CRYPTO-GRAM

April 15, 2008

by Bruce Schneier
Founder and CTO
BT Counterpane
schneier@schneier.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0804.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
Third Annual Movie-Plot Threat Contest
The Security Mindset
News
The Feeling and Reality of Security
Web Entrapment
Schneier/BT Counterpane News
Speeding Tickets and Agenda
Seat Belts and Compensating Behavior
Internet Censorship
Comments from Readers

** *** ***** ******* *********** *************

Third Annual Movie-Plot Threat Contest

For this contest, the goal is to create fear. Not just any fear, but a
fear that you can alleviate through the sale of your new product idea.
There are lots of risks out there, some of them serious, some of them so
unlikely that we shouldn't worry about them, and some of them completely
made up. And there are lots of products out there that provide security
against those risks.

Your job is to invent one. First, find a risk or create one. It can be
a terrorism risk, a criminal risk, a natural-disaster risk, a common
household risk -- whatever. The weirder the better. Then, create a
product that everyone simply *has to* buy to protect him- or herself
from that risk. And finally, write a catalog ad for that product.

Here's an example, pulled from page 25 of the Late Spring 2008 Skymall
catalog I'm reading on my airplane as I write this:

"A Turtle is Safe in Water, A Child is Not! Even with the most vigilant
supervision a child can disappear in seconds and not be missed until
it's too late. Our new wireless pool safety alarm system is a must for
pool owners and parents of young children. The Turtle Wristband locks
on the child's wrist (a special key is required to remove it) and
instantly detects immersion in water and sounds a shrill alarm at the
Base Station located in the house or within 100 feet of the pool, spa,
or backyard pond. Keep extra wristbands on hand for guests or to
protect the family dog."

Entries are limited to 150 words -- the example above had 97 words --
because fear doesn't require a whole lot of explaining. Tell us why we
should be afraid, and why we should buy your product.

Entries will be judged on creativity, originality, persuasiveness, and
plausibility. It's okay if the product you invent doesn't actually
exist, but this isn't a science fiction contest.

Portable salmonella detectors for salad bars. Acoustical devices that
estimate tiger proximity based on roar strength. GPS-enabled wallets
for use when you've been pickpocketed. Wrist cuffs that emit fake DNA
to fool DNA detectors. The Quantum Sleeper. Fear offers endless
business opportunities. Good luck.

Entries due by May 1. Submit them as entries to the blog post. And
even if you don't want to enter, go read some of the submissions. You
people are frighteningly creative.

Blog post:
http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html

The First Movie-Plot Threat Contest rules:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
And winners:
http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html.
The Second Movie-Plot Threat Contest rules:
http://www.schneier.com/blog/archives/2007/04/announcing_seco.html
Semifinalists:
http://www.schneier.com/blog/archives/2007/06/second_annual_m.html
And winners:
http://www.schneier.com/blog/archives/2007/06/second_movieplo.html

** *** ***** ******* *********** *************

The Security Mindset

Uncle Milton Industries has been selling ant farms to children since
1956. Some years ago, I remember opening one up with a friend. There
were no actual ants included in the box. Instead, there was a card that
you filled in with your address, and the company would mail you some
ants. My friend expressed surprise that you could get ants sent to you
in the mail.

I replied: "What's really interesting is that these people will send a
tube of live ants to anyone you tell them to."

Security requires a particular mindset. Security professionals -- at
least the good ones -- see the world differently. They can't walk into a
store without noticing how they might shoplift. They can't use a
computer without wondering about the security vulnerabilities. They
can't vote without trying to figure out how to vote twice. They just
can't help it.

SmartWater is a liquid with a unique identifier linked to a particular
owner. "The idea is for me to paint this stuff on my valuables as proof
of ownership," I wrote when I first learned about the idea. "I think a
better idea would be for me to paint it on your valuables, and then call
the police."

Really, we can't help it.

This kind of thinking is not natural for most people. It's not natural
for engineers. Good engineering involves thinking about how things can
be made to work; the security mindset involves thinking about how things
can be made to fail. It involves thinking like an attacker, an adversary
or a criminal. You don't have to exploit the vulnerabilities you find,
but if you don't see the world that way, you'll never notice most
security problems.

I've often speculated about how much of this is innate, and how much is
teachable. In general, I think it's a particular way of looking at the
world, and that it's far easier to teach someone domain expertise --
cryptography or software security or safecracking or document forgery --
than it is to teach someone a security mindset.

Which is why CSE 484, an undergraduate computer-security course taught
this quarter at the University of Washington, is so interesting to
watch. Professor Tadayoshi Kohno is trying to teach a security mindset.

