Is it worth shutting down botnet controllers?

Gadi Evron has now suggested, following Paul Vixie, that it’s a waste of time to fight botnets by shutting down botnet controllers. Here’s what I wrote to some colleagues when I read Vixie’s statement that stomping out botnets is not only a waste of time, but counter-productive because it causes botherders to change their behavior and find new malicious techniques:

1. If you don’t stomp them they are still going to develop new ways of doing things as a result of internal competition. It may happen more slowly, but it will still happen. There’s no getting around an arms race. Even taking his analogy seriously, he wouldn’t recommend that we stop using antibiotics.

2. Waiting on law enforcement to start effectively prosecuting will take a long time, and I don’t think I’ll be happy with what it will take for them to do it (I’m already unhappy with the new CALEA draft bill that’s circulating). Criminal prosecution will likely never target more than a minority of offenders–mostly the high-profile cases.

3. Taking action raises their costs, which applies more broadly the same economic effect as prosecution does in a narrower and stronger manner. Again, if we take the antibiotic analogy seriously, a diversity of approaches is better than relying on a single approach.

4. Our experience seems to indicate a drop in botnet controller activity when we hit them consistently. If the bulk of miscreants follow the path of least resistance, putting up a fight will tend to push them to environs where people aren’t putting up a fight.

Shutting down botnet controllers does have positive effects–and it’s much quicker and reliable than law enforcement prosecution. I think a diversity of defensive actions is important, and we need to continue developing more of them–as I said above, it is a continuing arms race. Richard Bejtlich has also commented on this subject at his TaoSecurity blog, and there’s some good discussion in the comments.
David Bianco has offered a suggestion at the InfoSecPotpourri blog. Bianco’s suggestion is to modify the botnet C&C traffic, which in order to be most effective would have to occur at either large consumer ISPs (where 99+% of the bots are located) or at a small number of high-volume, low-cost webhosting companies (where 75+% of the botnet controllers are located). There are a number of approaches that are being developed, which I won’t describe in any detail here, but I agree that new approaches need to go more strongly after the bots themselves rather than just the botnet controllers. Those approaches need to use Netflow, and they need to use DNS. We also need to provide incentives for consumers with old, unpatched, vulnerable systems to protect themselves and to be protected by their ISPs–that’s where the biggest bang for the buck will occur.

August 18, 2006 · 3 min

W. Virginia water bottle's explosive residue turns out to be makeup

Yesterday there were numerous news reports about a woman’s water bottle testing positive, twice, for explosive residue and being identified as problematic by a bomb-sniffing dog. She was allegedly taken for questioning by the FBI. Today, there seems to be little followup about the fact that it was actually makeup that triggered false positives.

August 18, 2006 · 1 min

How the terrorist watch list decreases border security

The Department of Homeland Security Office of the Inspector General has issued a report on U.S. Customs and Border Patrol activities at U.S. ports of entry that “indicates a significant decrease over the past few years in the interception of narcotics and the identification of fraudulent immigration documents, especially at airports.” The problem is that when people are stopped whose names resemble those of individuals on the terrorist watch list, CBP officers have limited discretion about how to proceed, which causes them to spend a large amount of time dealing with each such case. Spending time on those cases detracts from their ability to do anything else, and the accumulated information collected in such incidents doesn’t appear to be put to effective use:

When a watchlisted or targeted individual is encountered at a POE, CBP generates several reports summarizing the incident. Each of these reports provides a different level of detail, and is distributed to a different readership. It is unclear, however, how details of the encounter and the information obtained from the suspected terrorist are disseminated for analysis. This inconsistent reporting is preventing DHS from developing independent intelligence assessments and may be preventing important information from inclusion in national strategic intelligence analyses.

The report advises giving more discretion to supervisors at ports of entry, giving security clearances to port of entry counterterrorism personnel, establishing consistent reporting standards, and reviewing port of entry staffing models. It also advises that port of entry personnel collect biometric data from persons entering the country “who would not normally provide this information when entering the United States.” More at Bruce Schneier’s blog.

August 15, 2006 · 2 min

Travel with liquids--the viscosity test

In Stephen Colbert’s discussion of the liquids he takes with him while traveling (on YouTube), he asked whether custard is a liquid. A USA Today “Today in the Sky” blog entry on “Putting TSA to the viscosity test” reported on the author’s experiment to see what she would be forced to discard. She carried a number of items in her bag to the screening area at the Baltimore airport for a flight to St. Louis on Friday night. The items were a container of Silk soy milk, Edge shaving gel, Ban deodorant, a small container of yogurt, a sealed two-pack of Advil capsules (gel caps), some makeup items, and a packet of mustard (see photo). She was only required to discard the soy milk, one of the makeup items, and one other item (the mustard?). I don’t remember the details and cannot verify them because USA Today has removed the blog post, probably on the grounds that it encourages readers to test the limits of security screening. But shouldn’t the rules about what is permitted be clear? Is water in a frozen state permitted? Are there any beverages or food items which have the properties of being thixotropic (solid until shaken) or rheopectic (temporarily solid after being shaken)? There’s now (at least temporarily) a market…

August 14, 2006 · 2 min

Schneier on security theater

Bruce Schneier writes about last week’s terrorism arrests: Hours-long waits in the security line. Ridiculous prohibitions on what you can carry onboard. Last week’s foiling of a major terrorist plot and the subsequent airport security graphically illustrates the difference between effective security and security theater. None of the airplane security measures implemented because of 9/11 – no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews – had anything to do with last week’s arrests. And they wouldn’t have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn’t have made a difference, either. ...

