Blogs

An aggregation of our Blog Roll, made up of acmqueue authors.

All Postings, Bruce Schneier:  (2,239 posts)

Source blog: Schneier on Security

Mon, 20 May 2013 11:34:17 UTC

Security Risks of Too Much Security

Posted By Bruce Schneier

All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them. The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound. "Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms...

Fri, 17 May 2013 21:57:09 UTC

Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture

Posted By Bruce Schneier

Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 May 2013 19:59:37 UTC

Applied Cryptography on Elementary

Posted By Bruce Schneier

In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show....

Thu, 16 May 2013 13:45:20 UTC

Bluetooth-Controlled Door Lock

Posted By Bruce Schneier

Here is a new lock that you can control via Bluetooth and an iPhone app. That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found...

Tue, 14 May 2013 10:48:13 UTC

Transparency and Accountability

Posted By Bruce Schneier

As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing...

Mon, 13 May 2013 13:15:20 UTC

2007 NSA Manual on Internet Hacking

Posted By Bruce Schneier

Mildly interesting....

Fri, 10 May 2013 21:26:12 UTC

Friday Squid Blogging: Squid Festival in Monterey

Posted By Bruce Schneier

It's at the end of May. Note that it's being put on by the Calamari Entertainment Group. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 May 2013 18:49:42 UTC

The Onion on Browser Security

Posted By Bruce Schneier

Wise advice: At Chase Bank, we recognize the value of online banking -- it's quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That's why, when you're finished with your online banking session, we recommend three simple steps to protect your personal...

Fri, 10 May 2013 11:47:32 UTC

Mail Cover

Posted By Bruce Schneier

From a FOIAed Department of Transportation document on investigative techniques: A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law....

Thu, 09 May 2013 10:16:46 UTC

The Economist on Guantanamo

Posted By Bruce Schneier

Maybe the tide is turning: America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle...

Wed, 08 May 2013 18:54:28 UTC

Reidentifying Anonymous Data

Posted By Bruce Schneier

Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results. Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three...

Wed, 08 May 2013 11:32:35 UTC

Evacuation Alerts at the Airport

Posted By Bruce Schneier

Last week, an employee error caused the monitors at LAX to display a building evacuation order: At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport...

Tue, 07 May 2013 17:57:36 UTC

Is the U.S. Government Recording and Saving All Domestic Telephone Calls?

Posted By Bruce Schneier

I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here: More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18. What exactly the two said remains under investigation, the sources...

Tue, 07 May 2013 11:10:49 UTC

Intelligence Analysis and the Connect-the-Dots Metaphor

Posted By Bruce Schneier

The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn't happen again? It's an old song by now, one we heard after the...

Mon, 06 May 2013 18:17:15 UTC

Michael Chertoff on Google Glass

Posted By Bruce Schneier

Interesting op-ed by former DHS head Michael Chertoff on the privacy risks of Google Glass. Now imagine that millions of Americans walk around each day wearing the equivalent of a drone on their head: a device capable of capturing video and audio recordings of everything that happens around them. And imagine that these devices upload the data to large-scale commercial...

Mon, 06 May 2013 10:44:34 UTC

Honeywords

Posted By Bruce Schneier

Here is a simple but clever idea. Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file....

Fri, 03 May 2013 21:33:52 UTC

Friday Squid Blogging: Squid Escape Artist

Posted By Bruce Schneier

It's amazing how small a hole he can fit through. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 May 2013 17:44:28 UTC

Another WWII Message Decoded

Posted By Bruce Schneier

It's a really interesting code and story. (The first link has the most detailed information about the code and the cryptanalysis.)...

Fri, 03 May 2013 11:15:48 UTC

The Public/Private Surveillance Partnership

Posted By Bruce Schneier

Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received -- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. Either they're prohibited by law from asking without probable cause and a judicial order, or they simply have no...

Thu, 02 May 2013 18:09:29 UTC

Risks of Networked Systems

Posted By Bruce Schneier

Interesting research: Helbing's publication illustrates how cascade effects and complex dynamics amplify the vulnerability of networked systems. For example, just a few long-distance connections can largely decrease our ability to mitigate the threats posed by global pandemics. Initially beneficial trends, such as globalization, increasing network densities, higher complexity, and an acceleration of institutional decision processes may ultimately push human-made or...

Thu, 02 May 2013 11:50:28 UTC

More on FinSpy/FinFisher

Posted By Bruce Schneier

FinFisher (also called FinSpy) is a commercially sold spyware package that is used by governments world-wide, including the U.S. There's a new report that has a bunch of new information: Our new findings include: We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria. Taken together...

Wed, 01 May 2013 18:58:05 UTC

Google Pays $31,000 for Three Chrome Vulnerabilities

Posted By Bruce Schneier

Google is paying bug bounties. This is important; there's a market in vulnerabilities that provides incentives for their being kept secret and exploitable; for Google to buy and patch them makes us all more secure. The U.S. government should do the same....

Wed, 01 May 2013 15:26:40 UTC

Details of a Cyberheist

Posted By Bruce Schneier

Really interesting article detailing how criminals steal from a company's accounts over the Internet. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years. Basically, the criminals break into the...

Tue, 30 Apr 2013 18:29:38 UTC

The Importance of Backups

Posted By Bruce Schneier

I've already written about the guy who got a new trial because a virus ate his court records. Here's someone who will have to redo his thesis research because someone stole his only copy of the data. Remember the rule: no one ever wants backups, but everyone always wants restores. I have no idea if that image is real or...

Tue, 30 Apr 2013 11:11:44 UTC

Pinging the Entire Internet

Posted By Bruce Schneier

Turns out there's a lot of vulnerable systems out there: Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them. On Tuesday, Moore published results on a particularly troubling segment...

Mon, 29 Apr 2013 15:27:24 UTC

More Links on the Boston Terrorist Attacks

Posted By Bruce Schneier

Max Abrahms has two sensible essays. Probably the ultimate in security theater: Williams-Sonoma stops selling pressure cookers "out of respect." They say it's temporary. (I bought a Williams-Sonoma pressure cooker last Christmas; I wonder if I'm now on a list.) A tragedy: Sunil Tripathi, whom Reddit and other sites wrongly identified as one of the bombers, was found dead in...

Fri, 26 Apr 2013 21:05:44 UTC

Friday Squid Blogging: Lego Giant Squid Model

Posted By Bruce Schneier

This is a fantastic Lego model of a space kraken attacking a Star Wars Super Star Destroyer. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Apr 2013 17:21:46 UTC

xkcd on a Bad Threat Model

Posted By Bruce Schneier

Funny, and true....

Fri, 26 Apr 2013 12:19:58 UTC

Tor Needs Bridges

Posted By Bruce Schneier

The Internet anonymity service Tor needs people who are willing to run bridges. It's a goodness for the world; do it if you can....

Thu, 25 Apr 2013 19:37:05 UTC

Cryptanalyst on British Postage Stamps

Posted By Bruce Schneier

A 92-year-old World War II Bletchley Park codebreaker has had a set of commemorative stamps issued in his honor....