You can see the results in the blog the students are keeping. They're
encouraged to post security reviews about random things: smart pill
boxes, Quiet Care Elder Care monitors, Apple's Time Capsule, GM's
OnStar, traffic lights, safe deposit boxes, and dorm room security.

One recent one is about an automobile dealership. The poster described
how she was able to retrieve her car after service just by giving the
attendant her last name. Now any normal car owner would be happy about
how easy it was to get her car back, but someone with a security mindset
immediately thinks: "Can I really get a car just by knowing the last
name of someone whose car is being serviced?"

The rest of the blog post speculates on how someone could steal a car by
exploiting this security vulnerability, and whether it makes sense for
the dealership to have this lax security. You can quibble with the
analysis -- I'm curious about the liability that the dealership has, and
whether their insurance would cover any losses -- but that's all domain
expertise. The important point is to notice, and then question, the
security in the first place.

The lack of a security mindset explains a lot of bad security out there:
voting machines, electronic payment cards, medical devices, ID cards,
internet protocols. The designers are so busy making these systems work
that they don't stop to notice how they might fail or be made to fail,
and then how those failures might be exploited. Teaching designers a
security mindset will go a long way toward making future technological
systems more secure.

That part's obvious, but I think the security mindset is beneficial in
many more ways. If people can learn how to think outside their narrow
focus and see a bigger picture, whether in technology or politics or
their everyday lives, they'll be more sophisticated consumers, more
skeptical citizens, less gullible people.

If more people had a security mindset, services that compromise privacy
wouldn't have such a sizable market share -- and Facebook would be
totally different. Laptops wouldn't be lost with millions of unencrypted
Social Security numbers on them, and we'd all learn a lot fewer security
lessons the hard way. The power grid would be more secure. Identity
theft would go way down. Medical records would be more private. If
people had the security mindset, they wouldn't have tried to look at
Britney Spears' medical records, since they would have realized that
they would be caught.

There's nothing magical about this particular university class; anyone
can exercise his security mindset simply by trying to look at the world
from an attacker's perspective. If I wanted to evade this particular
security device, how would I do it? Could I follow the letter of this
law but get around the spirit? If the person who wrote this
advertisement, essay, article or television documentary were
unscrupulous, what could he have done? And then, how can I protect
myself from these attacks?

The security mindset is a valuable skill that everyone can benefit from,
regardless of career path.

SmartWater
http://www.smartwater.com/products/securitySolutions.html
http://www.schneier.com/blog/archives/2005/02/smart_water.html

CSE484:
http://www.cs.washington.edu/education/courses/484/08wi/
http://cubist.cs.washington.edu/Security/2007/11/22/why-a-computer-security-course-blog/
or http://tinyurl.com/3m94ag

CSE484 blog:
http://cubist.cs.washington.edu/Security/
http://cubist.cs.washington.edu/Security/category/security-reviews/
http://cubist.cs.washington.edu/Security/2008/03/14/security-review-michaels-toyota-service-center/
or http://tinyurl.com/456b5y

Britney Spears' medical records:
http://www.msnbc.msn.com/id/23640143

This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320
or http://tinyurl.com/2lkg5f

Comments:
http://www.freedom-to-tinker.com/?p=1268
http://blog.ungullible.com/2008/03/hacking-yourself-to-ungullibility-part.html
or http://tinyurl.com/3fl9np
http://www.daemonology.net/blog/2008-03-21-security-is-mathematics.html
or http://tinyurl.com/34y2en

** *** ***** ******* *********** *************

News

Camera that sees under clothes:
http://www.reuters.com/article/technologyNews/idUSL0926757420080309
If this is real, it seems much less invasive than backscatter X ray.
http://www.schneier.com/blog/archives/2005/06/backscatter_x-r.html

Four items from Montana. The difficulty of implementing REAL-ID in
areas so remote they don't have a permanent DMV.
http://www.economist.com/research/articlesBySubject/displaystory.cfm?subjectid=7933598&story_id=10751175#Thursday
or http://tinyurl.com/3w7cnj
The difficulty of implementing airport security at airports so remote
they average only two passengers per flight.
http://www.usatoday.com/news/nation/2008-03-04-airport-screenings_N.htm
or http://tinyurl.com/2m3xlv
This is the best: Brian Schweitzer, Montana's governor, speaking about
his opposition to REAL ID.
http://www.npr.org/templates/story/story.php?storyId=87991791
More on Montana and REAL-ID.
http://blog.wired.com/27bstroke6/2008/03/montana-gov-dhs.html

New research on how the brain estimates risk.
http://www.sciencedaily.com/releases/2008/03/080312093854.htm

