the most computer literate. Who regularly checks on the computers, installs service packs or patches, examines logs, etc.?

* My experience with some contractors is that they are used to just throwing these systems onto whatever network connections they get and installing software onto a computer used by the maintenance staff. I suspect there are many institutions where the IT department has no idea such systems exist on their networks.

* Likewise, the contractors usually send somebody who is an expert in the a specific field (HVAC, electronic locks, fire alarms) but knows little about setting up or maintaining a Windows NT or Linux box.

* The maintenance staff often makes the purchasing decisions with no input from the IT staff.

* Queries or complaints to the vendors about security of their systems either disappear down the black hole of “we’ll have development look at it” or result in defensive responses from their sales staff.

* Throw in the usual sloppiness about users writing down passwords on their desks, sharing passwords or using easy-to-guess passwords, vendors using one password for all of their clients’ systems, default passwords left unchanged….

That’s the tip of the iceberg.

From: “Christian Gruber” <cgruber infotriever.com>
Subject: National Strategy to Secure Cyberspace

This is in response to a letter you included in the November Cryptogram. In it, a reader indicated that protecting the commons was best achieved by parceling it up, and sectioning it out to private ownership, who would “keep it clean” because they had incentive, since it was theirs, with the caveat: “The tricky bit is dividing the commons up into the proper chunks of property to insure that the greatest number of people can still use it at a fair price.”

There are three flaws here.

The first is in the assumption that people keep what is theirs clean and accessible at all. I almost never weed my lawn. My wife gets allergy attacks when I use pesticides, and I’m not outdoorsy enough to take care of it myself. Because it’s mine, I don’t tend to take out the dandelions. I only do so when I am pressured by subtle and/or angry hints from my neighbours. Frankly, that’s external pressure, unrelated to property ownership. That’s them defending the commons of the beauty of the neighbourhood, combined with the commons of the airspace we share through which dandelion seeds fly. My “private” owned lot itself provides no incentive pressure to keep clean, nor do I have incentive to allow others onto it—especially when they are just going to complain about my weeds. So indeed, parceling up “commons” seems to have no advantage to the common folk, but has great benefit to me, since I get to own property with which I can do what I please (more or less).

Second, the statement “laws don’t work” is patently ridiculous. If laws don’t work, then I invite the reader to take tea with me the day after I brutally kill his dog. Since he will establish that I “damaged his property” and bring those same pesky community enforcement arms (popo’s, for you ghetto kids) to arrest me on that basis. You see, if he is enforcing property rights under the law, he is saying laws work. Just not the laws FOR the commons.

Thirdly, he’s comparing the best of private ownership and minimalist governance against the worst of public trust governance. “Private owners are good, honest people, who will keep their own streets clean” but “Pork-barrel politicians are just waiting for that bribe to ignore environmental laws, whilst feeding at the public trough in the first place.” The inverse picture is made by opponents of privatization, etc. “Those nasty megacorporations are polluting the earth” and “We need our big daddy the government to legislate moral behavior into corporations.” Both are extreme comparisons of the worst of each side against the best, depending on which the speaker prefers. The truth is more moderate.

The point is I smell bias here. Laws work for our friend. What doesn’t work for the dear reader are laws that don’t support an agenda of private ownership taking priority over public ownership. That’s a fine position to take, and I am somewhat sympathetic to laws that enforce property rights. His presentation, however, tries to pass off a partisan bit of rhetoric as sensible argument, when it is in fact self-contradictory, and (albeit anecdotally) demonstrably false.

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography. Back issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of “Secrets and Lies” and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane’s expert security analysts protect networks for Fortune 1000 companies world-wide.

Sidebar photo of Bruce Schneier by Joe MacInnis.