CRYPTO-GRAM
December 15, 2002
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
[EMAIL PROTECTED]
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at
<http://www.counterpane.com/crypto-gram.html>. To subscribe, visit
<http://www.counterpane.com/crypto-gram.html> or send a blank message
to [EMAIL PROTECTED]
Copyright (c) 2002 by Counterpane Internet Security, Inc.
** *** ***** ******* *********** *************
In this issue:
Counterattack
Crypto-Gram Reprints
Comments on the Department of Homeland Security
News
Counterpane News
Security Notes from All Over: Dan Cooper
Crime: The Internet's Next Big Thing
Comments from Readers
** *** ***** ******* *********** *************
Counterattack
This must be an idea whose time has come, because I'm seeing it talked
about everywhere. The entertainment industry floated a bill that would
give it the ability to break into other people's computers if they are
suspected of copyright violation. Several articles have been written
on the notion of automated law enforcement, where both governments and
private companies use computers to automatically find and target
suspected criminals. And finally, Tim Mullen and other security
researchers start talking about "strike back," where the victim of a
computer assault automatically attacks back at the perpetrator.
The common theme here is vigilantism: citizens and companies taking the
law into their own hands and going after their assailants. Viscerally,
it's an appealing idea. But it's a horrible one, and one that society
after society has eschewed.
Our society does not give us the right of revenge, and wouldn't work
very well if it did. Our laws give us the right to justice, in either
the criminal or civil context. Justice is all we can expect if we want
to enjoy our constitutional freedoms, personal safety, and an orderly
society.
Anyone accused of a crime deserves a fair trial. He deserves the right
to defend himself, the right to face his accused, the right to an
attorney, and the right to be held innocent until proven guilty.
Vigilantism flies in the face of these rights. It punishes people
before they have been found guilty. Angry mobs lynching someone
suspected of murder is wrong, even if that person is actually
guilty. The MPAA disabling someone's computer because he's suspected
of copying a movie is wrong, even if the movie was copied. Revenge is
a basic human emotion, but revenge only becomes justice if carried out
by the State.
And the State has more motivation to be fair. The RIAA sent a
cease-and-desist letter to an ISP asking them to remove certain files
that were the copyrighted works of George Harrison. One of the files:
"Portrait of mrs. harrison Williams 1943.jpg." The RIAA simply Googled
for the string "harrison" and went after everyone who turned
up. Vigilantism is wrong because the vigilante could be wrong. The
goal of a State legal system is justice; the goal of the RIAA was
expediency.
Systems of strike back are much the same. The idea is that if a
computer is attacking you -- sending you viruses, acting as a DDoS
zombie, etc. -- you might be able to forcibly shut that computer down
or remotely install a patch. Again, a nice idea in theory but one
that's legally and morally wrong.
Imagine you're a homeowner, and your neighbor has some kind of device
on the outside of his house that makes noise. A lot of noise. All day
and all night. Enough noise that any reasonable person would claim it
to be a public nuisance. Even so, it is not legal for you to take
matters into your own hand and stop the noise.
Destroying property is not a recognized remedy for stopping a nuisance,
even if it is causing you real harm. Your remedies are to: 1) call the
police and ask them to turn it off, break it, or insist that the
neighbor turn it off; or 2) sue the neighbor and ask the court to
enjoin him from using that device unless it is repaired properly, and
to award you damages for your aggravation. Vigilante justice is simply
not an option, no matter how right you believe your cause to be.
This is law, not technology, so there are all sorts of shades of gray
to this issue. The interests at stake in the original attack, the
nature of the property, liberty or personal safety taken away by the
counterattack, the risk of being wrong, and the availability and
effectiveness of other measures are all factors that go into the
assessment of whether something is morally or legally right. The RIAA
bill is at one extreme because copyright is a limited property
interest, and there is a great risk of wrongful deprivation of use of
the computer, and of the user's privacy and security. A strikeback
that disables a dangerous Internet worm is less extreme. Clearly this
is something that the courts will have to sort out.
Way back in 1789, the Declaration of the Rights of Man and of the
Citizen said that: "No person shall be accused, arrested, or imprisoned
except in the cases and according to the forms prescribed by law. Any
one soliciting, transmitting, executing, or causing to be executed any
arbitrary order shall be punished." And also: "As all persons are held
innocent until they shall have been declared guilty, if arrest shall be
deemed indispensable, all harshness not essential to the securing of
the prisoner s person shall be severely repressed by law."