August 13, 2006 · 2 min

Naked air travel

CNN: Tisha Presley, bound for Fort Bragg, North Carolina, hurriedly sipped from her bottled water before going through security at the Atlanta airport. “I assume before too long we’ll be naked on the plane – and that’s fine with me,” she said.

My wife Kat jokingly suggests that TSA require passengers to change into TSA-provided unitards, returned for cleaning and reuse upon arrival at the destination. Of course, the real question is whether air travel continues to be economically viable under high levels of travel restrictions without completely transforming the industry’s business model. One thing for sure–the level of restrictions currently imposed in the UK will provide incentives for telecommuting and audio and video conferencing, which are services provided by the company which employs me, Global Crossing. ...

August 13, 2006 · 1 min

ZeFrank on London liquid explosive terror plot

The Brits caught some douchebags who were going to blow up some planes. Now, the way I see it, you can't have terrorism without terror. The strategy of terrorism is to use isolated acts of violence to instill fear and confusion into the population at large. A small number of people can incapacitate a society by leveraging our inability to understand risk. Airline industry stocks plummeted today, while the industry braced for a rash of cancellations. This, despite the fact that even with the risk of airplane bombings it's still more dangerous to drive your car. Or smoke cigarettes. As long as a small group of people can inflict mass panic across a large population, the tactic itself will remain viable. One way to deal a blow to the effectiveness of terrorism is to deal with the terror itself. London's police deputy commissioner Paul Stevenson said that the plot was "intended to be mass murder on an unimaginable scale." No, it is imaginable: between three and ten flights out of thousands would have resulted in the terrible loss of human life. Bush today said this country is safer today than it was prior to 9/11. Personally, I don't think he knows. Whether we like it or not, terrorist attacks on Americans are now part of the global reality. They will continue to happen. Many places around the globe have had to deal with a similar reality for years. India, Ireland, England, Spain, Russia, to name a few. In many cases, these societies have pulled together and not allowed isolated acts of violence to tear at their fiber. Like disease and the forces of nature, it's a risk that we have to rationally come to terms with. The government's responsibility is to make sure that fear and terror are not disproportionate to the reality of the situation. Today the President said, "This nation is at war with Islamic fascists who will use any means to destroy those of us who love freedom to hurt our nation." Generalized statements like this which instill nebulous fear without specific information are exactly in line with the goals of terrorism.

Video here. (Hat tip to James Redekop on the SKEPTIC mailing list.) Along similar lines is John Mueller of Ohio State University's "A False Sense of Insecurity? How does the risk of terrorism measure up against everyday dangers?" (PDF), published in the Cato Institute's Regulation, Fall 2004. The additional security measures, which are creating long queues of people waiting to go through security checkpoints, are actually creating greater risks of terrorism--against those people waiting to get through the checkpoints. But that risk pales in comparison to everyday risks which we accept (or allow others to accept) as a matter of course: falling off ladders, driving in automobiles, eating fast food, smoking. If a terrorist act on the scale of 9/11 occurred every month in the United States, it would only begin to approach the number of Americans killed every year in automobile accidents, and would still be far short of the number who die as a result of smoking. Responsive actions like unreasonable and inefficient security screening measures increase rather than decrease the costs of terrorism.

Historical Comments

OutOfContext (2006-12-09): "The only thing we have to fear is fear itself." Just think how much more popular and useful our President would have been by calming us all down and giving us perspective. But it's not just him, nobody with any national platform has come close. It almost seems like politicians are as insecure and afraid as the rest of us. I live in the heartland, a place where fear and distance make strange bedfellows. I guess it is easier to fear the sensational and exotic danger than to come to terms with the real social and economic insecurities in our everyday lives. It reminds me a little of a Bill Hicks monologue about CNN in which he complains that news channels show war, destruction, famine, and pestilence 24 hours a day, yet you stick your head out the window and...(the sound of crickets). ...

August 13, 2006 · 4 min

AOL user identified by searches, plans to cancel account

The AOL user identified as 4417749 in the recently released three months of AOL search data has been found by the New York Times. She’s Thelma Arnold, a 62-year-old widow in Georgia who has often done searches about medical conditions for her friends, as well as about such things as how to deal with her dog’s urination problem. The article includes a photo of her diaper-wearing dog, Dudley. The article points out both how the search results can be used to identify the real-world user as well as how they can be misleading. She says at the end of the article that she plans to cancel her account.

August 10, 2006 · 1 min

NY Times and SWIFT

Ed Brayton calls out both the NY Times and those accusing the Times of treason for reporting that the U.S. government is data mining in financial data from SWIFT. He points out that the Times is criticizing the U.S. government for doing what the Times itself editorialized in favor of the government doing, and also points out that it hasn’t really revealed anything of significance that the Bush administration hadn’t already publicly said it was doing. Further, the only actually new thing reported–that the government is accessing large amounts of data with broad subpoenas, rather than specific transactions–was also reported by the Wall Street Journal, but without it being hit with the same criticisms as the Times. This is a significant outbreak of inconsistency.

July 2, 2006 · 1 min

Digital camera blocking technology

Researchers at Georgia Tech have come up with a technology for preventing video cameras from working. The setup uses sensors to detect cameras from the reflectivity and shape of CCD sensors (or is it actually detecting the lens?), then directs a beam of light (potentially a laser) at the CCDs to prevent the camera from recording images. The prospective uses they suggest include prevention of piracy in movie theaters and as a countermeasure against espionage. Their small-area technology is apparently close to ready for commercialization, but the large-area version still has a ways to go. The camera-neutralization technology “may never work against single-lens reflex cameras.” Let’s hope it doesn’t become a technology used to prevent the documentation of abuses, governmental or otherwise.

June 21, 2006 · 1 min