Bomb squad defuses turnip. Props to the writer who came up with the
first sentence of the story: "A raw turnip was at the root of a bomb
scare that last for hours at a law office."
http://ap.google.com/article/ALeqM5g5qxveGlCNPGT6iLRlEhEUbZcepAD8VDF0AO0
or http://tinyurl.com/37km5m
http://www.journalgazette.net/apps/pbcs.dll/article?AID=/20080315/LOCAL07/803150407/1002/LOCAL
or http://tinyurl.com/2jug84
Comment on my blog from someone claiming to be the turnip mailer:
http://www.schneier.com/blog/archives/2008/03/bomb_squad_defu.html#c256420
or http://tinyurl.com/4z7nko

Another dispatch from the continuing slide towards thoughtcrime: a
suggestion from the UK of putting primary-school children in a DNA
database if they "exhibit behaviour indicating they may become criminals in
later life." Thankfully, the article contains some reasonable reactions
to this proposal.
http://www.guardian.co.uk/society/2008/mar/16/youthjustice.children

This is another excellent series of posts on threat modeling at
Microsoft, this time from Adam Shostack.
First post:
http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx
or http://tinyurl.com/2tvxhx
Entire series as Word document:
http://blogs.msdn.com/sdl/attachment/7702305.ashx
I already linked to this series by Larry Osterman.
http://www.schneier.com/blog/archives/2007/10/threat_modeling.html

Despite "heartbeat sensors, CO2 probes to detect exhaled breath and
'passive millimetre wave' scanners which can 'see' through vehicles,"
it's easy to sneak into the UK from Calais due to inadequate fencing.
Remember: security is only as strong as the weakest link.
http://news.bbc.co.uk/1/hi/uk_politics/7277771.stm

Wacky airplane security idea of the month: Force everyone to wear a
bracelet that, when remotely activated, gives the person a debilitating
shock. No, really. A company is trying to commercialize this idea.
The mind boggles.
http://www.lamperdlesslethal.com/
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6,933,851.PN.&OS=PN/6,933,851&RS=PN/6,933,851
or http://tinyurl.com/2j6jp8

This sort of credit card fraud is nothing new, but it's rare to see
statistics of actual fraud.
http://www.schneier.com/blog/archives/2008/03/fraud_due_to_a.html
My guess is that it's an inside job.

MC Frontalot raps about encryption:
http://www.frontalot.com/index.php/?page=mp3
http://www.frontalot.com/index.php/?page=lyrics&lyricid=41

Really good blog post on the future potential of quantum computing and
its effects on cryptography.
http://www.emergentchaos.com/archives/2008/03/quantum_progress.html
A quantum computer scientist responds:
http://scienceblogs.com/pontiff/2008/03/shor_calculations.php

If you're fearful, you think you're more at risk than if you're angry:
http://www.hks.harvard.edu/news-events/publications/insight/management/jennifer-lerner
or http://tinyurl.com/3gflds
http://content.ksg.harvard.edu/lernerlab/pdfs/Lerner_2003_PS_Paper.pdf

Build your own paper Enigma machine:
http://mckoss.com/Crypto/Enigma.htm
An Enigma on an old Atari 2600 video game:
http://brainwagon.org/the-enigma-2600/
Excellent and well-written article on the Enigma by the NSA:
http://www.nsa.gov/publications/publi00016.cfm

At the DISI conference last December, Martin Hellman gave a lecture on
the invention of public-key cryptography.
http://video.google.com/videoplay?docid=8991737124862867507

This article from The Wall Street Journal outlines how the NSA is
increasingly engaging in domestic surveillance, data collection, and
data mining. The result is essentially the same as Total Information
Awareness.
http://online.wsj.com/article/SB120511973377523845.html
Barry Steinhardt of the ACLU comments.
http://www.dailykos.com/storyonly/2008/3/11/14380/5939/606/474351
More commentary:
http://blogs.zdnet.com/Ratcliffe/?p=334&tag=nl.e622

Hypnotist thief in Italy. This is weird:
http://news.bbc.co.uk/1/hi/world/europe/7309947.stm
http://dilbertblog.typepad.com/the_dilbert_blog/2008/03/hypnotist-thief.html
or http://tinyurl.com/33xjou

The U.S. has a new cyber-security czar, Rod A. Beckstrom, who has no
cyber-security experience.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/19/AR2008031903125.html
or http://tinyurl.com/2yh2qv
http://arstechnica.com/news.ars/post/20080328-meet-the-new-us-cybersecurity-czar.html
or http://tinyurl.com/2h53u6

