December 15, 2002

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            [EMAIL PROTECTED]

A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on computer security and cryptography.

Back issues are available at 
<>.  To subscribe, visit 
<> or send a blank message 

Copyright (c) 2002 by Counterpane Internet Security, Inc.

** *** ***** ******* *********** *************

In this issue:
      Crypto-Gram Reprints
      Comments on the Department of Homeland Security
      Counterpane News
      Security Notes from All Over:  Dan Cooper
      Crime: The Internet's Next Big Thing
      Comments from Readers

** *** ***** ******* *********** *************


This must be an idea whose time has come, because I'm seeing it talked 
about everywhere.  The entertainment industry floated a bill that would 
give it the ability to break into other people's computers if they are 
suspected of copyright violation.  Several articles have been written 
on the notion of automated law enforcement, where both governments and 
private companies use computers to automatically find and target 
suspected criminals.  And finally, Tim Mullen and other security 
researchers have started talking about "strike back," where the victim 
of a computer assault automatically attacks back at the perpetrator.

The common theme here is vigilantism: citizens and companies taking the 
law into their own hands and going after their assailants.  Viscerally, 
it's an appealing idea.  But it's a horrible one, and one that society 
after society has eschewed.

Our society does not give us the right of revenge, and wouldn't work 
very well if it did.  Our laws give us the right to justice, in either 
the criminal or civil context.  Justice is all we can expect if we want 
to enjoy our constitutional freedoms, personal safety, and an orderly 

Anyone accused of a crime deserves a fair trial.  He deserves the right 
to defend himself, the right to face his accuser, the right to an 
attorney, and the right to be held innocent until proven guilty.

Vigilantism flies in the face of these rights.  It punishes people 
before they have been found guilty.  Angry mobs lynching someone 
suspected of murder is wrong, even if that person is actually 
guilty.  The MPAA disabling someone's computer because he's suspected 
of copying a movie is wrong, even if the movie was copied.  Revenge is 
a basic human emotion, but revenge only becomes justice if carried out 
by the State.

And the State has more motivation to be fair.  The RIAA sent a 
cease-and-desist letter to an ISP asking them to remove certain files 
that were the copyrighted works of George Harrison.  One of the files: 
"Portrait of mrs. harrison Williams 1943.jpg."  The RIAA simply Googled 
for the string "harrison" and went after everyone who turned 
up.  Vigilantism is wrong because the vigilante could be wrong.  The 
goal of a State legal system is justice; the goal of the RIAA was 

Systems of strike back are much the same.  The idea is that if a 
computer is attacking you -- sending you viruses, acting as a DDoS 
zombie, etc. -- you might be able to forcibly shut that computer down 
or remotely install a patch.  Again, a nice idea in theory but one 
that's legally and morally wrong.

Imagine you're a homeowner, and your neighbor has some kind of device 
on the outside of his house that makes noise.  A lot of noise.  All day 
and all night.  Enough noise that any reasonable person would claim it 
to be a public nuisance.  Even so, it is not legal for you to take 
matters into your own hands and stop the noise.

Destroying property is not a recognized remedy for stopping a nuisance, 
even if it is causing you real harm.  Your remedies are to: 1) call the 
police and ask them to turn it off, break it, or insist that the 
neighbor turn it off; or 2) sue the neighbor and ask the court to 
enjoin him from using that device unless it is repaired properly, and 
to award you damages for your aggravation.  Vigilante justice is simply 
not an option, no matter how right you believe your cause to be.

This is law, not technology, so there are all sorts of shades of gray 
to this issue.  The interests at stake in the original attack, the 
nature of the property, liberty or personal safety taken away by the 
counterattack, the risk of being wrong, and the availability and 
effectiveness of other measures are all factors that go into the 
assessment of whether something is morally or legally right.  The RIAA 
bill is at one extreme because copyright is a limited property 
interest, and there is a great risk of wrongful deprivation of use of 
the computer, and of the user's privacy and security.  A strikeback 
that disables a dangerous Internet worm is less extreme.  Clearly this 
is something that the courts will have to sort out.

Way back in 1789, the Declaration of the Rights of Man and of the 
Citizen said that: "No person shall be accused, arrested, or imprisoned 
except in the cases and according to the forms prescribed by law.  Any 
one soliciting, transmitting, executing, or causing to be executed any 
arbitrary order shall be punished."  And also: "As all persons are held 
innocent until they shall have been declared guilty, if arrest shall be 
deemed indispensable, all harshness not essential to the securing of 
the prisoner's person shall be severely repressed by law."

Neither the interests of sysadmins on the Internet, nor the interests 
of companies like Disney, should be allowed to trump these rights.

Automated law enforcement:

Mullen's essay:

Berman legislation:

** *** ***** ******* *********** *************

             Crypto-Gram Reprints

Crypto-Gram is currently in its fifth year of publication.  Back issues 
cover a variety of security-related topics, and can all be found on 
<>.  These are a selection 
of articles that appeared in this calendar month in other years.

National ID Cards:

Judges Punish Bad Security:

Computer Security and Liabilities:

Fun with Vulnerability Scanners:

Voting and Technology:

"Security Is Not a Product; It's a Process"


Echelon Technology:

European Digital Cellular Algorithms:


The Fallacy of Cracking Contests:

How to Recognize Plaintext:

** *** ***** ******* *********** *************

   Comments on the Department of Homeland Security

The promise of the newly formed Department of Homeland Security is to 
improve our nation's security from terrorism.  Unfortunately, the 
results are far more likely to be the opposite.  Centralizing security 
responsibilities has the downside of making our security more brittle, 
by instituting a commonality of approach and a uniformity of 
thinking.  Unless the new department distributes security 
responsibility even as it centralizes coordination, it won't improve 
our nation's security.

Security has two universal truisms relevant to this discussion.  One, 
security decisions need to be made as close to the problem as 
possible.  This has many implications:  protecting potential terrorist 
targets should be done by people who understand the targets; bombing 
decisions should be made by the generals on the ground in the war zone, 
not by Washington; and investigations should be approved by the FBI 
office that's closest to the investigation.  This mode of operation has 
more opportunities for abuse, so competent oversight is vital.  But it 
is also more robust, and is the best way to make security work.

Two, security analysis needs to happen as far away from the sources as 
possible.  Intelligence involves finding relevant information amongst 
enormous reams of irrelevant data, and then organizing all those 
disparate pieces of information into coherent predictions about what 
will happen next.  It requires smart people who can see connections, 
and who have access to information from many disparate government 
agencies.  It can't be the sole purview of anyone, not the FBI, CIA, 
NSA, or the new Department of Homeland Security.  The whole picture is 
larger than any single agency, and each only has access to a small 
slice of it.

The implication of these two truisms is that security will work better 
if it is centrally coordinated but implemented in a distributed 
manner.  We're more secure if every government agency implements its 
own security, within the context of its department, with different 
strengths and weaknesses.  Our security is stronger if multiple 
departments overlap each other.  To this end, it is a good thing that 
the institutions best funded and equipped to defend our nation against 
terrorism aren't part of this new department: the FBI, the CIA, and the 
military's intelligence organizations.

But all these organizations have to communicate with each other, and 
that's the primary value of a Department of Homeland Security.  One 
organization needs to be a single point for coordination and analysis 
of terrorist threats and responses.  One organization needs to see the 
big picture, and make decisions and set policies based on it.

The human body defends itself through overlapping security systems.  It 
has a complex immune system specifically to fight disease, but disease 
fighting is also distributed throughout every organ and every 
cell.  The body has all sorts of security systems, ranging from your 
skin to keep harmful things out of your body, to your liver filtering 
harmful things from your bloodstream, to the defenses in your digestive 
system.  These systems all do their own thing in their own way.  They 
overlap each other, and to a certain extent one can compensate when 
another fails.  It might seem redundant and inefficient, but it's more 
robust, reliable, and secure.  You're alive and reading this because of

The biological metaphor is very apt.  Terrorism is hard to defend 
against because it subverts our institutions and turns our own freedoms 
and capabilities against us.  It invades our society, festers and 
grows, and then attacks.  It's hard to fight, in the same way that 
cancer is hard to fight.  If we are to best defend ourselves against 
terrorism, security needs to be pervasive.  It can't be in just one 
department; it has to be everywhere.  Every federal department needs to 
do its part to secure our nation.  Fighting terrorism requires defense 
in depth.  This means overlapping responsibilities to reduce single 
points of failures, both for the actual defensive measures and for the 
intelligence functions.

Our nation would be less secure if the new Department of Homeland 
Security took over all security responsibility from the other 
departments.  The last thing we want is for the Department of Energy, 
the Department of Commerce, and the Department of State to say: 
"Security; that's the responsibility of the Department of Homeland 
Security."  Security is the responsibility of everyone in 
government.  We won't defeat terrorism by finding a single thing that 
works all the time.  We'll defeat terrorism when every little thing 
works in its own way, and together provides an immune system for our 
society.  The new Department of Homeland Security needs to coordinate 
but not subsume.

** *** ***** ******* *********** *************


Microsoft is saying that it will patch vulnerabilities in older 
versions of its operating systems, even though it may mean breaking 
existing applications in the process.  Security vs. functionality is 
one of the basic tensions of our business.  Even though I've read some 
essays blasting Microsoft for this pronouncement, I think it's 
great.  I think Microsoft should patch everything, no matter how old it 
is.  Then, a user whose application breaks because of the patch can 
make his own choice: security vs. functionality.  I want Microsoft to 
let users make that choice, rather than deciding for everyone.

David Kahn's lecture at the 50th anniversary of the NSA:

"The Peon's Guide to Secure Systems Development."  Good essay on the

Here's a report that claims that the Macintosh OS is the least 
vulnerable to attack, because it has the fewest vulnerabilities.
Microsoft has cried foul, claiming that because Windows is the most 
popular OS it is attacked more, but that doesn't mean it's less secure.
Microsoft does have a point, but it's a subtle one.  And it's not one 
necessarily in the company's favor.  Certainly more exploits are 
written for Windows than for Mac, and hackers tend to target Windows 
more than the Mac.  This doesn't necessarily mean that Windows is 
inherently less secure than Mac; there could be zillions of Macintosh 
vulnerabilities that no one has found yet.  But it does mean that there 
are more published Windows vulnerabilities, and more widely available 
Windows attack tools.  And since most attackers use published 
vulnerabilities and existing attack tools, Windows computers are broken 
into more.  If I were choosing an operating system solely on the basis 
of security, I would never choose Windows.  Regardless of whether or 
not it is inherently more secure, why would I want to use the popular 

Kevin Mitnick's book, "The Art of Deception," is a good read.  The 
missing first chapter, deleted at the last minute by the publisher, is 
on the Internet.  The chapter talks about Mitnick's life as a hacker 
and a fugitive, and his arrest and trial.  It's very interesting


109-bit elliptic curve key cracked.  I've been trying to get complexity 
estimates of this crack. The best I can find is that it took "massive 
amount of computing power including 10,000 computers (mostly PCs) 
running 24 hours a day for 549 days."  Operational systems use 163-bit 
elliptic curve keys (or more), so there's absolutely nothing new to 
worry about because of this result.
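
The square-root scaling that makes this result irrelevant to 163-bit 
keys, worked through as an added example (not from the newsletter).  The 
only figures taken from the article are the 10,000 PCs and 549 days; 
the rest is the textbook estimate that a generic attack (Pollard's rho) 
on a group of order n costs about sqrt(pi*n/2) group operations, so 
every two extra bits of key size double the work.  The extrapolation 
ignores faster hardware and algorithmic tricks, so it is an 
order-of-magnitude figure only:

```python
"""Square-root scaling of generic elliptic-curve discrete-log attacks.

Added example, not code from the newsletter.  The only inputs taken from
the article are the reported effort for the 109-bit crack: roughly
10,000 PCs running for 549 days.  Everything else is the standard
estimate that Pollard's rho on a group of order n needs about
sqrt(pi*n/2) group operations, so each additional two bits of key size
double the cost.  The point is to see why 163-bit keys are unaffected.
"""
import math

# Effort reported in the article for the 109-bit key (round figures; the
# article gives nothing more precise).
REPORTED_BITS = 109
REPORTED_MACHINES = 10_000
REPORTED_DAYS = 549
DAYS_PER_YEAR = 365.25


def rho_operations(bits: int) -> float:
    """Expected group operations for Pollard's rho on a group of order ~2**bits.

    Uses the standard estimate sqrt(pi * n / 2).  For 109 bits this is
    about 2**54.8 operations; for 163 bits about 2**81.8.
    """
    n = 2.0 ** bits
    return math.sqrt(math.pi * n / 2.0)


def work_ratio(target_bits: int, base_bits: int = REPORTED_BITS) -> float:
    """How many times harder a target key size is than the base size.

    Because cost grows as sqrt(n), the ratio is 2**((target - base) / 2);
    the pi/2 constant cancels.  163 vs 109 bits gives 2**27.
    """
    return rho_operations(target_bits) / rho_operations(base_bits)


def extrapolate_years(target_bits: int,
                      machines: int = REPORTED_MACHINES) -> float:
    """Years a cluster of `machines` PCs of the reported class would need.

    Scales the reported 10,000-PC / 549-day effort by the work ratio and
    then spreads it over `machines`.  No allowance is made for faster
    hardware or better algorithms: an order-of-magnitude estimate only.
    """
    machine_years_base = REPORTED_MACHINES * REPORTED_DAYS / DAYS_PER_YEAR
    machine_years_target = machine_years_base * work_ratio(target_bits)
    return machine_years_target / machines


if __name__ == "__main__":
    for bits in (109, 111, 163, 233, 256):
        print(f"{bits:3d}-bit: ~2^{math.log2(rho_operations(bits)):5.1f} ops, "
              f"{work_ratio(bits):.3g}x the 109-bit effort, "
              f"~{extrapolate_years(bits):.3g} years on 10,000 PCs")
```

The useful number is the ratio, not the absolute time: going from 109 to 
163 bits multiplies the generic-attack cost by 2^27, roughly 134 
million, which is why a 15,000 PC-year result says nothing about 
deployed key sizes.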

Seems like HP wireless keyboards don't have any built-in 
authentication. Here's a story about one person's keyboard talking to 
another person's computer, through walls 150 meters away.

NIST and the NSA have published Common Criteria Protection Profiles for 
operating systems, firewalls, intrusion detection systems, tokens and 
public-key infrastructures.

California law now requires businesses and government agencies to 
report cyber-attacks that may have compromised confidential 
information.  There's a large loophole for information that may 
adversely affect an ongoing investigation, so I don't expect much 
change from this.


Computer sabotage stories:

Interesting article about getting the first step of security completely 
wrong: not understanding what problem a security system is supposed to 
solve.  After 9/11, Ashcroft began enforcing a rule that required 
non-U.S. citizens to notify the federal government whenever they 
move.  Change of address cards have been pouring into the government 
office by the hundreds of thousands.  There's no staff to enter the 
address changes into a computer, and they're sitting in boxes in 
storage.  And even if someone did enter the data, so what?  How exactly 
is this going to solve any security problem?  Is a terrorist going to 
send a card in when he moves?  I don't think so.

DMCA Abuse.  Wal-Mart and other retailers are using the DMCA to stop 
consumer Web sites from publishing information about their sale 
prices.  This flagrant abuse of the DMCA is yet more evidence of how 
bad a law it is.

Wal-Mart has backpedaled on this issue, and has decided not to 
prosecute.  Before you cheer, realize that the damage has already been 
done.  The DMCA is much less a law to prosecute people under and much 
more a law to intimidate people by.  The intimidation has already been 

Steganography, and whether or not terrorists are using it:

Further evidence that sysadmins don't install security patches.  This 
is a well-done scientific survey, and a really important result.

Excellent paper on DRM, copyright, and peer-to-peer file 
sharing.  Don't let the fact that this is written by Microsoft people 
fool you; this is good stuff.

Good paper on home network security:


2002 computer security survey:

** *** ***** ******* *********** *************

                Counterpane News

Still can't talk about what I can't talk about.  Sorry.

Interview with Schneier on CNet:

Another article on Schneier:


Interview with Schneier in Portuguese:


** *** ***** ******* *********** *************

    Security Notes from All Over:  Dan Cooper

On 24 November 1971, someone using the alias "Dan Cooper" invented a 
new way to hijack an aircraft, or at least a new way of getting 
away.  He took over a Northwest Orient flight from Portland to Seattle 
by claiming he had a bomb.  On the ground in Seattle, he exchanged the 
passengers and flight attendants for two hundred thousand dollars and 
four parachutes.  Taking off again, he told the pilots to fly at 10,000 
feet toward Nevada.  Then, somewhere over southwest Washington, he 
lowered the plane's back stairs and parachuted away.  He was never 
caught, and the FBI still doesn't know who he is or whether he survived.

This attack was new.  It was thinking outside the box.  The attack 
exploited a vulnerability in the seams of the security system: we spend 
a lot of effort securing entry and exit to aircraft on the ground, but 
don't really think about securing it in the air.  (Also notice the 
cleverness in asking for four parachutes.  The FBI had to assume that 
he would force some of the hostages to jump with him, and could not 
risk giving him dud chutes.)  Cooper "cheated" and got away with it.

He also inspired lots of copycats.  In fact, so many attackers tried 
the same trick that Boeing installed something called a Cooper Vane on 
their planes, preventing the back stairs from opening in flight.

N.B. A police officer erroneously called him "D.B. Cooper" and the name 
stuck, giving rise to both a ballad and a movie.

** *** ***** ******* *********** *************

       Crime: The Internet's Next Big Thing

I think the next big Internet security trend is going to be crime.  Not 
the spray-painting cow-tipping annoyance-causing crime we've been 
seeing over the past few years.  Not the viruses and Trojans and DDoS 
attacks for fun and bragging rights.  Not even the epidemics that sweep 
the Internet in hours and cause millions of dollars of damage.  Real 
crime.  On the Internet.

Crime on the Internet is nothing new.  We've all heard isolated stories 
of competitors breaking into each other's networks, hackers breaking 
into networks and extorting money from dazed sysadmins, and industrial 
espionage, identity theft, credit card-number theft, simple monetary 
theft from banks and other financial institutions, but it's the Nimdas 
and the root-name-server attacks that make the headlines.  And while 
we're worrying about those threats, the criminals are slipping by 
unnoticed.  They're stealing money and things they can sell for 
money.  They're stealing credit card numbers and identity information 
and using it to commit fraud.  They're engaging in industrial 
espionage.  The crimes never change; it's only the tactics that are new.

I predict that people will start noticing.  Companies have a strong 
self-interest not to publicize any real crime against their 
networks.  The bad press from making an attack public is often more 
harmful than the attack itself.  But the times are changing.  Just this 
year, California passed a law -- with large loopholes, unfortunately -- 
requiring companies to make these attacks public.  I predict more of 
these sorts of laws in the future.

Criminals tend to lag behind technology by five to ten years, but 
eventually they figure it out.  Just as Willie Sutton robbed banks 
because "that's where the money is," modern criminals will attack 
computer networks.  Increasingly, value is online instead of in a 
vault; illicitly changing a number in a bank database can be 
significantly more lucrative than walking into a branch office waving a 
gun around.

Real crime is hard to detect.  When your network is being scanned 
dozens of times a day by script kiddies, the one serious criminal can 
sneak in unnoticed.  At Counterpane, we monitor hundreds of networks 
against attack.  Our hardest job, and the thing we spend the most time 
worrying about, is catching the real criminals among the hundreds of 
annoying hackers.  It's the insider trying to change his salary in the 
human resources computer.  It's the robbers trying to manipulate 
account balances on a bank computer.  This is the real crime on the 
net, and when we catch these guys our customers are elated.  More and 
more, this is going to be where companies want their computer security 
dollars to be spent.

** *** ***** ******* *********** *************

             Comments from Readers

From: Anonymous
Subject: Embedded Systems - July 15, 2002 Cryptogram

A draft of this sat in my mail program for several months.  I noticed 
there were no replies with similar comments in later Cryptograms, so 
I'm sending this.

Regarding your comments on embedded systems: I agree that threats like 
bombs and germs (as well as hurricanes and earthquakes) are far more 
likely than hackers, but these systems still have some serious security 

A few comments from personal experience (I coordinate the IT aspects of 
some energy management systems for my employer):

  * These systems are moving away from direct hard-wire connections to 
TCP/IP-based communications, since institutions can take advantage of 
existing network infrastructure rather than spend a lot of money to run 
and maintain dedicated hardwired connections.  While they'll 
(hopefully) use a restricted network for their equipment, chances are 
they'll have a gateway on the open Internet so users (maintenance staff 
as well as contractors) can check on the equipment remotely.

  * Users of these systems are moving away from proprietary systems to 
open protocols like LonMark (aka LonWorks, EcheLon), BACnet, ModBus 
over IP, etc.  Forget about security through obscurity.

  * The people who have designed these protocols know about their 
respective systems (fire alarms, heating/cooling systems, electrical 
metering, etc.) and little about network security, if even about 
computer networks. (I recall one vendor's BACnet system that required 
users setting them up to create their own MAC addresses.) What little 
security they implement may be a simple plaintext username and password.

  * Web-based (Java) interfaces are becoming more 
popular.  Institutions prefer this since systems can be accessed from 
any computer with a web browser, instead of a specific computer with 
specialized software.

  * For the usual reasons, systems which are designed to take advantage 
of Internet Explorer's features are quite popular.  Imagine analyzing a 
problem from a nearby office instead of going down 50 floors to the 
sub-basement of the building, or having a contractor quickly fixing a 
problem from his office rather than making a visit at $100+/hour, and 
you'll understand the appeal.  Of course, this means anybody can get to 
such systems.  A hacker does not even need to know about protocols, 
only the right Web site and password.

  * These systems may use proprietary or lesser-known Web servers, 
which don't have the same degree of testing or evaluation that 
something like Apache or even IIS has.

  * Often these systems have little or no logging facilities to say who 
logged in when (or tried to) and did what.

  * The people who use and maintain these systems on a day-to-day basis 
are not the most computer literate.  Who regularly checks on the 
computers, installs service packs or patches, examines logs, etc.?

  * My experience with some contractors is that they are used to just 
throwing these systems onto whatever network connections they get and 
installing software onto a computer used by the maintenance staff. I 
suspect there are many institutions where the IT department has no idea 
such systems exist on their networks.

  * Likewise, the contractors usually send somebody who is an expert in 
a specific field (HVAC, electronic locks, fire alarms) but knows 
little about setting up or maintaining a Windows NT or Linux box.

  * The maintenance staff often makes the purchasing decisions with no 
input from the IT staff.

  * Queries or complaints to the vendors about security of their 
systems either disappear down the black hole of "we'll have development 
look at it" or result in defensive responses from their sales staff.

  * Throw in the usual sloppiness about users writing down passwords on 
their desks, sharing passwords or using easy-to-guess passwords, 
vendors using one password for all of their clients' systems, default 
passwords left unchanged....

That's the tip of the iceberg.
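
What "no security" means for one of the open protocols the reader names, 
shown as an added example that is not part of the reader's letter and 
not code from any vendor.  It builds and parses Modbus/TCP frames by the 
public Modbus Application Protocol layout (a 7-byte MBAP header of 
transaction id, protocol id 0, length and unit id, then a function code 
and data).  There is no field anywhere for a credential or an integrity 
check, so any host that can reach TCP port 502 on a controller can force 
an output.  The host addresses, the trusted-host list and the captured 
frames are constructed for the example; the triage rule is a constructed 
one, not a product feature:

```python
"""What a Modbus/TCP write looks like on the wire.

Added example; not code from the newsletter, the reader's letter, or any
vendor's product.  Frames follow the public Modbus Application Protocol
spec: a 7-byte MBAP header (transaction id, protocol id 0, length of the
bytes after the length field, unit id) followed by the PDU (function
code + data).  Nothing in the frame identifies or authenticates the
sender.  Host addresses, the trusted list and the sample traffic below
are constructed for the example.
"""
import struct
from dataclasses import dataclass

FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {
    FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
    FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS,
}
MODBUS_PROTOCOL_ID = 0


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    @property
    def is_exception(self) -> bool:
        # Exception responses set the high bit of the function code.
        return bool(self.function & 0x80)


def build_frame(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """MBAP header + PDU.  The length field counts unit id + function + data."""
    pdu = bytes([function]) + data
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_coil(transaction_id: int, unit_id: int, address: int, on: bool) -> bytes:
    """Function 0x05: value 0xFF00 switches the output on, 0x0000 off."""
    return build_frame(transaction_id, unit_id, FC_WRITE_SINGLE_COIL,
                       struct.pack(">HH", address, 0xFF00 if on else 0x0000))


def parse_frame(raw: bytes) -> ModbusFrame:
    """Split one complete TCP payload into its fields.

    The only things the spec lets a receiver check are the protocol id
    and the length; there is no checksum, signature or credential."""
    if len(raw) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"not Modbus: protocol id {pid}")
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} does not match payload")
    return ModbusFrame(tid, uid, raw[7], raw[8:])


def describe_write(frame: ModbusFrame) -> str:
    """Human-readable target of a write request."""
    if frame.function in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        address, value = struct.unpack(">HH", frame.data[:4])
        kind = "coil" if frame.function == FC_WRITE_SINGLE_COIL else "register"
        return f"{kind} {address} <- 0x{value:04X}"
    start, count = struct.unpack(">HH", frame.data[:4])
    return f"{count} points from {start}"


def triage(observations, trusted_hosts):
    """Constructed detection rule: any write from a host that is not one
    of the known engineering workstations is an alert.  With no
    authentication in the protocol, the source address is the only
    handle a monitor has."""
    alerts = []
    for src, raw in observations:
        frame = parse_frame(raw)
        if frame.function in WRITE_FUNCTIONS and src not in trusted_hosts:
            alerts.append((src, frame.unit_id, describe_write(frame)))
    return alerts


# Constructed traffic: a BMS workstation polling coils, then an unknown
# laptop forcing coil 3 on (say, an air handler) with one forged frame.
TRUSTED = {"10.0.5.10"}
SAMPLE_OBSERVATIONS = [
    ("10.0.5.10", build_frame(1, 1, FC_READ_COILS, struct.pack(">HH", 0, 16))),
    ("10.0.5.77", write_single_coil(2, 1, 3, True)),
]

if __name__ == "__main__":
    for src, unit, what in triage(SAMPLE_OBSERVATIONS, TRUSTED):
        print(f"ALERT: {src} wrote {what} on unit {unit}")
```

The forged write is twelve bytes and needs no password, no session and 
no knowledge beyond the controller's address, which is the reader's 
point about obscurity.  The parser works on a single complete TCP 
payload; a real monitor would also have to reassemble the stream and 
cope with several frames per segment.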

From: "Christian Gruber" <[EMAIL PROTECTED]>
Subject: National Strategy to Secure Cyberspace

This is in response to a letter you included in the November 
Cryptogram.  In it, a reader indicated that protecting the commons was 
best achieved by parceling it up, and sectioning it out to private 
ownership, who would "keep it clean" because they had incentive, since 
it was theirs, with the caveat: "The tricky bit is dividing the commons 
up into the proper chunks of property to insure that the greatest 
number of people can still use it at a fair price."

There are three flaws here.

The first is in the assumption that people keep what is theirs clean 
and accessible at all.  I almost never weed my lawn.  My wife gets 
allergy attacks when I use pesticides, and I'm not outdoorsy enough to 
take care of it myself.  Because it's mine, I don't tend to take out 
the dandelions.  I only do so when I am pressured by subtle and/or 
angry hints from my neighbours.  Frankly, that's external pressure, 
unrelated to property ownership.  That's them defending the commons of 
the beauty of the neighbourhood, combined with the commons of the 
airspace we share through which dandelion seeds fly.  My "private" 
owned lot itself provides no incentive pressure to keep clean, nor do I 
have incentive to allow others onto it -- especially when they are just 
going to complain about my weeds.  So indeed, parceling up "commons" 
seems to have no advantage to the common folk, but has great benefit to 
me, since I get to own property with which I can do what I please (more 
or less).

Second, the statement "laws don't work" is patently ridiculous.  If 
laws don't work, then I invite the reader to take tea with me the day 
after I brutally kill his dog.  Since he will establish that I "damaged 
his property" and bring those same pesky community enforcement arms 
(popo's, for you ghetto kids) to arrest me on that basis.  You see, if 
he is enforcing property rights under the law, he is saying laws 
work.  Just not the laws FOR the commons.

Thirdly, he's comparing the best of private ownership and minimalist 
governance against the worst of public trust governance.  "Private 
owners are good, honest people, who will keep their own streets clean" 
but "Pork-barrel politicians are just waiting for that bribe to ignore 
environmental laws, whilst feeding at the public trough in the first 
place."  The inverse picture is made by opponents of privatization, 
etc. "Those nasty megacorporations are polluting the earth" and "We 
need our big daddy the government to legislate moral behavior into 
corporations."  Both are extreme comparisons of the worst of each side 
against the best, depending on which the speaker prefers.  The truth is 
more moderate.

The point is I smell bias here.  Laws work for our friend.  What 
doesn't work for the dear reader are laws that don't support an agenda 
of private ownership taking priority over public ownership.  That's a 
fine position to take, and I am somewhat sympathetic to laws that 
enforce property rights.  His presentation, however, tries to pass off 
a partisan bit of rhetoric as sensible argument, when it is in fact 
self-contradictory, and (albeit anecdotally) demonstrably false.

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.  Back 
issues are available on <>.

To subscribe, visit <> or 
send a blank message to [EMAIL PROTECTED]  To 
unsubscribe, visit <>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who 
will find it valuable.  Permission is granted to reprint CRYPTO-GRAM, 
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO 
of Counterpane Internet Security Inc., the author of "Secrets and Lies" 
and "Applied Cryptography," and an inventor of the Blowfish, Twofish, 
and Yarrow algorithms.  He is a member of the Advisory Board of the 
Electronic Privacy Information Center (EPIC).  He is a frequent writer 
and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed 
Security Monitoring.  Counterpane's expert security analysts protect 
networks for Fortune 1000 companies world-wide.


Copyright (c) 2002 by Counterpane Internet Security, Inc.
