Chechen terrorists did it in 2004. I said this in an interview with then TSA head Kip Hawley in 2007:
I don't want to even think about how much C4 I can strap to my legs and walk through your magnetometers.
And what sort of magical thinking is behind the rumored TSA rule about keeping passengers seated during the last hour of flight? Do we really think the terrorist won't think of blowing up their improvised explosive devices during the first hour of flight?
For years I've been saying this:
Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.
This week, the second one worked over Detroit. Security succeeded.
EDITED TO ADD (12/26): Only one carry on? No electronics for the first hour of flight? I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks.
I was writing an entry about how the MS Word's default units were inches (news to me, since I've always used it with centimeters), and came up blank looking for a couple of terms.
1. How do you call the... length of blank space at the start of the first line of a paragraph?
I mean, this one is three 'spaces' long. While this one is only one 'space' long.
Would it be 'paragraph indention'?
2. How do you call a number which can be obtained from another number by dividing/multiplying it by an integer?
For example, the default 'paragraph indention' in Word seems to be 0.5 inches. Many other, well, lengths are also parts of an inch or several inches. Is there a way to say that they are all ...(divisible by) the inch, or something?
P.S. This looks quite jumbled when I re-read it, for which I'm sorry.
Thank you.
Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still.
The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren't "hacked" -- the insurgents can’t control them -- but because the downlink is unencrypted, they can watch the same video stream as the coalition troops on the ground.
The naive reaction is to ridicule the military. Encryption is so easy that HDTVs do it -- just a software routine and you're done -- and the Pentagon has known about this flaw since Bosnia in the 1990s. But encrypting the data is the easiest part; key management is the hard part. Each UAV needs to share a key with the ground station. These keys have to be produced, guarded, transported, used and then destroyed. And the equipment, both the Predators and the ground terminals, needs to be classified and controlled, and all the users need security clearance.
The command and control channel is, and always has been, encrypted -- because that's both more important and easier to manage. UAVs are flown by airmen sitting at comfortable desks on U.S. military bases, where key management is simpler. But the video feed is different. It needs to be available to all sorts of people, of varying nationalities and security clearances, on a variety of field terminals, in a variety of geographical areas, in all sorts of conditions -- with everything constantly changing. Key management in this environment would be a nightmare.
Additionally, how valuable is this video downlink to the enemy? The primary fear seems to be that the militants watch the video, notice their compound being surveilled and flee before the missiles hit. Or notice a bunch of Marines walking through a recognizable area and attack them. This might make a great movie scene, but it's not very realistic. Without context, and just by peeking at random video streams, the risk caused by eavesdropping is low.
Contrast this with the additional risks if you encrypt: A soldier in the field doesn't have access to the real-time video because of a key management failure; a UAV can't be quickly deployed to a new area because the keys aren't in place; we can't share the video information with our allies because we can't give them the keys; most soldiers can't use this technology because they don't have the right clearances. Given this risk analysis, not encrypting the video is almost certainly the right decision.
There is another option, though. During the Cold War, the NSA's primary adversary was Soviet intelligence, and it developed its crypto solutions accordingly. Even though that level of security makes no sense in Bosnia, and certainly not in Iraq and Afghanistan, it is what the NSA had to offer. If you encrypt, they said, you have to do it "right."
The problem is, the world has changed. Today's insurgent adversaries don't have KGB-level intelligence gathering or cryptanalytic capabilities. At the same time, computer and network data gathering has become much cheaper and easier, so they have technical capabilities the Soviets could only dream of. Defending against these sorts of adversaries doesn't require military-grade encryption only where it counts; it requires commercial-grade encryption everywhere possible.
This sort of solution would require the NSA to develop a whole new level of lightweight commercial-grade security systems for military applications — not just office-data "Sensitive but Unclassified" or "For Official Use Only" classifications. It would require the NSA to allow keys to be handed to uncleared UAV operators, and perhaps read over insecure phone lines and stored in people's back pockets. It would require the sort of ad hoc key management systems you find in internet protocols, or in DRM systems. It wouldn't be anywhere near perfect, but it would be more commensurate with the actual threats.