Neither the interests of sysadmins on the Internet, nor the interests
of companies like Disney, should be allowed to trump these rights.
Automated law enforcement:
<http://www.foxnews.com/story/0,2933,64688,00.html>
Mullen's essay:
<http://www.hammerofgod.com/strikeback.txt>
Berman legislation:
<http://www.counterpane.com/crypto-gram-0208.html#5>
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Crypto-Gram is currently in its fifth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.counterpane.com/crypto-gram.html>. These are a selection
of articles that appeared in this calendar month in other years.
National ID Cards:
<http://www.counterpane.com/crypto-gram-0112.html#1>
Judges Punish Bad Security:
<http://www.counterpane.com/crypto-gram-0112.html#2>
Computer Security and Liabilities:
<http://www.counterpane.com/crypto-gram-0112.html#4>
Fun with Vulnerability Scanners:
<http://www.counterpane.com/crypto-gram-0112.html#9>
Voting and Technology:
<http://www.counterpane.com/crypto-gram-0012.html#1>
"Security Is Not a Product; It's a Process"
<http://www.counterpane.com/crypto-gram-9912.html#SecurityIsNotaProductI
tsaProcess>
Echelon Technology:
<http://www.counterpane.com/crypto-gram-9912.html#ECHELONTechnology>
European Digital Cellular Algorithms:
<http://www.counterpane.com/crypto-gram-9912.html#EuropeanCellularEncryp
tionAlgorithms>
The Fallacy of Cracking Contests:
<http://www.counterpane.com/crypto-gram-9812.html#contests>
How to Recognize Plaintext:
<http://www.counterpane.com/crypto-gram-9812.html#plaintext>
** *** ***** ******* *********** *************
Comments on the Department of Homeland Security
The promise of the newly formed Department of Homeland Security is to
improve our nation's security from terrorism. Unfortunately, the
results are far more likely to be the opposite. Centralizing security
responsibilities has the downside of making our security more brittle,
by instituting a commonality of approach and a uniformity of
thinking. Unless the new department distributes security
responsibility even as it centralizes coordination, it won't improve
our nation's security. Security has two universal truisms relevant to
this discussion. One, security decisions need to be made as close to
the problem as possible. This has many implications: protecting
potential terrorist targets should be done by people who understand the
targets; bombing decisions should be made by the generals on the ground
in the war zone, not by Washington; and investigations should be
approved by the FBI office that's closest to the investigation. This
mode of operation has more opportunitie
s for abuse, so competent oversight is vital. But it is also more
robust, and is the best way to make security work.
Two, security analysis needs to happen as far away from the sources as
possible. Intelligence involves finding relevant information amongst
enormous reams of irrelevant data, and then organizing all those
disparate pieces of information into coherent predictions about what
will happen next. It requires smart people who can see connections,
and who have access to information from many disparate government
agencies. It can't be the sole purview of anyone, not the FBI, CIA,
NSA, or the new Department of Homeland Security. The whole picture is
larger than any single agency, and each only has access to a small
slice of it.
The implication of these two truisms is that security will work better
if it is centrally coordinated but implemented in a distributed
manner. We're more secure if every government agency implements its
own security, within the context of its department, with different
strengths and weaknesses. Our security is stronger if multiple
departments overlap each other. To this end, it is a good thing that
the institutions best funded and equipped to defend our nation against
terrorism aren't part of this new department: the FBI, the CIA, and the
military's intelligence organizations.
But all these organizations have to communicate with each other, and
that's the primary value of a Department of Homeland Security. One
organization needs to be a single point for coordination and analysis
of terrorist threats and responses. One organization needs to see the
big picture, and make decisions and set policies based on it.
The human body defends itself through overlapping security systems. It
has a complex immune system specifically to fight disease, but disease
fighting is also distributed throughout every organ and every
cell. The body has all sorts of security systems, ranging from your
skin to keep harmful things out of your body, to your liver filtering
harmful things from your bloodstream, to the defenses in your digestive
system. These systems all do their own thing in their own way. They
overlap each other, and to a certain extent one can compensate when
another fails. It might seem redundant and inefficient, but it's more
robust, reliable, and secure. You're alive and reading this because of
it.
