Schneier on Security

A blog covering security and security technology.

What Is the Comprehensive National Cybersecurity Inititative?

The Department of Homeland Security has a new $200 million Comprehensive National Cybersecurity Inititative (CNCI). Congress is happy to fund it, but kind of wants to know what it's going to do.

I have to admit, I'm kind of curious myself.

Posted on May 13, 2008 at 12:54 PM • 18 Comments • View Blog Reactions

Interesting Microsoft Patent Application

Guardian Angel:

An intelligent personalized agent monitors, regulates, and advises a user in decision-making processes for efficiency or safety concerns. The agent monitors an environment and present characteristics of a user and analyzes such information in view of stored preferences specific to one of multiple profiles of the user. Based on the analysis, the agent can suggest or automatically implement a solution to a given issue or problem. In addition, the agent can identify another potential issue that requires attention and suggests or implements action accordingly. Furthermore, the agent can communicate with other users or devices by providing and acquiring information to assist in future decisions. All aspects of environment observation, decision assistance, and external communication can be flexibly limited or allowed as desired by the user.

Note that Bill Gates and Ray Ozzie are co-inventers.

Posted on May 13, 2008 at 07:05 AM • 37 Comments • View Blog Reactions

Terrorism as a Tax

Definitely a good way to look at it:

Fear, in other words, is a tax, and al-Qaeda and its ilk have done better at extracting it from Americans than the Internal Revenue Service. Think about the extra half-hour millions of airline passengers waste standing in security lines; the annual cost in lost work hours runs into the billions. Add to that the freight delays at borders, ports and airports, the cost of checking money transfers as well as goods in transit, the wages for beefed-up security forces around the world. And that doesn't even attempt to put a price tag on the compression of civil liberties or the loss of human dignity from being groped in full public view by Transportation Security Administration personnel at the airport or from having to walk barefoot through the metal detector, holding up your beltless pants. This global transaction tax represents the most significant victory of Terror International to date.

The new fear tax falls most heavily on the United States. Last November, the Commerce Department reported a 17 percent decline in overseas travel to the United States between Sept. 11, 2001, and 2006. (There are no firm figures for 2007 yet, but there seems to have been an uptick.) That slump has cost the country $94 billion in lost tourist spending, nearly 200,000 jobs and $16 billion in forgone tax revenue -- and all while the dollar has kept dropping.

Why? The journal Tourism Economics gives the predictable answer: "The perception that U.S. visa and entry policies do not welcome international visitors is the largest factor in the decline of overseas travelers." Two-thirds of survey respondents worried about being detained for hours because of a misstatement to immigration officials. And here is the ultimate irony: "More respondents were worried about U.S. immigration officials (70 percent) than about crime or terrorism (54 percent) when considering a trip to the country."

In Beyond Fear I wrote:

Security is a tax on the honest.

If it weren’t for attackers, our lives would be a whole lot easier. In a world where everyone was completely honorable and law-abiding all of the time, everything we bought and did would be cheaper. We wouldn’t have to pay for door locks, police departments, or militaries. There would be no security countermeasures, because people would never consider going where they were not allowed to go or doing what they were not allowed to do. Fraud would not be a problem, because no one would commit fraud. Nor would anyone commit burglary, murder, or terrorism. We wouldn’t have to modify our behavior based on security risks, because there would be none.

But that’s not the world we live in. Security permeates everything we do and supports our society in innumerable ways. It’s there when we wake up in the morning, when we eat our meals, when we’re at work, and when we’re with our families. It’s embedded in our wallets and the global financial network, in the doors of our homes and the border crossings of our countries, in our conversations and the publications we read. We constantly make security trade-offs, whether we’re conscious of them or not: large and small, personal and social. Many more security trade-offs are imposed on us from outside: by governments, by the marketplace, by technology, and by social norms. Security is a part of our world, just as it is part of the world of every other living thing. It has always been a part, and it always will be.

Posted on May 12, 2008 at 06:29 AM • 75 Comments • View Blog Reactions

Friday Squid Blogging: Squid Fishing Lures

In a variety of colors.

EDITED TO ADD (4/10): Link fixed.