And it would help defend against a completely different threat facing the Pentagon: The PR threat. Regardless of whether the people responsible made the right security decision when they rushed the Predator into production, or when they convinced themselves that local adversaries wouldn't know how to exploit it, or when they forgot to update their Bosnia-era threat analysis to account for advances in technology, the story is now being played out in the press. The Pentagon is getting beaten up because it's not protecting against the threat — because it's easy to make a sound bite where the threat sounds really dire. And now it has to defend against the perceived threat to the troops, regardless of whether the defense actually protects the troops or not. Reminds me of the TSA, actually.
So the military is now committed to encrypting the video ... eventually. The next generation Predators, called Reapers -- Who names this stuff? Second-grade boys? -- will have the same weakness. Maybe we’ll have encrypted video by 2010, or 2014, but I don't think that's even remotely possible unless the NSA relaxes its key management and classification requirements and embraces a lightweight, less secure encryption solution for these sorts of situations. The real failure here is the failure of the Cold War security model to deal with today's threats.
This essay originally appeared on Wired.com.
EDITED TO ADD (12/24): Good article from The New Yorker on the uses -- and politics -- of these UAVs.

Dear friends,
The Estudio Hispánico team wishes you all:
A very Merry Christmas and a Happy New Year!
We hope the holidays are wonderful,
that 2010 comes full of hope,
of peace, health and a dignified life for everyone!
May 2010 be full of good humor,
and may we stay together!
Greetings from Spain,
Estudio Hispánico
http://www.estudiohispanico.com/es/index.h

Holiday debuggery
We know there were a few kinks with the holiday promotion. We've been working very hard to get them ironed out. If you have a paid/permanent account, keep on sending those coupons. Here's an update:
- If you were unable to send out multiple coupons at a time, please perform a hard refresh, and you should be good to go.
- If you redeemed a coupon to upgrade your account and the balance at checkout was $0 instead of $9.95 or $15, this means your upgrade did not go through (nor were you charged). We've straightened this out, so you can now apply your holiday coupon toward the purchase of an annual paid account.
- If you tried to redeem a holiday coupon and had trouble using a gift certificate to cover the balance of an annual paid account, we identified the root problem. If this happened to you, you can now use your holiday coupon together with your gift certificate.
- If the number of holiday coupons you have available suddenly goes up (instead of down), this might be due to recipients declining the coupons, at which point your pool of available coupons will be replenished and, therefore, increase.
- If you need assistance with holiday coupons or pretty much anything else (well, LiveJournal related), please open a support request and we'll be more than happy to help!
Tweaks
- There were some initial glitches displaying results on My Guests, but we've worked them out. We hope you'll check out who's been checking you out!
- Some of you reported formatting issues using the Rich Text Editor (i.e., line breaks were being removed incorrectly). We've implemented a fix! Thanks so much for your patience.
Give a little extra!
We're pleased to report that we've already sold over 100 virtual red ribbons in honor of National AIDS Awareness month. Remember, for each charitable vgift you purchase for $2.99, we'll donate 100 percent of gross proceeds to IAVI.org (the International AIDS Vaccine Initiative) to fund the development of an HIV vaccine. Once again, we thank you for your generosity.
Celebrate with holiday vGifts!
Stop by the Virtual Gift Shop and share some holiday magic with your LiveJournal friends.
Photos of the week
We're back with more dazzling pictures from around the world. Congrats to marlenemcc, who has been awarded a virtual blue ribbon as the winner of our fourth photo contest. We hope you'll click over to LJ_Photophile poll and tell us your picks in pics!
For more fantastic user content, we'll meet you under the cut.
Curtains
Thanks, again, for reading. Here's wishing you the very merriest of holidays. We'll see you next year!
The essay is about veganism and plant eating, but I found the descriptions of plant security countermeasures interesting:
Plants can’t run away from a threat but they can stand their ground. “They are very good at avoiding getting eaten,” said Linda Walling of the University of California, Riverside. “It’s an unusual situation where insects can overcome those defenses.” At the smallest nip to its leaves, specialized cells on the plant’s surface release chemicals to irritate the predator or sticky goo to entrap it. Genes in the plant’s DNA are activated to wage systemwide chemical warfare, the plant’s version of an immune response. We need terpenes, alkaloids, phenolics — let’s move.