Thu, 25 Apr 2013 11:42:54 UTC

Random Links on the Boston Terrorist Attack

Posted By Bruce Schneier

Encouraging poll data says that maybe Americans are starting to have realistic fears about terrorism, or at least are refusing to be terrorized. Good essay by Scott Atran on terrorism and our reaction. Reddit apologizes. I think this is a big story. The Internet is going to help in everything, including trying to identify terrorists. This will happen whether or...

Wed, 24 Apr 2013 18:06:27 UTC

Ellen on Protecting Passwords

Posted By Bruce Schneier

Pretty good video. Ellen makes fun of the "Internet Password Minder," which is -- if you think about it -- only slightly different than Password Safe....

Wed, 24 Apr 2013 11:51:07 UTC

More Plant Security Countermeasures

Posted By Bruce Schneier

I've talked about plant security systems, both here and in Beyond Fear. Specifically, I've talked about tobacco plants that call air strikes against insects that eat them, by releasing a scent that attracts predators to those insects. Here's another defense: the plants also tag caterpillars for predators by feeding them a sweet snack (full episode here) that makes them give...

Tue, 23 Apr 2013 17:34:27 UTC

The Police Now Like Amateur Photography

Posted By Bruce Schneier

PhotographyIsNotACrime.com points out the obvious: after years of warning us that photography is suspicious, the police were happy to accept all of those amateur photographs and videos at the Boston Marathon. Adding to the hypocrisy is that these same authorities will most likely start clamping down on citizens with cameras more than ever once the smoke clears and we once...

Tue, 23 Apr 2013 12:10:50 UTC

Securing Members of Congress from Transparency

Posted By Bruce Schneier

I commented in this article on the repeal of the transparency provisions of the STOCK Act: Passed in 2012 after a 60 Minutes report on insider trading practices in Congress, the STOCK Act banned members of Congress and senior executive and legislative branch officials from trading based on government knowledge. To give the ban teeth, the law directed that many...

Sun, 21 Apr 2013 15:48:08 UTC

About Police Shoot Outs and Spectators

Posted By Bruce Schneier

Hopefully this advice is superfluous for my audience, but it's so well written it's worth reading nonetheless: 7. SO, the bottom line is this: If you are in a place where you hear steady, and sustained, and nearby (let's call that, for some technical reasons, anything less than 800 meters) gunfire, do these things: Go to your basement. You are...

Sun, 21 Apr 2013 11:36:17 UTC

A Discussion of Redaction

Posted By Bruce Schneier

Interesting....

Sat, 20 Apr 2013 13:19:32 UTC

The Boston Marathon Bomber Manhunt

Posted By Bruce Schneier

I generally give the police a lot of tactical leeway in times like this. The very armed and very dangerous suspects warranted extraordinary treatment. They were perfectly capable of killing again, taking hostages, planting more bombs -- and we didn't know the extent of the plot or the group. That's why I didn't object to the massive police dragnet, the...

Fri, 19 Apr 2013 18:40:57 UTC

Me at the Berkman Center

Posted By Bruce Schneier

Earlier this month I spent a week at the Berkman Center for Internet and Society, talking to people about power, security, technology, and threats (details here). As part of that week, I gave a public talk at Harvard. Because my thoughts are so diffuse and disjoint, I didn't think I could pull it all together into a coherent talk. Instead,...

Fri, 19 Apr 2013 18:35:01 UTC

Friday Squid Blogging: Giant Squid Bike Rack

Posted By Bruce Schneier

It's the first on this page. Apparently this is the finished version of the design I blogged about last year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Apr 2013 11:47:21 UTC

NSA Cryptography Course

Posted By Bruce Schneier

This article, from some internal NSA publication, is about Lambros Callimahos, who taught an intensive 18-week course on cryptology for many years and died in 1977. Be sure to notice the great redacted photo of him and his students on page 17....

Thu, 18 Apr 2013 16:36:56 UTC

The Nemim.gen Trojan

Posted By Bruce Schneier

This clever piece of malware evades forensic examination by deleting its own components....

Tue, 16 Apr 2013 14:19:09 UTC

Initial Thoughts on the Boston Bombings

Posted By Bruce Schneier

I rewrote my "refuse to be terrorized" essay for the Atlantic. David Rothkoph (author of the great book Power, Inc.) wrote something similar, and so did John Cole. It's interesting to see how much more resonance this idea has today than it did a dozen years ago. If other people have written similar essays, please post links in the comments....

Tue, 16 Apr 2013 11:37:40 UTC

FBI and Cell Phone Surveillance

Posted By Bruce Schneier

We're learning a lot about how the FBI eavesdrops on cell phones from a recent court battle....

Mon, 15 Apr 2013 09:29:45 UTC

Google Glass Enables New Forms of Cheating

Posted By Bruce Schneier

It's mentioned here: Mr. Doerr said he had been wearing the glasses and uses them especially for taking pictures and looking up words while playing Scattergories with his family, though it is questionable whether that follows the game's rules. Questionable? Questionable? It's just like using a computer's dictionary while playing Scrabble, or a computer odds program while playing poker, or...

Fri, 12 Apr 2013 21:34:41 UTC

Friday Squid Blogging: Illegal Squid Fishing

Posted By Bruce Schneier

While we're on the subject of squid fishing in Argentina, the country is dealing with foreign boats illegally fishing for squid inside its territorial waters. So yet again, squid and security collide. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Apr 2013 15:50:14 UTC

Remotely Hijacking an Aircraft

Posted By Bruce Schneier

There is a lot of buzz on the Internet about a talk at the Hack in the Box conference by Hugo Teso, who claims he can hack in to remotely control an airplane's avionics. He even wrote an Android app to do it. I honestly can't tell how real this is, and how much of it is the unique configuration of...

Thu, 11 Apr 2013 11:42:43 UTC

Thieves Use Video Camera to Stake Out Properties

Posted By Bruce Schneier

If the police can use cameras, so can the burglars....

Wed, 10 Apr 2013 17:46:44 UTC

Security Externalities and DDOS Attacks

Posted By Bruce Schneier

Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited: The attackers' goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker's traffic-sending capacity, so that...

Wed, 10 Apr 2013 11:40:46 UTC

Last Battle of Midway Cryptanalyst

Posted By Bruce Schneier

The last cryptanalyst at the Battle of Midway, Rear Admiral Donald "Mac" Showers, USN-Ret, passed away 19 October 2012. His interment at Arlington National Cemetery at Arlington, Virginia, will be Monday, April 15, at 3:00. The family made this a public event to celebrate his life and contributions to the cryptologic community....

Tue, 09 Apr 2013 18:49:51 UTC

Nice Security Mindset Example

Posted By Bruce Schneier

A real-world one-way function: Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter. To decrypt the message Bob has...