The biological metaphor is very apt. Terrorism is hard to defend
against because it subverts our institutions and turns our own freedoms
and capabilities against us. It invades our society, festers and
grows, and then attacks. It's hard to fight, in the same way that
cancer is hard to fight. If we are to best defend ourselves against
terrorism, security needs to be pervasive. It can't be in just one
department; it has to be everywhere. Every federal department needs to
do its part to secure our nation. Fighting terrorism requires defense
in depth. This means overlapping responsibilities to reduce single
points of failures, both for the actual defensive measures and for the
intelligence functions.
Our nation would be less secure if the new Department of Homeland
Security took over all security responsibility from the other
departments. The last thing we want is for the Department of Energy,
the Department of Commerce, and the Department of State to say:
"Security; that's the responsibility of the Department of Homeland
Security." Security is the responsibility of everyone in
government. We won't defeat terrorism by finding a single thing that
works all the time. We'll defeat terrorism when every little thing
works in its own way, and together provides an immune system for our
society. The new Department of Homeland Security needs to coordinate
but not subsume.
** *** ***** ******* *********** *************
News
Microsoft is saying that it will patch vulnerabilities in older
versions of its operating systems, even though it may mean breaking
existing applications in the process. Security vs. functionality is
one of the basic tensions of our business. Even though I've read some
essays blasting Microsoft for this pronouncement, I think it's
great. I think Microsoft should patch everything, no matter how old it
is. Then, a user whose application breaks because of the patch can
make his own choice: security vs. functionality. I want Microsoft to
let users make that choice, rather than deciding for everyone.
<http://www.wired.com/news/technology/0,1282,56381,00.html>
David Kahn's lecture at the 50th anniversary of the NSA:
<http://www.fas.org/irp/eprint/kahn.html>
"The Peon's Guide to Secure Systems Development." Good essay on the
topic.
<http://m.bacarella.com/papers/secsoft/html/>
Here's a report that claims that the Macintosh OS is the least
vulnerable to attack, because they have the fewest vulnerabilities.
<http://www.mi2g.com/cgi/mi2g/reports/int_briefings/061102.pdf>
Microsoft has cried foul, claiming that because Windows is the most
popular OS it is attacked more, but that doesn't mean it's less secure.
<http://www.nwfusion.com/news/2002/1107msfoul.html>
Microsoft does have a point, but it's a subtle one. And it's not one
necessarily in the company's favor. Certainly more exploits are
written for Windows than for Mac, and hackers tend to target Windows
more than the Mac. This doesn't necessarily mean that Windows is
inherently less secure than Mac; there could be zillions of Macintosh
vulnerabilities that no one has found yet. But it does mean that there
are more published Windows vulnerabilities, and more widely available
Windows attack tools. And since most attackers use published
vulnerabilities and existing attack tools, Windows computers are broken
into more. If I were choosing an operating system solely on the basis
of security, I would never choose Windows. Regardless of whether or
not it is inherently more secure, why would I want to use the popular
target?
Kevin Mitnick's book, "The Art of Deception," is a good read. The
missing first chapter, deleted at the last minute by the publisher, is
on the Internet. The chapter talks about Mitnick's life as a hacker
and a fugitive, and his arrest and trial. It's very interesting
reading.
<http://www.wired.com/news/culture/0,1284,56187,00.html>
<http://littlegreenguy.fateback.com/chapter1/Chapter%201%20-%20Banned%20
Edition.doc>
109-bit elliptic curve key cracked. I've been trying to get complexity
estimates of this crack. The best I can find is that it took "massive
amount of computing power including 10,000 computers (mostly PCs)
running 24 hours a day for 549 days." Operational systems use 163-bit
elliptic curve keys (or more), so there's absolutely nothing new to
worry about because of this result.
<http://www.certicom.com/about/pr/02/021106_ecc_winner.html>
Seems like HP wireless keyboards don't have any built-in
authentication. Here's a story about one person's keyboard talking to
another person's computer, through walls 150 meters away.
<http://www.aftenposten.no/english/local/article.jhtml?articleID=427668>
NIST and the NSA have published Common Criteria Protection Profiles for
operating systems, firewalls, intrusion detection systems, tokens and
public-key infrastructures.
<http://www.gcn.com/vol1_no1/daily-updates/20373-1.html>
California law now requires businesses and government agencies to
report cyber-attacks that may have compromised confidential
information. There's a large loophole for information that may
adversely affect an ongoing investigation, so I don't expect much
change from this.