Malware targeted against pro-Tibet groups. Seems to be the Chinese
government, although -- of course -- there's really no way to prove this.
http://www.f-secure.com/weblog/archives/00001406.html
Blog entry URL:
http://www.schneier.com/blog/archives/2008/03/malware_targete.html

Science fiction writers offer homeland security advice. It's embarrassing.
http://www.nationaldefensemagazine.org/issues/2008/March/SecurityBeat.htm#Science
or http://tinyurl.com/3a3b2z

Good list of common corporate security pitfalls:
http://www.infoworld.com/article/08/03/17/12NF-security-landmines_1.html
or http://tinyurl.com/2sv49l

The N-DEx National Intelligence System: more data collection on everyone.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/05/AR2008030503656_pf.html
or http://tinyurl.com/yqoy3w

A church pastor is an identity thief.
http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/120641100692450.xml&coll=1
or http://tinyurl.com/536d4y
The more trusted a thief is, the harder he is to catch.

Got an idea how to build a liquid bottle scanner? The TSA wants to give
you money.
http://www.gsnmagazine.com/cms/resources/business-opportunities/624.html
or http://tinyurl.com/2bo5c9

The Quantum Sleeper Unit: fearmongering and security theater at its finest.
http://www.qsleeper.com/

The Chaos Computer Club published the fingerprint of Germany's interior
minister, Wolfgang Schäuble. This is 1) a good demonstration that a
fingerprint is not a secret, and 2) a great political hack. Schäuble is
a strong supporter of collecting biometric data on everyone as an
antiterrorist measure. Because, um, because it sounds like a good idea.
http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/
or http://tinyurl.com/2husjv
http://www.heise.de/english/newsticker/news/105728
http://www.ccc.de/updates/2008/schaubles-finger
The fingerprint itself, ready to print out:
http://www.ccc.de/images/misc/schaeuble-attrappe.png
English-language guide to lifting and using fingerprints.
http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en
Me on biometrics from ten years ago:
http://www.schneier.com/crypto-gram-9808.html#biometrics

The U.S. is outsourcing the manufacture of its RFID passports to some
questionable companies. This is a great illustration of the maxim
"security trade-offs are often made for non-security reasons." I can
imagine the manager in charge: "Yes, it's insecure. But think of the
savings!"
http://washingtontimes.com/apps/pbcs.dll/article?AID=/20080326/NATION/%20840186493/0/BUSINESS
or http://tinyurl.com/345f6u
http://www.upi.com/NewsTrack/Top_News/2008/03/26/outsourcing_passports_profound_liability/9799/
or http://tinyurl.com/26u35h

Australia may outlaw laser pointers, because they were used against
planes last month. I'm sure criminals also used cars in Australia last
week. Will the country ban them next? On the other hand, I'm sick and
tired of laser pointers myself. But the cats of Australia will be
terribly disappointed.
http://www.smh.com.au/news/national/lasers-face-import-ban/2008/03/30/1206850709183.html
or http://tinyurl.com/4v3kzk

An eerily prescient article from The Atlantic in 1967 about the future
of data privacy and security. It presents all of the basic arguments
for strict controls on data collection of personal information, and it's
remarkably accurate in its predictions of the future development and
importance of computers as well as all of the ways the government
would abuse them. Well worth reading.
http://blog.modernmechanix.com/2008/03/31/the-national-data-center-and-personal-privacy/
or http://tinyurl.com/2rg864

This labyrinth security lock is an April Fool's joke, but I want one.
http://www.thinkgeek.com/stuff/41/titaniumlabyrinth.html?cpg=70H

We finally have some actual information about the "liquid bomb" that was
planned by that London group arrested in 2006: "The court heard the
bombers intended to use hydrogen peroxide and mix it with a product
called Tang, used in soft drinks, to turn it into an explosive. They
intended to carry it on board disguised as 500ml bottles of Oasis or
Lucozade by using food dye to recreate the drinks' distinctive colour.
The detonator would have been disguised as AA 1.5 batteries. The
contents of the batteries would have been removed and an electric
element such as a light bulb or wiring would have been inserted. A
disposable camera would have provided a power source."
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=555465&in_page_id=1770&ct=5
or http://tinyurl.com/2xnabh
Much commentary on my blog about the feasibility of this:
http://www.schneier.com/blog/archives/2008/04/the_liquid_bomb.html

The KeeLoq keyless entry system is used by Chrysler, Daewoo, Fiat,
General Motors, Honda, Toyota, Lexus, Volvo, Volkswagen, Jaguar, and
probably others. It's broken.
http://www.crypto.rub.de/keeloq/index.html
http://www.theregister.co.uk/2008/04/03/keeloq_master_key_found/