Tue, 09 Apr 2013 11:05:25 UTC

Bitcoins in the Mainstream Media

Posted By Bruce Schneier

Interesting article from the New Yorker. I'm often asked what I think about bitcoins. I haven't analyzed the security, but what I have seen looks good. The real issues are economic and political, and I don't have the expertise to have an opinion on that. BTW, here's a recent criticism of BitCoins....

Mon, 08 Apr 2013 18:30:08 UTC

Elite Panic

Posted By Bruce Schneier

I hadn't heard of this term before, but it's an interesting one. The excerpt below is from an interview with Rebecca Solnit, author of A Paradise Built in Hell: The Extraordinary Communities That Arise in Disaster: The term "elite panic" was coined by Caron Chess and Lee Clarke of Rutgers. From the beginning of the field in the 1950s to...

Mon, 08 Apr 2013 11:34:49 UTC

Government Use of Hackers as an Object of Fear

Posted By Bruce Schneier

Interesting article about the perception of hackers in popular culture, and how the government uses the general fear of them to push for more power: But these more serious threats don't seem to loom as large as hackers in the minds of those who make the laws and regulations that shape the Internet. It is the hacker -- a sort...

Fri, 05 Apr 2013 21:08:43 UTC

Friday Squid Blogging: Nighttime Squid Fishing Seen from Space

Posted By Bruce Schneier

Page 18 of this thesis explains that squid fishing is done at night, and the lighting is so bright that it shows up in the satellite surveys of planetary lighting. This video shows the phenomenon off the coast line of Argentina. As usual, you can also use this squid post to talk about the security stories in the news that I haven't...

Fri, 05 Apr 2013 18:05:36 UTC

Apple's iMessage Encryption Seems to Be Pretty Good

Posted By Bruce Schneier

The U.S. Drug Enforcement Agency has complained (in a classified report, not publicly) that Apple's iMessage end-to-end encryption scheme can't be broken. On the one hand, I'm not surprised; end-to-end encryption of a messaging system is a fairly easy cryptographic problem, and it should be unbreakable. On the other hand, it's nice to have some confirmation that Apple is looking...

Fri, 05 Apr 2013 11:35:45 UTC

Skein Collision Competition

Posted By Bruce Schneier

Xkcd had a Skein collision competition. The contest is over -- Carnegie Mellon University won, with 384 (out of 1024) mismatched bits -- but it's explained here....

Thu, 04 Apr 2013 11:28:42 UTC

NSA Crossword Puzzles

Posted By Bruce Schneier

Two puzzles from a 1977 issue of Cryptolog....

Wed, 03 Apr 2013 12:29:39 UTC

IT for Oppression

Posted By Bruce Schneier

Whether it's Syria using Facebook to help identify and arrest dissidents or China using its "Great Firewall" to limit access to international news throughout the country, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, propaganda, and control. They're getting really good at it, and the IT industry is helping. We're helping by...

Tue, 02 Apr 2013 11:02:06 UTC

Narratives of Secrecy

Posted By Bruce Schneier

How people talked about the secrecy surrounding the Manhattan project....

Mon, 01 Apr 2013 17:38:25 UTC

Sixth Movie-Plot Threat Contest

Posted By Bruce Schneier

It's back, after a two-year hiatus. Terrorism is boring; cyberwar is in. Cyberwar, and its kin: cyber Pearl Harbor, cyber 9/11, cyber Armageddon. (Or make up your own: a cyber Black Plague, cyber Ragnarok, cyber comet-hits-the-earth.) This is how we get budget and power for militaries. This is how we convince people to give up their freedoms and liberties. This...

Mon, 01 Apr 2013 11:07:15 UTC

What I've Been Thinking About

Posted By Bruce Schneier

I'm starting to think about my next book, which will be about power and the Internet -- from the perspective of security. My objective will be to describe current trends, explain where those trends are leading us, and discuss alternatives for avoiding that outcome. Many of my recent essays have touched on various facets of this, although I'm still looking...

Fri, 29 Mar 2013 21:19:59 UTC

Friday Squid Blogging: Bomb Discovered in Squid at Market

Posted By Bruce Schneier

Really: An unexploded bomb was found inside a squid when the fish was slaughtered at a fish market in Guangdong province. Oddly enough, this doesn't seem to be the work of terrorists: The stall owner, who has been selling fish for 10 years, told the newspaper the 1-meter-long squid might have mistaken the bomb for food. Clearly there's much to...

Fri, 29 Mar 2013 17:25:11 UTC

The Dangers of Surveillance

Posted By Bruce Schneier

Interesting article, "The Dangers of Surveillance," by Neil M. Richards, Harvard Law Review, 2013. From the abstract: ...We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of "surveillance studies," I explain what those harms are and why they...

Fri, 29 Mar 2013 11:59:08 UTC

New RC4 Attack

Posted By Bruce Schneier

This is a really clever attack on the RC4 encryption algorithm as used in TLS. We have found a new attack against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent...

Thu, 28 Mar 2013 13:36:49 UTC

Unwitting Drug Smugglers

Posted By Bruce Schneier

This is a story about a physicist who got taken in by an imaginary Internet girlfriend and ended up being arrested in Argentina for drug smuggling. Readers of this blog will see it coming, of course, but it's a still a good read. I don't know whether the professor knew what he was doing -- it's pretty clear that the...

Wed, 27 Mar 2013 11:47:03 UTC

Security Awareness Training

Posted By Bruce Schneier

Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater...

Tue, 26 Mar 2013 19:15:35 UTC

The NSA's Cryptolog

Posted By Bruce Schneier

The NSA has published declassified versions of its Cryptolog newsletter. All the issues from Aug 1974 through Summer 1997 are on the web, although there are some pretty heavy redactions in places. (Here's a link to the documents on a non-government site, in case they disappear.) I haven't even begun to go through these yet. If you find anything good,...

Tue, 26 Mar 2013 11:38:14 UTC

Identifying People from Mobile Phone Location Data

Posted By Bruce Schneier

Turns out that it's pretty easy: Researchers at the Massachusetts Institute of Technology (MIT) and the Catholic University of Louvain studied 15 months' worth of anonymised mobile phone records for 1.5 million individuals. They found from the "mobility traces" - the evident paths of each mobile phone - that only four locations and times were enough to identify a particular...

Mon, 25 Mar 2013 11:28:13 UTC

Our Internet Surveillance State

Posted By Bruce Schneier

I'm going to start with three data points. One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks. Two: Hector Monsegur, one of the leaders of the LulzSec hacker movement,...

Fri, 22 Mar 2013 21:12:38 UTC

Friday Squid Blogging: Giant Squid Genetics

Posted By Bruce Schneier

Despite looking very different from each other and being distributed across the world's oceans, all giant squid are the same species. There's also not a lot of genetic diversity. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Mar 2013 20:46:55 UTC

Changes to the Blog

Posted By Bruce Schneier

I have made a few changes to my blog that I'd like to talk about. The first is the various buttons associated with each post: a Facebook Like button, a Retweet button, and so on. These buttons are ubiquitous on the Internet now. We publishers like them because it makes it easier for our readers to share our content. I...