<http://www.businessweek.com/technology/content/nov2002/tc20021111_2402.
htm>
Computer sabotage stories:
<http://www.techtv.com/cybercrime/viceonline/story/0,23008,3386967,00.ht
ml>
Interesting article about getting the first step of security completely
wrong: not understanding what problem a security system is supposed to
solve. After 9/11, Ashcroft began enforcing a rule that required
non-U.S. citizens to notify the federal government whenever they
move. Change of address cards have been pouring into the government
office by the hundreds of thousands. There's no staff to enter the
address changes into a computer, and they're sitting in boxes in
storage. And even if someone did enter the data, so what? How exactly
is this going to solve any security problem? Is a terrorist going to
send a card in when he moves? I don't think so.
<http://www.ilw.com/lawyers/colum_article/articles/2002,1023-latour.shtm
>
DMCA Abuse. Wal-Mart and other retailers are using the DMCA to stop
consumer Web sites from publishing information about their sale
prices. This flagrant abuse of the DMCA is yet more evidence of how
bad a law it is.
<http://www.nytimes.com/2002/11/21/technology/21COPY.html>
<http://www.theregister.co.uk/content/6/28223.html>
<http://www.wired.com/news/business/0,1367,56504,00.html>
<http://www.fatwallet.com/forums/messageview.cfm?catid=18&threadid=12604
2>
Wal-Mart has backpedaled on this issue, and has decided not to
prosecute. Before you cheer, realize that the damage has already been
done. The DMCA is much less a law to prosecute people under and much
more a law to intimidate people by. The intimidation has already been
done.
<http://news.com.com/2100-1023-976296.html>
Steganography, and whether or not terrorists are using it:
<http://elonka.com/steganography/>
Further evidence that sysadmins don't install security patches. This
is a well-done scientific survey, and a really important result.
<http://www.newscientist.com/news/news.jsp?id=ns99993090>
<http://www.rtfm.com/upgrade.html>
Excellent paper on DRM, copyright, and peer-to-peer file
sharing. Don't let the fact that this is written by Microsoft people
fool you; this is good stuff.
<http://crypto.stanford.edu/DRM2002/darknet5.doc>
Good paper on home network security:
<http://intel.com/technology/itj/2002/volume06issue04/art04_security/p01
_abstract.htm>
2002 computer security survey:
<www.scmagazine.com/artframe_art_cs.html>
** *** ***** ******* *********** *************
Counterpane News
Still can't talk about what I can't talk about. Sorry.
Interview with Schneier on CNet:
<http://news.com.com/1200-1120-975429.html>
Another article on Schneier:
<http://www.zdnet.com.au/newstech/communications/story/0,2000024993,2026
9969,00.htm>
Interview with Schneier in Portugese:
<http://www.modulo.com.br/index.jsp?page=3&catid=6&objid=34&pagenumber=0
&idiom=0>
** *** ***** ******* *********** *************
Security Notes from All Over: Dan Cooper
On 24 November 1971, someone using the alias "Dan Cooper" invented a
new way to hijack an aircraft, or at least a new way of getting
away. He took over a Northwest Orient flight from Portland to Seattle
by claiming he had a bomb. On the ground in Seattle, he exchanged the
passengers and flight attendants for two hundred thousand dollars and
four parachutes. Taking off again, he told the pilots to fly at 10,000
feet toward Nevada. Then, somewhere over southwest Washington, he
lowered the plane's back stairs and parachuted away. He was never
caught, and the FBI still doesn't know who he is or whether he survived.
This attack was new. It was thinking outside the box. The attack
exploited a vulnerability in the seams of the security system: we spend
a lot of effort securing entry and exit to aircraft on the ground, but
don't really think about securing it in the air. (Also notice the
cleverness in asking for four parachutes. The FBI had to assume that
he would force some of the hostages to jump with him, and could not
risk giving him dud chutes.) Cooper "cheated" and got away with it.
He also inspired lots of copycats. In fact, so many attackers tried
the same trick that Boeing installed something called a Cooper Vane on
their planes, preventing the back stairs from opening in flight.
N.B. A police officer erroneously called him "D.B. Cooper" and the name
stuck, giving rise to both a ballad and a movie.