This is a weird story. A burglar gives himself cover by posting a hoax
Craigslist ad saying that the owner of a home had to leave suddenly, and
his belongings were free for the taking. He steals stuff, as do other
people who believe the ad.
http://www.schneier.com/blog/archives/2008/03/craigslist_scam.html

Would-be bomber caught at Orlando Airport due to behavioral profiling.
My comments are here:
http://www.schneier.com/blog/archives/2008/04/wouldbe_bomber_1.html

Data from San Francisco demonstrating the ineffectiveness of security
cameras. This quote is instructive: "Mayor Gavin Newsom called the
report 'conclusively inconclusive' on Thursday but said he still wants
to install more cameras around the city because they make residents feel
safer." That's right: the cameras aren't about security, they're about
security theater. More comments on the general issue here.
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2008/03/21/MN27VNFET.DTL
or http://tinyurl.com/2h4d65
http://gritsforbreakfast.blogspot.com/2005/03/why-surveillance-cameras-dont-reduce.html
or http://tinyurl.com/4r9qt
http://gritsforbreakfast.blogspot.com/2008/04/best-way-to-terminate-surveillance.html
or http://tinyurl.com/3oqzz7

NSA has released its version of Linux. So, do you trust it?
http://www.upi.com/International_Security/Emerging_Threats/Briefing/2008/03/24/nsa_releases_new_version_of_linux_software/9918/
or http://tinyurl.com/6bzc2f
NSA's guide to securing Linux:
http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf

More colleges offer degrees in homeland security:
http://www.slate.com/?id=2187648

Tracking vehicles through tire-pressure monitors: just another example
of our surveillance future.
http://www.hexview.com/sdp/node/44
http://www.canadiandriver.com/articles/jk/070404.htm
http://www.canadiandriver.com/articles/jm/tpms2.htm

This is a great essay by a mom who let her 9-year-old son ride the New
York City subway alone, and the whole discussion is illustrative of how we
overestimate threats against children:
http://www.schneier.com/blog/archives/2008/04/overestimating.html

There's a plan to create a nationwide emergency alert system using text
messages. The real question is whether the benefits outweigh the risks.
I could certainly imagine scenarios where getting short text messages
out to everyone in a particular geographic area is a good thing, but I
can also imagine the hacking possibilities. And once this system is
developed for emergency use, can a bulk SMS business be far behind?
http://www.schneier.com/blog/archives/2008/04/bulk_text_messa.html

In this article analyzing a security failure resulting in live nuclear
warheads being flown over the U.S., there's an interesting commentary on
people and security procedures: "'Let's not forget that the existing rules
were pretty tight,' says Hans Kristensen, director of the Nuclear
Information Project for the Federation of American Scientists. 'Much of
what went wrong occurred because people didn't follow these tight rules.
You can have all sorts of rules and regulations, but they still won't do
any good if the people don't follow them.'" Procedures are a tough
balancing act. If they're too lax, there will be security problems. If
they're too tight, people will get around them and there will be
security problems.
http://www.military.com/features/0,15240,165396,00.html

Pentagon may issue pocket lie detectors to American soldiers in
Afghanistan, even though they don't work.
http://www.msnbc.msn.com/id/23926278/

Good article on the difficulty of keeping drugs out of prisons. Lots of
ways to evade security, including making use of corrupt guards.
http://news.bbc.co.uk/go/em/fr/-/1/hi/magazine/7340533.stm

I previously wrote about the UK's Regulation of Investigatory Powers Act
(RIPA), which was sold as a means to tackle terrorism, and other serious
crimes, being used against animal rights protestors. The latest news
from the UK is that a local council has used provisions of the act to
put a couple and their children under surveillance, for "suspected
fraudulent school place applications." This kind of thing happens again
and again. When campaigning for a law's passage, the authorities invoke
the most heinous of criminals -- terrorists, kidnappers, drug dealers,
child pornographers -- but after the law is passed, they start using it
in more mundane situations.
http://news.bbc.co.uk/1/hi/england/dorset/7341179.stm
http://www.theregister.co.uk/2008/04/11/poole_council_ripa/
http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html

** *** ***** ******* *********** *************

The Feeling and Reality of Security

Security is both a feeling and a reality, and they're different. You can
feel secure even though you're not, and you can be secure even though
you don't feel it. There are two different concepts mapped onto the same
word -- the English language isn't working very well for us here -- and
it can be hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in
explaining how the two are different, and understanding when we're
referring to one and when the other. There is value as well in
recognizing when the two converge, understanding why they diverge, and
knowing how they can be made to converge again.