Fri, 22 Mar 2013 12:10:57 UTC

FBI Secretly Spying on Cloud Computer Users

Posted By Bruce Schneier

Both Google and Microsoft have admitted it. Presumably every other major cloud service provider is getting these National Security Letters as well. If you've been following along, you know that a U.S. District Court recently ruled National Security Letters unconstitutional. Not that this changes anything yet....

Thu, 21 Mar 2013 18:17:25 UTC

Text Message Retention Policies

Posted By Bruce Schneier

The FBI wants cell phone carriers to store SMS messages for a long time, enabling them to conduct surveillance backwards in time. Nothing new there -- data retention laws are being debated in many countries around the world -- but this was something I did not know: Wireless providers' current SMS retention policies vary. An internal Justice Department document (PDF)...

Thu, 21 Mar 2013 12:02:28 UTC

When Technology Overtakes Security

Posted By Bruce Schneier

A core, not side, effect of technology is its ability to magnify power and multiply force -- for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems. The problem is that it's not balanced: Attackers generally benefit from new...

Wed, 20 Mar 2013 16:51:42 UTC

Lessons From the FBI's Insider Threat Program

Posted By Bruce Schneier

This article is worth reading. One bit: For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting...

Tue, 19 Mar 2013 18:34:57 UTC

FinSpy

Posted By Bruce Schneier

Twenty five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens: The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States...

Tue, 19 Mar 2013 11:44:17 UTC

Gauss

Posted By Bruce Schneier

Nice summary article on the state-sponsored Gauss malware....

Mon, 18 Mar 2013 18:00:52 UTC

A 1962 Speculative Essay on Computers and Intelligence

Posted By Bruce Schneier

From the CIA archives: Orrin Clotworthy, "Some Far-out Thoughts on Computers," Studies in Intelligence v. 6 (1962)....

Mon, 18 Mar 2013 14:38:00 UTC

Prison Escape

Posted By Bruce Schneier

Audacious daytime prison escape by helicopter. The escapees have since been recaptured....

Fri, 15 Mar 2013 21:10:46 UTC

Friday Squid Blogging: WTF, Evolution?

Posted By Bruce Schneier

WTF, Evolution? is a great blog, and they finally mentioned squid....

Fri, 15 Mar 2013 19:01:01 UTC

xkcd on PGP

Posted By Bruce Schneier

How security interacts with users....

Fri, 15 Mar 2013 10:46:12 UTC

Stuxnet is Much Older than We Thought

Posted By Bruce Schneier

Symantec has found evidence of Stuxnet variants from way back in 2005. That's much older than the 2009 creation date we originally thought it had. More here and here. What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then....

Thu, 14 Mar 2013 17:19:08 UTC

On Secrecy

Posted By Bruce Schneier

Interesting law paper: "The Implausibility of Secrecy," by Mark Fenster. Abstract: Government secrecy frequently fails. Despite the executive branch's obsessive hoarding of certain kinds of documents and its constitutional authority to do so, recent high-profile events -- among them the WikiLeaks episode, the Obama administration's celebrated leak prosecutions, and the widespread disclosure by high-level officials of flattering confidential information to...

Thu, 14 Mar 2013 11:11:56 UTC

Nationalism on the Internet

Posted By Bruce Schneier

For technology that was supposed to ignore borders, bring the world closer together, and sidestep the influence of national governments, the Internet is fostering an awful lot of nationalism right now. We've started to see increased concern about the country of origin of IT products and services; U.S. companies are worried about hardware from China; European companies are worried about...

Wed, 13 Mar 2013 18:30:38 UTC

Security Theater on the Wells Fargo Website

Posted By Bruce Schneier

Click on the "Establishing secure connection" link at the top of this page. It's a Wells Fargo page that displays a progress bar with a bunch of security phrases -- "Establishing Secure Connection," "Sending credentials," "Building Secure Environment," and so on -- and closes after a few seconds. It's complete security theater; it doesn't actually do anything but make account...

Wed, 13 Mar 2013 12:24:27 UTC

Hacking Best-seller Lists

Posted By Bruce Schneier

It turns out that you can buy a position for your book on best-seller lists....

Tue, 12 Mar 2013 18:43:11 UTC

Cisco IP Phone Hack

Posted By Bruce Schneier

Nice work: All current Cisco IP phones, including the ones seen on desks in the White House and aboard Air Force One, have a vulnerability that allows hackers to take complete control of the devices....

Tue, 12 Mar 2013 11:45:35 UTC

"The Logic of Surveillance"

Posted By Bruce Schneier

Interesting essay: Surveillance is part of the system of control. "The more surveillance, the more control" is the majority belief amongst the ruling elites. Automated surveillance requires fewer "watchers", and since the watchers cannot watch all the surveillance, long term storage increases the ability to find some "crime" anyone is guilty of. [...] This is one of the biggest problems...

Mon, 11 Mar 2013 17:58:40 UTC

Dead Drop from the 1870s

Posted By Bruce Schneier

Hats: De Blowitz was staying at the Kaiserhof. Each day his confederate went there for lunch and dinner. The two never acknowledged one another, but they hung their hats on neighboring pegs. At the end of the meal the confederate departed with de Blowitz's hat, and de Blowitz innocently took the confederate's. The communications were hidden in the hat's lining....

Mon, 11 Mar 2013 11:12:21 UTC

Is Software Security a Waste of Money?

Posted By Bruce Schneier

I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn't important. He said: For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove...

Fri, 08 Mar 2013 22:06:27 UTC

Friday Squid Blogging: Squid/Whale Yin-Yang

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Mar 2013 18:08:07 UTC

Ross Anderson's Security Engineering Online

Posted By Bruce Schneier

The second edition of Ross Anderson's fantastic book, Security Engineering, is now free online. Required reading for any security engineer....

Fri, 08 Mar 2013 12:23:16 UTC

Oxford University Blocks Google Docs

Posted By Bruce Schneier

Google Docs is being used for phishing. Oxford University felt that it had to block the service because Google isn't responding to takedown requests quickly enough. Think about this in light of my essay on feudal security. Oxford University has to trust that Google will act in its best interest, and has no other option if it doesn't....

Thu, 07 Mar 2013 19:39:15 UTC

How the FBI Intercepts Cell Phone Data

Posted By Bruce Schneier

Good article on "Stingrays," which the FBI uses to monitor cell phone data. Basically, they trick the phone into joining a fake network. And, since cell phones inherently trust the network -- as opposed to computers which inherently do not trust the Internet -- it's easy to track people and collect data. There are lots of questions about whether or...

Thu, 07 Mar 2013 12:45:04 UTC

Browser Security

Posted By Bruce Schneier

Interesting discussion on browser security from Communications of the ACM. Also, an article on browser and web privacy from the same issue....