** *** ***** ******* *********** *************
Crime: The Internet's Next Big Thing
I think the next big Internet security trend is going to be crime. Not
the spray-painting cow-tipping annoyance-causing crime we've been
seeing over the past few years. Not the viruses and Trojans and DDoS
attacks for fun and bragging rights. Not even the epidemics that sweep
the Internet in hours and cause millions of dollars of damage. Real
crime. On the Internet.
Crime on the Internet is nothing new. We've all heard isolated stories
of competitors breaking into each others networks, hackers breaking
into networks and extorting money from dazed sysadmins, and industrial
espionage, identity theft, credit card-number theft, simple monetary
theft from banks and other financial institutions, but it's the Nimdas
and the root-name-server attacks that make the headlines. And while
we're worrying about those threats, the criminals are slipping by
unnoticed. They're stealing money and things they can sell for
money. They're stealing credit card numbers and identity information
and using it to commit fraud. They're engaging in industrial
espionage. The crimes never change; it's only the tactics that are new.
I predict that people will start noticing. Companies have a strong
self-interest not to publicize any real crime against their
networks. The bad press from making an attack public is often more
harmful than the attack itself. But the times are changing. Just this
year, California passed a law -- with large loopholes, unfortunately --
requiring companies to make these attacks public. I predict more of
these sorts of laws in the future.
Criminals tend to lag behind technology by five to ten years, but
eventually they figure it out. Just as Willie Sutton robbed banks
because "that's where the money is," modern criminals will attack
computer networks. Increasingly, value is online instead of in a
vault; illicitly changing a number in a bank database can be
significantly more lucrative than walking into a branch office waving a
gun around.
Real crime is hard to detect. When your network is being scanned
dozens of times a day by script kiddies, the one serious criminal can
sneak in unnoticed. At Counterpane, we monitor hundreds of networks
against attack. Our hardest job, and the thing we spend the most time
worrying about, is catching the real criminals among the hundreds of
annoying hackers. It's the insider trying to change his salary in the
human resources computer. It's the robbers trying to manipulate
account balances on a bank computer. This is the real crime on the
net, and when we catch these guys our customers are elated. More and
more, this is going to be where companies want their computer security
dollars to be spent.
** *** ***** ******* *********** *************
Comments from Readers
From: Anomymous
Subject: Embedded Systems - July 15, 2002 Cryptogram
A draft of this sat in my mail program for several months. I noticed
there were no replies with similar comments in later Cryptograms, so
I'm sending this.
Regarding your comments on embedded systems: I agree that threats like
bombs and germs (as well as hurricanes and earthquakes) are far more
likely than hackers, but these systems still have some serious security
issues.
A few comments from personal experience (I coordinate the IT aspects of
some energy management systems for my employer):
* These systems are moving away from direct hard-wire connections to
TCP/IP-based communications, since institutions can take advantage of
existing network infrastructure rather than spend a lot of money to run
and maintain dedicated hardwired connections. While they'll
(hopefully) use a restricted network for their equipment, chances are
they'll have a gateway on the open Internet so users (maintenance staff
as well as contractors) can check on the equipment remotely.
* Users of these systems are moving away from proprietary systems to
open protocols like LonMark (aka LonWorks, EcheLon), BACnet, ModBus
over IP, etc. Forget about security through obscurity.
* The people who have designed these protocols know about their
respective systems (fire alarms, heating/cooling systems, electrical
metering, etc.) and little about network security, if even about
computer networks. (I recall one vendor's BACnet system that required
users setting them up to create their own MAC addresses.) What little
security they implement may be a simple plaintext username and password.
* Web-based (Java) interfaces are becoming more
popular. Institutions prefer this since systems can be accessed from
any computer with a web browser, instead of a specific computer with
specialized software.
* For the usual reasons, systems which are designed to take advantage
of Internet Explorer's features are quite popular. Imagine analyzing a
problem from a nearby office instead of going down 50 floors to the
sub-basement of the building, or having a contractor quickly fixing a
problem from his office rather than making a visit at $100+/hour, and
you'll understand the appeal. Of course, this means anybody can get to
such systems. A hacker does not even need to know about protocols,
only the right Web site and password.
* These systems may use proprietary or lesser-known Web servers,
which don't have the same degree of testing or evaluation that
something like Apache or even IIS has.
* Often these systems have little or no logging facilities to say who
logged in when (or tried to) and did what.