Some fundamentals first. Viewed from the perspective of economics,
security is a trade-off. There's no such thing as absolute security, and
any security you get has some cost: in money, in convenience, in
capabilities, in insecurities somewhere else, whatever. Every time
someone makes a decision about security -- computer security, community
security, national security -- he makes a trade-off.

People make these trade-offs as individuals. We all get to decide,
individually, if the expense and inconvenience of having a home burglar
alarm is worth the security. We all get to decide if wearing a
bulletproof vest is worth the cost and tacky appearance. We all get to
decide if we're getting our money's worth from the billions of dollars
we're spending combating terrorism, and if invading Iraq was the best
use of our counterterrorism resources. We might not have the power to
*implement* our opinion, but we get to decide if we think it's worth it.

Now we may or may not have the expertise to make those trade-offs
intelligently, but we make them anyway. All of us. People have a natural
intuition about security trade-offs, and we make them, large and small,
dozens of times throughout the day. We can't help it: It's part of being
alive.

Imagine a rabbit, sitting in a field eating grass. And he sees a fox.
He's going to make a security trade-off: Should he stay or should he
flee? Over time, the rabbits that are good at making that trade-off will
tend to reproduce, while the rabbits that are bad at it will tend to get
eaten or starve.

So, as a successful species on the planet, you'd expect that human
beings would be really good at making security trade-offs. Yet, at the
same time, we can be hopelessly bad at it. We spend more money on
terrorism than the data warrants. We fear flying and choose to drive
instead. Why?

The short answer is that people make most trade-offs based on the
*feeling* of security and not the reality.

I've written a lot about how people get security trade-offs wrong, and
the cognitive biases that cause us to make mistakes. Humans have
developed these biases because they make evolutionary sense. And most of
the time, they work.

Most of the time -- and this is important -- our feeling of security
matches the reality of security. Certainly, this is true of prehistory.
Modern times are harder. Blame technology, blame the media, blame
whatever. Our brains are much better optimized for the security
trade-offs endemic to living in small family groups in the East African
highlands in 100,000 B.C. than to those endemic to living in 2008 New York.

If we make security trade-offs based on the feeling of security rather
than the reality, we choose security that makes us *feel* more secure
over security that actually makes us more secure. And that's what
governments, companies, family members and everyone else provide. Of
course, there are two ways to make people feel more secure. The first is
to make people actually more secure and hope they notice. The second is
to make people feel more secure without making them actually more
secure, and hope they don't notice.

The key here is whether we notice. The feeling and reality of security
tend to converge when we take notice, and diverge when we don't. People
notice when 1) there are enough positive and negative examples to draw a
conclusion, and 2) there isn't too much emotion clouding the issue.
Both elements are important. If someone tries to convince us to spend
money on a new type of home burglar alarm, we as society will know
pretty quickly if he's got a clever security device or if he's a
charlatan; we can monitor crime rates. But if that same person advocates
a new national antiterrorism system, and there weren't any terrorist
attacks before it was implemented, and there weren't any after it was
implemented, how do we know if his system was effective?

People are more likely to realistically assess these incidents if they
don't contradict preconceived notions about how the world works. For
example: It's obvious that a wall keeps people out, so arguing against
building a wall across America's southern border to keep illegal
immigrants out is harder to do.

The other thing that matters is agenda. There are lots of people,
politicians, companies and so on who deliberately try to manipulate your
feeling of security for their own gain. They try to cause fear. They
invent threats. They take minor threats and make them major. And when
they talk about rare risks with only a few incidents to base an
assessment on -- terrorism is the big example here -- they are more
likely to succeed.

Unfortunately, there's no obvious antidote. Information is important. We
can't understand security unless we understand it. But that's not
enough: Few of us really understand cancer, yet we regularly make
security decisions based on its risk. What we do is accept that there
are experts who understand the risks of cancer, and trust them to make
the security trade-offs for us.

There are some complex feedback loops going on here, between emotion and
reason, between reality and our knowledge of it, between feeling and
familiarity, and between the understanding of how we reason and feel
about security and our analyses and feelings. We're never going to stop
making security trade-offs based on the feeling of security, and we're
never going to completely prevent those with specific agendas from
trying to take care of us. But the more we know, the better trade-offs
we'll make.

Getting security trade-offs wrong:
http://www.schneier.com/essay-162.html

Cognitive biases that affect security:
http://www.schneier.com/essay-155.html

"In Praise of Security Theater"
http://www.schneier.com/essay-154.html

The security lemon's market:
http://www.schneier.com/essay-165.html

Airline security and agenda:
http://www.schneier.com/blog/archives/2005/08/airline_securit_2.html

This essay originally appeared in Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/04/securitymatters_0403
or http://tinyurl.com/2xu2zb

** *** ***** ******* *********** *************

Web Entrapment

Frightening sting operation by the FBI. They posted links to supposed
child porn videos on boards frequented by those types, and obtained
search warrants based on access attempts.