Wed, 06 Mar 2013 19:24:15 UTC

The NSA's Ragtime Surveillance Program and the Need for Leaks

Posted By Bruce Schneier

A new book reveals details about the NSA's Ragtime surveillance program: A book published earlier this month, "Deep State: Inside the Government Secrecy Industry," contains revelations about the NSA's snooping efforts, based on information gleaned from NSA sources. According to a detailed summary by Shane Harris at the Washingtonian yesterday, the book discloses that a codename for a controversial NSA...

Wed, 06 Mar 2013 12:50:07 UTC

Al Qaeda Document on Avoiding Drone Strikes

Posted By Bruce Schneier

Interesting: 3. Spreading the reflective pieces of glass on a car or on the roof of the building. 4. Placing a group of skilled snipers to hunt the drone, especially the reconnaissance ones because they fly low, about six kilometers or less. 5. Jamming of and confusing of electronic communication using the ordinary water-lifting dynamo fitted with...

Tue, 05 Mar 2013 19:58:04 UTC

Marketing at the RSA Conference

Posted By Bruce Schneier

Marcus Ranum has an interesting screed on "booth babes" in the RSA Conference exhibition hall: I'm not making a moral argument about sexism in our industry or the objectification of women. I could (and probably should) but it's easier to just point out the obvious: the only customers that will be impressed by anyone's ability to hire pretty models to...

Tue, 05 Mar 2013 12:28:50 UTC

Technologies of Surveillance

Posted By Bruce Schneier

It's a new day for the New York Police Department, with technology increasingly informing the way cops do their jobs. With innovation comes new possibilities but also new concerns. For one, the NYPD is testing a new type of security apparatus that uses terahertz radiation to detect guns under clothing from a distance. As Police Commissioner Ray Kelly explained to...

Mon, 04 Mar 2013 20:04:34 UTC

New Internet Porn Scam

Posted By Bruce Schneier

I hadn't heard of this one before. In New Zealand, people viewing adult websites -- it's unclear whether these are honeypot sites, or malware that notices the site being viewed -- get a pop-up message claiming it's from the NZ Police and demanding payment of an instant fine for viewing illegal pornography....

Mon, 04 Mar 2013 12:38:18 UTC

Getting Security Incentives Right

Posted By Bruce Schneier

One of the problems with motivating proper security behavior within an organization is that the incentives are all wrong. It doesn't matter how much management tells employees that security is important, employees know when it really isn't -- when getting the job done cheaply and on schedule is much more important. It seems to me that his co-workers understand the...

Fri, 01 Mar 2013 22:36:01 UTC

Friday Squid Blogging: Another Squid Cartoon.

Posted By Bruce Schneier

Another. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Mar 2013 20:11:07 UTC

Me on "Virtually Speaking"

Posted By Bruce Schneier

Last week I was on "Virtually Speaking."...

Fri, 01 Mar 2013 11:05:22 UTC

Phishing Has Gotten Very Good

Posted By Bruce Schneier

This isn't phishing; it's not even spear phishing. It's laser-guided precision phishing: One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. "The message had the subject line 'China and Climate Change' and was spoofed to appear as if it were from...

Thu, 28 Feb 2013 20:40:38 UTC

The Court of Public Opinion

Posted By Bruce Schneier

Recently, Elon Musk and the New York Times took to Twitter and the Internet to argue the data -- and their grievances -- over a failed road test and car review. Meanwhile, an Applebee's server is part of a Change.org petition to get her job back after posting a pastor's no-tip receipt comment online. And when he wasn't paid quickly...

Thu, 28 Feb 2013 12:35:53 UTC

Brazen Physical Thefts

Posted By Bruce Schneier

Three brazen robberies are in the news this week. The first was a theft at a small museum of gold nuggets worth $750,000: Police said the daring heist happened between daytime tours, during a 20-minute window. Museum employees said the thief used an ax to smash the acrylic window, and then left the ax behind. "He just grabbed it, threw...

Wed, 27 Feb 2013 19:26:01 UTC

Alan F. Westin Died

Posted By Bruce Schneier

Obituary here. His 1967 book, Privacy and Freedom, almost single-handedly created modern privacy law....

Wed, 27 Feb 2013 13:09:47 UTC

How Complex Systems Fail

Posted By Bruce Schneier

Good summary list. It's not directly about security, but it's all fundamentally about security. Any real-world security system is inherently complex. I wrote about this long ago in Beyond Fear....

Tue, 26 Feb 2013 19:38:35 UTC

Security Lessons from the Battle of Hoth

Posted By Bruce Schneier

Someone has analyzed the security mistakes in the Battle of Hoth, from the movie The Empire Strikes Back....

Tue, 26 Feb 2013 13:10:03 UTC

House Hearing: How Well Is the TSA Doing?

Posted By Bruce Schneier

I would have liked to participate in this hearing: Committee on Homeland Security, Subcommittee on Oversight and Management Efficiency: "Assessing DHS 10 Years Later: How Wisely is DHS Spending Taxpayer Dollars?" February 15, 2013....

Mon, 25 Feb 2013 19:49:53 UTC

Me at the RSA Conference

Posted By Bruce Schneier

I'll be speaking twice at the RSA Conference this year. I'm giving a solo talk Tuesday at 1:00, and participating in a debate about training Wednesday at noon. This is a short written preview of my solo talk, and this is an audio interview on the topic. Additionally: Akamai is giving away 1,500 copies of Liars and Outliers, and Zcaler...

Mon, 25 Feb 2013 11:52:51 UTC

Another Essay about Liars and Outliers

Posted By Bruce Schneier

The Montréal Review asked me to write an essay about my latest book. Not much that regular readers haven't seen before....

Fri, 22 Feb 2013 22:38:30 UTC

Friday Squid Blogging: Land Squids

Posted By Bruce Schneier

Funny. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Feb 2013 20:21:39 UTC

I Was on Inventing the Future

Posted By Bruce Schneier

I was a guest on Inventing the Future, for an episode on surveillance technology. The video is here....

Fri, 22 Feb 2013 17:12:01 UTC

Hacking the Papal Election

Posted By Bruce Schneier

As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote? The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The...

Fri, 22 Feb 2013 12:03:34 UTC

All Those Companies that Can't Afford Dedicated Security

Posted By Bruce Schneier

This is interesting: In the security practice, we have our own version of no-man's land, and that's midsize companies. Wendy Nather refers to these folks as being below the "Security Poverty Line." These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a...

Thu, 21 Feb 2013 18:54:28 UTC

More on Chinese Cyberattacks

Posted By Bruce Schneier

Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency. Hype aside, the Mandiant report on the hackers is very good, especially the part where the Chinese hackers outed themselves through poor opsec:...

Thu, 21 Feb 2013 13:24:45 UTC

Age Biases in Perceptions of Trust

Posted By Bruce Schneier

Interesting research (full article is behind a paywall): Abstract: Older adults are disproportionately vulnerable to fraud, and federal agencies have speculated that excessive trust explains their greater vulnerability. Two studies, one behavioral and one using neuroimaging methodology, identified age differences in trust and their neural underpinnings. Older and younger adults rated faces high in trust cues similarly, but older adults...