Posted on May 09, 2008 at 04:04 PM • 11 Comments • View Blog Reactions

Schneier Talks

Last month I gave a talk at InfoSecurity Europe in London. The title was "Reconceptualizing Security," or maybe "The Theater of Security," and it is a follow-on to my work on the psychology of security. I haven't yet written this work up, but you can listen to or watch my talk.

Posted on May 09, 2008 at 01:34 PM • 11 Comments • View Blog Reactions

Making Security Cuddly

I don't know what I think of Sweet Dreams Security.

Posted on May 09, 2008 at 11:57 AM • 23 Comments • View Blog Reactions

Cell Phone Spying

A handy guide:

A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing.

Once connected, the service shows you the exact location of the phone by the minute, conveniently pinpointed on a Google Map. So far, the service is only available in the UK, but the company has indicated plans to expand its service to other countries soon.

[...]

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device. And the scariest part? They run virtually undetectable to the average eye.

Take, for example, Flexispy. The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot. Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on. The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Posted on May 09, 2008 at 06:27 AM • 32 Comments • View Blog Reactions

History of the U.S. Surveillance Debate

Excellent article, chronicling the surveillance debate from the mid 1980s until today. Don't expect good coverage of the current debate, however: the legality of the NSA's recent domestic eavesdropping program, and the legality of the assistance provided by the telcos.

Posted on May 08, 2008 at 01:05 PM • 10 Comments • View Blog Reactions

Tourists, Not Terrorists

Remember the two men who were exhibiting "unusual behavior" on a Washington-state ferry last summer?

The agency's Seattle field office, along with the Washington Joint Analytical Center, was still seeking the men's identities and whereabouts Wednesday as ferry service was temporarily shutdown when a suspicious package was found in a ferry bathroom and taken away by authorities.

"We had various independent reports from passengers and ferry employees that these two guys were engaging in what they described as unusual activities on the ferries," Special Agent Robbie Burroughs, a spokeswoman for the FBI in Washington state, told FOXNews.com.

"They felt that these guys were showing an undue interest in the boat itself, in the layout, the workers and the terminal, and it caused them enough concern that they contacted law enforcement about it," she told FOXNews.com.

The two were photographed by a ferry employee about a month ago, and those photographs were distributed to ferry employees three weeks ago by local law enforcement.

Turns out they were tourists, not terrorists:

Turns out the men, both citizens of a European Union nation, were captivated by the car-carrying capacity of local ferries.

"Where these gentlemen live, they don't have vehicle ferries. They were fascinated that a ferry could hold that many cars and wanted to show folks back home," FBI Special Agent Robbie Burroughs said Monday.

[...]

Two weeks ago, the men appeared at a U.S. Embassy and identified themselves as the men in the photo released to the media in August, a couple of weeks after they took a ferry from Seattle to Vashon Island during a business trip, Burroughs said.

They came forward because they worried they'd be arrested if they traveled to the U.S. and so provided proof of their identities, employment and the reason for their July trip to Seattle, according to the FBI.

Posted on May 08, 2008 at 07:32 AM • 52 Comments • View Blog Reactions

Third Annual Movie-Plot Threat Contest Semi-Finalists

A month ago I announced the Third Annual Movie-Plot Threat Contest:

For this contest, the goal is to create fear. Not just any fear, but a fear that you can alleviate through the sale of your new product idea. There are lots of risks out there, some of them serious, some of them so unlikely that we shouldn't worry about them, and some of them completely made up. And there are lots of products out there that provide security against those risks.

Your job is to invent one. First, find a risk or create one. It can be a terrorism risk, a criminal risk, a natural-disaster risk, a common household risk -- whatever. The weirder the better. Then, create a product that everyone simply has to buy to protect him- or herself from that risk. And finally, write a catalog ad for that product.

[...]

Entries are limited to 150 words ... because fear doesn't require a whole lot of explaining. Tell us why we should be afraid, and why we should buy your product.

Submissions are in. The blog entry has 327 comments. I've read them all, and here are the semi-finalists:

• DNA adulteratometer to detect waiters spitting in your soup.
• Toothpaste test strips.
• SOS device for people locked in car trunks.
• Anti-laser-pointer eyeglasses.
• "Alertness alert" heartbeat monitor.