This seems like incredibly flimsy evidence. Someone could post the link
as an embedded image, or send out e-mail with the link embedded, and
completely mess with the FBI's data -- and the poor innocents' lives.
Such are the problems when the mere clicking on a link is justification
for a warrant.

http://www.news.com/8301-13578_3-9899151-38.html?tag=nefd.pop
http://yro.slashdot.org/yro/08/03/20/2323247.shtml
http://arstechnica.com/news.ars/post/20080323-rick-rolled-to-child-porn-youre-a-pedophile-says-fbi.html
or http://tinyurl.com/2ffhs2

** *** ***** ******* *********** *************

Schneier/BT Counterpane News

Interviews with Schneier:
http://www.scienceprogress.org/2008/03/the-halfway-house-between-science-and-secrets/
or http://tinyurl.com/2f483v
http://www.ebizq.net/blogs/news_security/2008/03/does_the_security_industry_hav.php
or http://tinyurl.com/27udzp
http://flashplayer.streamos.com/flvplayer.php?url=http://rsa.edgeboss.net/flash/rsa/rsaconference/2008/us/podcasts/bruce_schneier.mp3
or http://tinyurl.com/3jnpwq
http://rsa.edgeboss.net/download/rsa/rsaconference/2008/us/podcasts/bruce_schneier.mp3
or http://tinyurl.com/4vqssb
http://www.schneier.com/news-055.html

Schneier is speaking at the Hack-in-the-Box Security Conference in Dubai
on April 16th:
http://conference.hitb.org/hitbsecconf2008dubai/

Schneier is speaking at the IT Security and Society Conference in
Eindhoven, Netherlands, on April 21:
http://www.win.tue.nl/eipsi/

Schneier is speaking at InfoSecurity Europe in London on April 23:
http://www.infosec.co.uk/

Schneier is speaking at the Universitat Autonoma de Barcelona in
Barcelona, Spain, on April 24:
http://www.uab.es/anycomputacio/cicles_activitats2.htm

** *** ***** ******* *********** *************


Speeding Tickets and Agenda

If you ever need an example to demonstrate that security is a function
of agenda, use this story about speed cameras. Cities that have
installed speed cameras are discovering motorists are driving slower,
which is decreasing revenues from fines. So they're turning the cameras
off.

Fines should never be considered part of a revenue stream: it gives the
police a whole new incentive -- and one we don't want them to have.

http://www.msnbc.msn.com/id/23710970

** *** ***** ******* *********** *************

Seat Belts and Compensating Behavior

There is a theory that people have an inherent risk thermostat that
seeks out an optimal level of risk. When something becomes inherently
safer -- a law is passed requiring motorcycle riders to wear helmets,
for example -- people compensate by riding more recklessly. I first
read this theory in a 1999 paper by John Adams at the University of
Reading, although it seems to have originated with Sam Peltzman.

In any case, a new paper presents data that contradicts that thesis:
"This paper investigates the effects of mandatory seat belt laws on
driver behavior and traffic fatalities. Using a unique panel data set on
seat belt usage in all U.S. jurisdictions, we analyze how such laws, by
influencing seat belt use, affect the incidence of traffic fatalities.
Allowing for the endogeneity of seat belt usage, we find that such usage
decreases overall traffic fatalities. The magnitude of this effect,
however, is significantly smaller than the estimate used by the National
Highway Traffic Safety Administration. In addition, we do not find
significant support for the compensating-behavior theory, which suggests
that seat belt use also has an indirect adverse effect on fatalities by
encouraging careless driving. Finally, we identify factors, especially
the type of enforcement used, that make seat belt laws more effective in
increasing seat belt usage."

http://www.stanford.edu/~leinav/pubs/RESTAT2003.pdf

John Adams:
http://www.cato.org/pubs/pas/pa-335es.html

** *** ***** ******* *********** *************

Internet Censorship

A review of Access Denied, edited by Ronald Deibert, John Palfrey, Rafal
Rohozinski and Jonathan Zittrain, MIT Press: 2008.

In 1993, Internet pioneer John Gilmore said "the net interprets
censorship as damage and routes around it", and we believed him. In
1996, cyberlibertarian John Perry Barlow issued his 'Declaration of the
Independence of Cyberspace' at the World Economic Forum at Davos,
Switzerland, and online. He told governments: "You have no moral right
to rule us, nor do you possess any methods of enforcement that we have
true reason to fear."