Wed, 20 Feb 2013 18:03:29 UTC

Cheating at Chess

Posted By Bruce Schneier

Good summary of cheating in tournament chess....

Wed, 20 Feb 2013 13:29:50 UTC

Fixing Soccer Matches

Posted By Bruce Schneier

How international soccer matches are fixed. Right now, Dan Tan's programmers are busy reverse-engineering the safeguards of online betting houses. About $3 billion is wagered on sports every day, most of it on soccer, most of it in Asia. That's a lot of noise on the big exchanges. We can exploit the fluctuations, rig the bets in a way that...

Tue, 19 Feb 2013 18:52:43 UTC

19th-Century Traffic Analysis

Posted By Bruce Schneier

There's a nice example of traffic analysis in the book No Name, by Wilkie Collins (1862). The attacker, Captain Wragge, needs to know whether a letter has been placed in the mail. He knows who it will have been addressed to if it has been mailed, and with that information, is able to convince the postmaster to tell him that...

Tue, 19 Feb 2013 12:11:29 UTC

Hacking Citation Counts

Posted By Bruce Schneier

Hacking citation counts using Google Scholar....

Mon, 18 Feb 2013 19:43:55 UTC

More State-Sponsored Hacking

Posted By Bruce Schneier

After the New York Times broke the story of what seemed to be a state-sponsored hack from China against the newspaper, the Register has stories of two similar attacks: one from Burma and another from China....

Mon, 18 Feb 2013 12:14:41 UTC

Automobile Data Surveillance and the Future of Black Boxes

Posted By Bruce Schneier

Tesla Motors gave one of its electric cars to John Broder, a very outspoken electric-car skeptic from the New York Times, for a test drive. After a negative review, Tesla revealed that it logged a dizzying amount of data from that test drive. The company then matched the reporter's claims against its logs and published a rebuttal. Broder rebutted the...

Fri, 15 Feb 2013 22:09:57 UTC

Friday Squid Blogging: More on Flying Squid

Posted By Bruce Schneier

Japanese squid researchers have confirmed flying squid can fly, and how they do it. (Note: I have written about flying squid before.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Feb 2013 18:52:24 UTC

Jacob Appelbaum's 29C3 Keynote Speech

Posted By Bruce Schneier

This speech from last December's 29C3 (29th Chaos Communication Congress) is worth listening to. He talks about what we can do in the face of oppressive power on the Internet. I'm not sure his answers are right, but am glad to hear someone talking about the real problems....

Fri, 15 Feb 2013 12:48:58 UTC

Guessing Smart Phone PINs by Monitoring the Accelerometer

Posted By Bruce Schneier

"Practicality of Accelerometer Side Channels on Smartphones," by Adam J. Aviv, Benjamin Sapp, Matt Blaze, and Jonathan M. Smith. Abstract: Modern smartphones are equipped with a plethora of sensors that enable a wide range of interactions, but some of these sensors can be employed as a side channel to surreptitiously learn about user input. In this paper, we show that...

Thu, 14 Feb 2013 17:42:59 UTC

Using the iWatch for Authentication

Posted By Bruce Schneier

Usability engineer Bruce Tognazzini talks about how an iWatch -- which seems to be either a mythical Apple product or one actually in development -- can make authentication easier. Passcodes. The watch can and should, for most of us, eliminate passcodes altogether on iPhones, and Macs and, if Apple's smart, PCs: As long as my watch is in range, let...

Thu, 14 Feb 2013 12:32:47 UTC

Anti-Cheating Security in Casinos

Posted By Bruce Schneier

Long article. With over a thousand cameras operating 24/7, the monitoring room creates tremendous amounts of data every day, most of which goes unseen. Six technicians watch about 40 monitors, but all the feeds are saved for later analysis. One day, as with OCR scanning, it might be possible to search all that data for suspicious activity. Say, a baccarat...

Wed, 13 Feb 2013 19:39:57 UTC

Real-World Prisoner's Dilemma from France

Posted By Bruce Schneier

This is a real story of a pair of identical twins who are suspected in a crime. There is CCTV and DNA evidence that could implicate either suspect. Detailed DNA testing that could resolve the guilty twin is prohibitively expensive. So both have been arrested in the hope that one may confess or implicate the other....

Wed, 13 Feb 2013 12:13:31 UTC

New al Qaeda Encryption Tool

Posted By Bruce Schneier

There's not a lot of information -- and quite a lot of hyperbole -- in this article: With the release of the Asrar Al Dardashah plugin, GIMF promised "secure correspondence" based on the Pidgin chat client, which supports multiple chat platforms, including Yahoo Messenger, Windows Live Messenger, AOL Instant Messenger, Google Talk and Jabber/XMPP. "The Asrar Al Dardashah plugin supports...

Tue, 12 Feb 2013 18:55:26 UTC

Massive Police Shootout in Cleveland Despite Lack of Criminals

Posted By Bruce Schneier

This is an amazing story. I urge you to read the whole thing, but here's the basics: A November car chase ended in a "full blown-out" firefight, with glass and bullets flying, according to Cleveland police officers who described for investigators the chaotic scene at the end of the deadly 25-minute pursuit. But when the smoky haze -- caused by...

Tue, 12 Feb 2013 12:53:19 UTC

Our New Regimes of Trust

Posted By Bruce Schneier

Society runs on trust. Over the millennia, we've developed a variety of mechanisms to induce trustworthy behavior in society. These range from a sense of guilt when we cheat, to societal disapproval when we lie, to laws that arrest fraudsters, to door locks and burglar alarms that keep thieves out of our homes. They're complicated and interrelated, but they tend...

Mon, 11 Feb 2013 19:25:40 UTC

Really Clever TLS Attack

Posted By Bruce Schneier

This is an extremely clever man-in-the-middle timing attack against AES that exploits the interaction between how the protocol implements AES in CBC mode for encryption, and HMAC-SHA1 for authentication. (And this is a really good plain-language description of it.)...

Mon, 11 Feb 2013 12:49:11 UTC

Platform Fragmentation as a Security Issue

Posted By Bruce Schneier

Interesting article about the difficulty Google has pushing security updates onto Android phones. The problem is that the phone manufacturer is in charge, and there are a lot of different phone manufacturers of varying ability and interest....

Sat, 09 Feb 2013 00:28:21 UTC

Friday Squid Blogging: Squid Recipe

Posted By Bruce Schneier

Chorizo-stuffed squid with potatoes, capers and sage. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Feb 2013 20:41:19 UTC

I Seem to Be a Physical Security Expert Now

Posted By Bruce Schneier

This seems so obviously written by someone who Googled me on the Internet, without any other knowledge of who I am or what I do....

Fri, 08 Feb 2013 17:20:44 UTC

Millennials and Cybersecurity

Posted By Bruce Schneier

This long report looks at risky online behavior among the Millennial generation, and finds that they respond positively to automatic reminders and prodding. No surprise, really....

Fri, 08 Feb 2013 12:16:47 UTC

Inauguration Security

Posted By Bruce Schneier

A first-person account of the security surrounding the second inauguration of President Obama....