* The people who use and maintain these systems on a day-to-day basis
are not the most computer literate. Who regularly checks on the
computers, installs service packs or patches, examines logs, etc.?
* My experience with some contractors is that they are used to just
throwing these systems onto whatever network connections they get and
installing software onto a computer used by the maintenance staff. I
suspect there are many institutions where the IT department has no idea
such systems exist on their networks.
* Likewise, the contractors usually send somebody who is an expert in
the a specific field (HVAC, electronic locks, fire alarms) but knows
little about setting up or maintaining a Windows NT or Linux box.
* The maintenance staff often makes the purchasing decisions with no
input from the IT staff.
* Queries or complaints to the vendors about security of their
systems either disappear down the black hole of "we'll have development
look at it" or result in defensive responses from their sales staff.
* Throw in the usual sloppiness about users writing down passwords on
their desks, sharing passwords or using easy-to-guess passwords,
vendors using one password for all of their clients' systems, default
passwords left unchanged....
That's the tip of the iceberg.
From: "Christian Gruber" <[EMAIL PROTECTED]>
Subject: National Strategy to Secure Cyberspace
This is in response to a letter you included in the November
Cryptogram. In it, a reader indicated that protecting the commons was
best achieved by parceling it up, and sectioning it out to private
ownership, who would "keep it clean" because they had incentive, since
it was theirs, with the caveat: "The tricky bit is dividing the commons
up into the proper chunks of property to insure that the greatest
number of people can still use it at a fair price."
There are three flaws here.
The first is in the assumption that people keep what is theirs clean
and accessible at all. I almost never weed my lawn. My wife gets
allergy attacks when I use pesticides, and I'm not outdoorsy enough to
take care of it myself. Because it's mine, I don't tend to take out
the dandelions. I only do so when I am pressured by subtle and/or
angry hints from my neighbours. Frankly, that's external pressure,
unrelated to property ownership. That's them defending the commons of
the beauty of the neighbourhood, combined with the commons of the
airspace we share through which dandelion seeds fly. My "private"
owned lot itself provides no incentive pressure to keep clean, nor do I
have incentive to allow others onto it -- especially when they are just
going to complain about my weeds. So indeed, parceling up "commons"
seems to have no advantage to the common folk, but has great benefit to
me, since I get to own property with which I can do what I please (more
or less).
Second, the statement "laws don't work" is patently ridiculous. If
laws don't work, then I invite the reader to take tea with me the day
after I brutally kill his dog. Since he will establish that I "damaged
his property" and bring those same pesky community enforcement arms
(popo's, for you ghetto kids) to arrest me on that basis. You see, if
he is enforcing property rights under the law, he is saying laws
work. Just not the laws FOR the commons.
Thirdly, he's comparing the best of private ownership and minimalist
governance against the worst of public trust governance. "Private
owners are good, honest people, who will keep their own streets clean"
but "Pork-barrel politicians are just waiting for that bribe to ignore
environmental laws, whilst feeding at the public trough in the first
place." The inverse picture is made by opponents of privatization,
etc. "Those nasty megacorporations are polluting the earth" and "We
need our big daddy the government to legislate moral behavior into
corporations." Both are extreme comparisons of the worst of each side
against the best, depending on which the speaker prefers. The truth is
more moderate.
The point is I smell bias here. Laws work for our friend. What
doesn't work for the dear reader are laws that don't support an agenda
of private ownership taking priority over public ownership. That's a
fine position to take, and I am somewhat sympathetic to laws that
enforce property rights. His presentation, however, tries to pass off
a partisan bit of rhetoric as sensible argument, when it is in fact
self-contradictory, and (albeit anecdotally) demonstrably false.
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography. Back
issues are available on <http://www.counterpane.com/crypto-gram.html>.
To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or
send a blank message to [EMAIL PROTECTED] To
unsubscribe, visit <http://www.counterpane.com/unsubform.html>.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO
of Counterpane Internet Security Inc., the author of "Secrets and Lies"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
and Yarrow algorithms. He is a member of the Advisory Board of the
Electronic Privacy Information Center (EPIC). He is a frequent writer
and lecturer on computer security and cryptography.
Counterpane Internet Security, Inc. is the world leader in Managed
Security Monitoring. Counterpane's expert security analysts protect
networks for Fortune 1000 companies world-wide.
<http://www.counterpane.com/>
Copyright (c) 2002 by Counterpane Internet Security, Inc.
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