It's not in the running, but reader "False Data" deserves special mention for his Safe-T-Nav, a GPS system that detects high crime zones. It would be a semi-finalist, but it already exists.

Cast your vote; I'll announce the winner on the 15th.

Posted on May 07, 2008 at 02:33 PM • 97 Comments • View Blog Reactions

Al Qaeda Threat Overrated

Seems obvious to me:

"I reject the notion that Al Qaeda is waiting for 'the big one' or holding back an attack," Sheehan writes. "A terrorist cell capable of attacking doesn't sit and wait for some more opportune moment. It's not their style, nor is it in the best interest of their operational security. Delaying an attack gives law enforcement more time to detect a plot or penetrate the organization."

Terrorism is not about standing armies, mass movements, riots in the streets or even palace coups. It's about tiny groups that want to make a big bang. So you keep tracking cells and potential cells, and when you find them you destroy them. After Spanish police cornered leading members of the group that attacked trains in Madrid in 2004, they blew themselves up. The threat in Spain declined dramatically.

Indonesia is another case Sheehan and I talked about. Several high-profile associates of bin Laden were nailed there in the two years after 9/11, then sent off to secret CIA prisons for interrogation. The suspects are now at Guantánamo. But suicide bombings continued until police using forensic evidence—pieces of car bombs and pieces of the suicide bombers—tracked down Dr. Azahari bin Husin, "the Demolition Man," and the little group around him. In a November 2005 shootout the cops killed Dr. Azahari and crushed his cell. After that such attacks in Indonesia stopped.

The drive to obliterate the remaining hives of Al Qaeda training activity along the Afghanistan-Pakistan frontier and those that developed in some corners of Iraq after the U.S. invasion in 2003 needs to continue, says Sheehan. It's especially important to keep wanna-be jihadists in the West from joining with more experienced fighters who can give them hands-on weapons and explosives training. When left to their own devices, as it were, most homegrown terrorists can't cut it. For example, on July 7, 2005, four bombers blew themselves up on public transport in London, killing 56 people. Two of those bombers had trained in Pakistan. Another cell tried to do the same thing two weeks later, but its members had less foreign training, or none. All the bombs were duds.

[...]

Sir David Omand, who used to head Britain's version of the National Security Agency and oversaw its entire intelligence establishment from the Cabinet Office earlier this decade, described terrorism as "one corner" of the global security threat posed by weapons proliferation and political instability. That in turn is only one of three major dangers facing the world over the next few years. The others are the deteriorating environment and a meltdown of the global economy. Putting terrorism in perspective, said Sir David, "leads naturally to a risk management approach, which is very different from what we've heard from Washington these last few years, which is to 'eliminate the threat'."

Yet when I asked the panelists at the forum if Al Qaeda has been overrated, suggesting as Sheehan does that most of its recruits are bunglers, all shook their heads. Nobody wants to say such a thing on the record, in case there's another attack tomorrow and their remarks get quoted back to them.

That's part of what makes Sheehan so refreshing. He knows there's a big risk that he'll be misinterpreted; he'll be called soft on terror by ass-covering bureaucrats, breathless reporters and fear-peddling politicians. And yet he charges ahead. He expects another attack sometime, somewhere. He hopes it won't be made to seem more apocalyptic than it is. "Don't overhype it, because that's what Al Qaeda wants you to do. Terrorism is about psychology." In the meantime, said Sheehan, finishing his fruit juice, "the relentless 24/7 job for people like me is to find and crush those guys."

I've ordered Sheehan's book, Crush the Cell: How to Defeat Terrorism Without Terrorizing Ourselves.

Posted on May 07, 2008 at 12:56 PM • 19 Comments • View Blog Reactions

London's Cameras Don't Reduce Crime

News here and here:

Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe.

[...]

Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. "CCTV was originally seen as a preventative measure," Neville told the Security Document World Conference in London. "Billions of pounds has been spent on kit, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3% of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? [They think] the cameras are not working."

This is, of course is absolutely no surprise.

Posted on May 07, 2008 at 06:53 AM • 32 Comments • View Blog Reactions

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.