“I’m amazed at how fast some of these things happen,” said Consuelo M. De Moraes of Pennsylvania State University. Dr. De Moraes and her colleagues did labeling experiments to clock a plant’s systemic response time and found that, in less than 20 minutes from the moment the caterpillar had begun feeding on its leaves, the plant had plucked carbon from the air and forged defensive compounds from scratch.
Just because we humans can’t hear them doesn’t mean plants don’t howl. Some of the compounds that plants generate in response to insect mastication — their feedback, you might say — are volatile chemicals that serve as cries for help. Such airborne alarm calls have been shown to attract both large predatory insects like dragon flies, which delight in caterpillar meat, and tiny parasitic insects, which can infect a caterpillar and destroy it from within.
Enemies of the plant’s enemies are not the only ones to tune into the emergency broadcast. “Some of these cues, some of these volatiles that are released when a focal plant is damaged,” said Richard Karban of the University of California, Davis, “cause other plants of the same species, or even of another species, to likewise become more resistant to herbivores.”
There's more in the essay.
Wow, is this a bad idea:
The Luggage Locator is an innovative product that travellers or anyone can use to locate items. It has been specifically engineered to help people find their luggage quickly and can also be used around the home or office.
A battery operated, two unit system, the Luggage Locator consists of a small transmitter about the size of a key chain and a lightweight receiver that attaches to any luggage handle. With the simple push of a button, the transmitter activates the receiver causing a bright flashing light and loud chirping sound. Locating your luggage after a long trip has never been quicker nor easier.
Anyone care to guess what's most likely to happen if a piece of luggage in an airport starts flashing and chirping? I think it'll be taken out to the tarmac and blown up using remote controlled bazookas.
I heard this rumor two days ago, and The New York Times is reporting today.
Reporters are calling me for reactions and opinions, but I just don't know. Schmidt is good, but I don't know if anyone can do well in a job with lots of responsibility but no actual authority. But maybe Obama will imbue the position with authority -- I don't know.
For many of us, the holidays can be kind of rough. If you're searching for a network of understanding friends, this ultra-nurturing community encourages you to express your heartfelt wishes and offer other members encouragement and acceptance. Not for the terminally snarky or emotionally-challenged, this is a good-spirited place to lend comfort and support.
Feeling crafty? If you've got a few last folks on your holiday gift list, this is a great place to seed your creativity and generosity. You'll also discover wonderful DIY tips to decorate your home and entertain guests. Offering a no-frills-no-skills attitude that welcomes the cash-challenged and arts-phobic, you're sure to get ideas and make friends in the process.
A fun and friendly community dedicated to those who love to cook, whether you're a meat-and-potatoes type, an aspiring gourmand, and/or a vegan. In search of a brilliant dish to use up those weekly leftovers? Post your ingredients and you'll be whipping up a feast by dinner. You can also share favorite recipes. For Type A chefs, you can spice up your culinary repertoire with exciting cooking challenges.
Google Launches Native Windows Transliteration Application for 14 languages Including Arabic, Greek, Hindi, Urdu and Farsi.
Google launches the Google IME application, which transliterates English words phonetically into Arabic
This seems like a solution in search of a problem:
MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable.
Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.
Basically, each card gets a "fingerprint" of the magnetic strip printed on it. And the reader (merchant terminal, ATM machine, whatever) verifies not only the card information, but the fingerprint as well. So a thief can't skim your card information and make another card.
I see a couple of issues here. One, any fraud solution that requires the credit card companies to issue new readers simply isn't going to happen in the U.S. If it were, we'd have embedded chips in our credit cards already. Trying to convince the merchants to type additional data in by hand isn't going to work, either. We finally got merchants to type in a 3–4 digit CVV code -- that basically does the same thing as this idea (albeit with less security).
Two, physically cloning cards is much less of a threat than virtually cloning them: buying things over the phone and Internet, etc. Yes, there are losses here, but I'm sure they're not great enough to justify all of this infrastructure change.
Still, a clever security idea. I expect there's an application for this somewhere.