At the time, many shared Barlow's sentiments. The Internet empowered
people. It gave them access to information and couldn't be stopped,
blocked or filtered. Give someone access to the Internet, and they have
access to everything. Governments that relied on censorship to control
their citizens were doomed.

Today, things are very different. Internet censorship is flourishing.
Organizations selectively block employees' access to the Internet. At
least 26 countries -- mainly in the Middle East, North Africa, Asia, the
Pacific and the former Soviet Union -- selectively block their citizens'
Internet access. Even more countries legislate to control what can and
cannot be said, downloaded or linked to. "You have no sovereignty where
we gather," said Barlow. Oh yes we do, the governments of the world have
replied.

Access Denied is a survey of the practice of Internet filtering, and a
sourcebook of details about the countries that engage in the practice.
It is written by researchers of the OpenNet Initiative (ONI), an
organization that is dedicated to documenting global Internet filtering
around the world.

The first half of the book comprises essays written by ONI researchers
on the politics, practice, technology, legality and social effects of
Internet filtering. There are three basic rationales for Internet
censorship: politics and power; social norms, morals and religion; and
security concerns.

Some countries, such as India, filter only a few sites; others, such as
Iran, extensively filter the Internet. Saudi Arabia tries to block all
pornography (social norms and morals). Syria blocks everything from the
Israeli domain ".il" (politics and power). Some countries filter only at
certain times. During the 2006 elections in Belarus, for example, the
website of the main opposition candidate disappeared from the Internet.

The effectiveness of Internet filtering is mixed; it depends on the
tools used and the granularity of filtering. It is much easier to block
particular URLs or entire domains than it is to block information on a
particular topic. Some countries block specific sites or URLs based on
some predefined list but new URLs with similar content appear all the
time. Other countries -- notably China -- try to filter on the basis of
keywords in the actual web pages. A halfway measure is to filter on the
basis of URL keywords: names of dissidents or political parties, or
sexual words.

Much of the technology has other applications. Software for filtering is
a legitimate product category, purchased by schools to limit access by
children to objectionable material and by corporations trying to prevent
their employees from being distracted at work. One chapter discusses the
ethical implications of companies selling products, services and
technologies that enable Internet censorship.

Some censorship is legal, not technical. Countries have laws against
publishing certain content, registration requirements that prevent
anonymous Internet use, liability laws that force Internet service
providers to filter themselves, or surveillance. Egypt does not engage
in technical Internet filtering; instead, its laws discourage the
publishing and reading of certain content -- it has even jailed people
for their online activities.

The second half of Access Denied consists of detailed descriptions of
Internet use, regulations and censorship in eight regions of the world,
and in each of 40 different countries. The ONI found evidence of
censorship in 26 of those 40. For the other 14 countries, it summarizes
the legal and regulatory framework surrounding Internet use, and tests
the results that indicated no censorship. This leads to 200 pages of
rather dry reading, but it is vitally important to have this information
well-documented and easily accessible. The book's data are from 2006,
but the authors promise frequent updates on the ONI website.

No set of Internet censorship measures is perfect. It is often easy to
find the same information on uncensored URLs, and relatively easy to get
around the filtering mechanisms and to view prohibited web pages if you
know what you're doing. But most people don't have the computer skills
to bypass controls, and in a country where doing so is punishable by
jail -- or worse -- few take the risk. So even porous and ineffective
attempts at censorship can become very effective socially and politically.

In 1996, Barlow said: "You are trying to ward off the virus of liberty
by erecting guard posts at the frontiers of cyberspace. These may keep
out the contagion for some time, but they will not work in a world that
will soon be blanketed in bit-bearing media."

Brave words, but premature. Certainly, there is much more information
available to many more people today than there was in 1996. But the
Internet is made up of physical computers and connections that exist
within national boundaries. Today's Internet still has borders and,
increasingly, countries want to control what passes through them. In
documenting this control, the ONI has performed an invaluable service.

OpenNet Initiative:
http://www.opennet.net

This was originally published in Nature:
http://www.nature.com/nature/journal/v452/n7184/full/452155b.html

** *** ***** ******* *********** *************

Comments from Readers

There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join
in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You can
subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is founder and CTO of BT Counterpane, and is a member of the Board of
Directors of the Electronic Privacy Information Center (EPIC). He is a
frequent writer and lecturer on security topics. See
<http://www.schneier.com>.

BT Counterpane is the world's leading protector of networked information
- the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. BT
Counterpane protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT or BT Counterpane.

Copyright (c) 2008 by Bruce Schneier.
