Schneier's Jan 2006 Cryptogram

Bruce Schneier’s latest issue of Cryptogram is out and, as usual, it’s a treasure trove of interesting stories. (It’s also very popular – the link above might not work right now since the issue came out today.) I’m just going to hit the highlights here. I’ll probably go into more depth in future posts.

FISA and Survillance
Schneier devotes a lot of time to discussion of FISA and the President’s decision to conduct surveillance without going through the court system. One of the most interesting essays suggests the President’s purpose was probably not to speed up getting warrants but to use a different style of surveillance. FISA is organized around the idea that you conduct surveillance of a particular person, but the NSA, through systems like Echelon, has the capability to “vacuum” up billions of messages daily and mine them for interesting patterns – something you can’t get a warrant to do. Mr. Bush may have wanted to be able to do that with communications going to and from the United States. A follow-up article discusses Project Shamrock, a 1950’s and 60’s project in which intelligence agencies did exactly that by intercepting all telegrams going to and from the United States and argues Congress’s reaction to that project is what gave rise to FISA in the first place. There’s also a rather extensive article describing the Bush administration’s legal justifications in lay terms, with links to the Yoo memo containing the legal reasoning. Finally, if you really want to live on the edge, here’s a suggested test to find out if your e-mail’s being snooped, though it might wind up landing you on the no-fly list.

Browser Vulnerabilities
A group’s run a study on security and web browsers. For each browser, they looked at the number of days out of 2004 when there was a known vulnerability in the browser but no patch to fix the vulnerability existed. The results? Firefox: 15% unsafe (with the Windows version of Firefox being 7% unsafe.) Opera: 17% unsafe. Internet Explorer: 98% unsafe.

RFID Tag-related Stories (Wallet article, Zapper article)
RFID tags are (still) creating a lot of stir on the Internet among people with both professional and amateur interest in security. Somewhat tongue-in-cheek, but apparently effective, are these plans to make an RFID-blocking wallet out of duct tape and aluminum foil. There are also plans to make an RFID-zapper, a device designed to burn out RFID chips permanently by generating a small electromagnetic pulse. The FCC’s gotta frown on that.

Vehicle Tracking in UK
Looks like the UK is set to implement a system to track the movements of every car and truck in the country and keep those records for two years. They’re going to use a network of cameras to read and record license plates. I wasn’t able to determine what the system would do if Bad Guy used electrical tape to change the numbering on his plate to be the same as Good Guy’s numbers and then went tooling around. One of the comments also raises an interesting point: if police cars have mobile plate scanners, you can use the logs to track the movements of the police cars as they scan plates, since you’ll know “cop car X scanned plate Y at location L and time Z.”