Thu, 07 Feb 2013 18:51:41 UTC

Tide Becomes Drug Currency

Posted By Bruce Schneier

Basically, Tide detergent is a popular product with a very small profit margin. So small non-chain grocery and convenience stores are happy to buy it cheaply, no questions asked. This makes it easy to sell if you steal it. And drug dealers have started taking it as currency, large bottles being worth about $5....

Thu, 07 Feb 2013 12:35:01 UTC

Over $3M in Prizes to Hack Google Chrome

Posted By Bruce Schneier

Google's contest at the CanSecWest conference: Today we're announcing our third Pwnium competition -- Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS. We'll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD: $110,000: browser or system level...

Wed, 06 Feb 2013 18:21:36 UTC

Why Is Quantum Computing So Hard?

Posted By Bruce Schneier

Blog post (and two papers) by Ross Anderson and Robert Brady. News article....

Wed, 06 Feb 2013 12:36:06 UTC

New York Times Hacked by China

Posted By Bruce Schneier

This was big news last week, and I spent a lot of time doing press interviews about it. But while it is an important story -- hacking a newspaper looking for confidential sources is fundamentally different from hacking for financial gain -- it's not much different than GhostNet in 2009, Google's Chinese hacking stories from 2010 and 2011, or others....

Tue, 05 Feb 2013 18:16:05 UTC

Anti-Drone Clothing

Posted By Bruce Schneier

Clothing designed to thwart drones....

Tue, 05 Feb 2013 13:38:59 UTC

Proactive Defense Papers

Posted By Bruce Schneier

I just printed this out: "Proactive Defense for Evolving Cyber Threats," a Sandia Report by Richard Colbaugh and Kristin Glass. It's a collection of academic papers, and it looks interesting....

Mon, 04 Feb 2013 19:43:40 UTC

Security Seals

Posted By Bruce Schneier

I don't see a lot written about security seals, despite how common they are. This article is a very basic overview of the technologies....

Mon, 04 Feb 2013 12:39:35 UTC

Using Imagery to Avoid Censorship

Posted By Bruce Schneier

Interesting: "It's really hard for the government to censor things when they don't understand the made-up words or meaning behind the imagery," said Kevin Lee, COO of China Youthology, in conversation at the DLD conference in Munich on Monday. "The people there aren't even relying on text anymore. It's audio, visual, photos. All the young people are creating their own...

Fri, 01 Feb 2013 22:40:31 UTC

Friday Squid Blogging: Squid Anchor

Posted By Bruce Schneier

Webpage says that it's "the most effective lightweight, portable anchor around." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Feb 2013 18:36:44 UTC

Pentagon Staffs Up U.S. Cyber Command

Posted By Bruce Schneier

The Washington Post has the story: The move, requested by the head of the Defense Department's Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians. [...] The...

Fri, 01 Feb 2013 12:08:15 UTC

Jared Diamond on Common Risks

Posted By Bruce Schneier

Jared Diamond has an op-ed in the New York Times where he talks about how we overestimate rare risks and underestimate common ones. Nothing new here -- I and others have written about this sort of thing extensively -- but he says that this is a bias found more in developed countries than in primitive cultures. I first became aware...

Thu, 31 Jan 2013 19:28:59 UTC

The Eavesdropping System in Your Computer

Posted By Bruce Schneier

Dan Farmer has an interesting paper (long version here; short version here) discussing the Baseboard Management Controller on your computer's motherboard: The BMC is an embedded computer found on most server motherboards made in the last 10 or 15 years. Often running Linux, the BMC's CPU, memory, storage, and network run independently. It runs Intel's IPMI out-of-band systems management protocol...

Thu, 31 Jan 2013 13:09:16 UTC

Power and the Internet

Posted By Bruce Schneier

All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that's only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken...

Wed, 30 Jan 2013 18:20:08 UTC

"People, Process, and Technology"

Posted By Bruce Schneier

Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system. This blog...

Wed, 30 Jan 2013 12:51:55 UTC

Who Does Skype Let Spy?

Posted By Bruce Schneier

Lately I've been thinking a lot about power and the Internet, and what I call the feudal model of IT security that is becoming more and more pervasive. Basically, between cloud services and locked-down end-user devices, we have less control and visibility over our security -- and have no choice but to trust those in power to keep us safe....

Tue, 29 Jan 2013 19:06:14 UTC

Backdoors Built in to Barracuda Networks Equipment

Posted By Bruce Schneier

Don't we know enough not to do this anymore?...

Tue, 29 Jan 2013 12:32:58 UTC

Complexity and Security

Posted By Bruce Schneier

I have written about complexity and security for over a decade now (for example, this from 1999). Here's the results of a survey that confirms this: Results showed that more than half of the survey respondents from mid-sized (identified as 50-2500 employees) and enterprise organizations (identified as 2500+ employees) stated that complex policies ultimately led to a security breach, system...

Mon, 28 Jan 2013 19:25:17 UTC

Dangerous Security Theater: Scrambling Fighter Jets

Posted By Bruce Schneier

This story exemplifies everything that's wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities. Typical overreaction, but in this case -- as in several others over the past decade -- F-15 fighter jets were scrambled to...

Mon, 28 Jan 2013 12:07:31 UTC

Violence as a Contagious Disease

Posted By Bruce Schneier

This is fascinating: Intuitively we understand that people surrounded by violence are more likely to be violent themselves. This isn't just some nebulous phenomenon, argue Slutkin and his colleagues, but a dynamic that can be rigorously quantified and understood. According to their theory, exposure to violence is conceptually similar to exposure to, say, cholera or tuberculosis. Acts of violence are...

Fri, 25 Jan 2013 22:15:12 UTC

Friday Squid Blogging: Squirming Tentacle USB Drive

Posted By Bruce Schneier

Just the thing. (Note that this is different than the previous squid USB drive I blogged about.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Jan 2013 20:47:30 UTC

Video Interview with Me

Posted By Bruce Schneier

This interview was conducted last month, at an artificial intelligence conference at Oxford....

Fri, 25 Jan 2013 13:03:50 UTC

Shaming as Punishment for Repeated Drunk Driving

Posted By Bruce Schneier

Janesville, Wisconsin, has published information about repeated drunk driving offenders since 2010. The idea is that the public shame will reduce future incidents....

Thu, 24 Jan 2013 19:33:22 UTC

Identifying People from their Writing Style

Posted By Bruce Schneier

It's called stylometry, and it's based on the analysis of things like word choice, sentence structure, syntax and punctuation. In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample. Download tools here, including one to anonymize your writing style....

Thu, 24 Jan 2013 12:48:36 UTC

Identifying People from their DNA

Posted By Bruce Schneier

Interesting: The genetic data posted online seemed perfectly anonymous -- strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had...

Wed, 23 Jan 2013 18:55:43 UTC

The Security of the Mega File-Sharing Service

Posted By Bruce Schneier

Ever since the launch of Kim Dotcom's file-sharing service, I have been asked about the unorthodox encryption and security system. I have not reviewed it, and don't have an opinion. All I know is what I read: this, this, this, this, and this. Please add other links in the comments....

Wed, 23 Jan 2013 12:14:37 UTC

Commenting on Aaron Swartz's Death

Posted By Bruce Schneier

There has been an enormous amount written about the suicide of Aaron Swartz. This is primarily a collection of links, starting with those that use his death to talk about the broader issues at play: Orin Kerr, Larry Lessig, Jennifer Granick, Glenn Greenwald, Henry Farrell, danah boyd, Cory Doctorow, James Fallows, Brewster Kahle, Carl Malamud, and Mark Bernstein. Here are...

Tue, 22 Jan 2013 18:04:33 UTC

Google's Authentication Research

Posted By Bruce Schneier

Google is working on non-password authentication techniques. But for Google's password-liberation plan to really take off, they're going to need other websites to play ball. "Others have tried similar approaches but achieved little success in the consumer world," they write. "Although we recognize that our initiative will likewise remain speculative until we've proven large scale acceptance, we're eager to test...

Tue, 22 Jan 2013 11:23:44 UTC

Thinking About Obscurity

Posted By Bruce Schneier

This essay is worth reading: Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn't mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent. Online, obscurity is...

Mon, 21 Jan 2013 12:38:47 UTC

TSA Removing Rapiscan Full-Body Scanners from U.S. Airports

Posted By Bruce Schneier

This is big news: The U.S. Transportation Security Administration will remove airport body scanners that privacy advocates likened to strip searches after OSI Systems Inc. (OSIS) couldn't write software to make passenger images less revealing. This doesn't mean the end of full-body scanning. There are two categories of these devices: backscatter X-ray and millimeter wave. The government said Friday it...

Fri, 18 Jan 2013 21:31:17 UTC

Friday Squid Blogging: The Search for the Colossal Squid

Posted By Bruce Schneier

Now that videographers have bagged a giant squid, the search turns to the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 17 Jan 2013 15:50:13 UTC

Man-in-the-Middle Attacks Against Browser Encryption

Posted By Bruce Schneier

Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions. The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections -- including social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages. The...

Thu, 17 Jan 2013 13:39:07 UTC

Essay on FBI-Mandated Backdoors

Posted By Bruce Schneier

Good essay by Matt Blaze and Susan Landau....

Wed, 16 Jan 2013 12:25:47 UTC

Cheating at Chess

Posted By Bruce Schneier

There's a fascinating story about a probable tournament chess cheat. No one knows how he does it; there are only the facts that 1) historically he's not nearly as good as his recent record, and 2) his moves correlate almost perfectly with one of the best computer chess programs. The general question is how valid statistical evidence is when there is no...

Tue, 15 Jan 2013 12:10:50 UTC

Lexical Warfare

Posted By Bruce Schneier

This essay, which uses the suicide of Aaron Swartz as a jumping-off point for how the term "hacktivist" has been manipulated by various powers, has this to say about "lexical warfare": I believe the debate itself is far broader than the specifics of this unhappy case, for if there was prosecutorial overreach it raises the question of whether we...

Mon, 14 Jan 2013 19:27:28 UTC

Anti-Surveillance Clothing

Posted By Bruce Schneier

It's both an art project and a practical clothing line. ...Harvey's line of "Stealth Wear" clothing includes an "anti-drone hoodie" that uses metalized material designed to counter thermal imaging used by drones to spot people on the ground. He's also created a cellphone pouch made of a special "signal attenuating fabric." The pocket blocks your phone signal so that it...

Mon, 14 Jan 2013 12:54:58 UTC

The Origins of War

Posted By Bruce Schneier

Philosophy professor David Livingstone Smith on the origins of war....

Fri, 11 Jan 2013 21:59:07 UTC

Friday Squid Blogging: Giant Squid Video

Posted By Bruce Schneier

Last week, I blogged about an upcoming Discovery Channel program with actual video footage of a live giant squid. ABC News has a tantalizingly short sneak peek. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Jan 2013 14:10:17 UTC

Experimental Results: Liars and Outliers Trust Offer

Posted By Bruce Schneier

Last August, I offered to sell Liars and Outliers for $11 in exchange for a book review. This was much less than the $30 list price; less even than the $16 Amazon price. For readers outside the U.S., where books can be very expensive, it was a great price. I sold 800 books from this offer -- much more than...

Thu, 10 Jan 2013 12:49:12 UTC

The Politics and Philosophy of National Security

Posted By Bruce Schneier

This essay explains why we're all living in failed Hobbesian states: What do these three implications -- states have a great deal of freedom to determine what threatens a people and how to respond to those threats, and in making those determinations, they are influenced by the interests and ideologies of their primary constituencies; states have strong incentives and have...

Wed, 09 Jan 2013 12:44:18 UTC

Denial-of-Service Attack Against Facebook

Posted By Bruce Schneier

Just claim the person is dead. All you need to do is fake an online obituary....

Tue, 08 Jan 2013 19:36:53 UTC

Cat Smuggler

Posted By Bruce Schneier

Not a cat burglar, a cat smuggler. Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body. Another article, with video. A prison spokesperson was quoted by...

Tue, 08 Jan 2013 12:28:14 UTC

DHS Gets to Spy on Everyone

Posted By Bruce Schneier

This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name: The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure...

Mon, 07 Jan 2013 12:31:33 UTC

Details of an Internet Scam

Posted By Bruce Schneier

Interesting details of an Amazon Marketplace scam. Worth reading. Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or...

Fri, 04 Jan 2013 21:36:32 UTC

Friday Squid Blogging: Giant Squid Finally Captured on Video

Posted By Bruce Schneier

We'll see it later this month. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Jan 2013 13:48:22 UTC

What Facebook Gives the Police

Posted By Bruce Schneier

This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public....

Thu, 03 Jan 2013 12:03:48 UTC

Classifying a Shape

Posted By Bruce Schneier

This is a great essay: Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don't have to use spheres -- cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets -- but...

Wed, 02 Jan 2013 14:44:41 UTC

Apollo Robbins, Pickpocket

Posted By Bruce Schneier

Fascinating story: "Come on," Jillette said. "Steal something from me." Again, Robbins begged off, but he offered to do a trick instead. He instructed Jillette to place a ring that he was wearing on a piece of paper and trace its outline with a pen. By now, a small crowd had gathered. Jillette removed his ring, put it down on...

Mon, 31 Dec 2012 12:44:16 UTC

Terms of Service as a Security Threat

Posted By Bruce Schneier

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general. As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our...

Fri, 28 Dec 2012 21:16:09 UTC

Friday Squid Blogging: William Gilly, Squid Researcher

Posted By Bruce Schneier

Good article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Dec 2012 18:34:37 UTC

I Seem to Be a Verb

Posted By Bruce Schneier

From "The Insider's TSA Dictionary": Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: "A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn't it be more dangerous if I were to make my scissors into two blades, or to go...

Fri, 28 Dec 2012 12:37:49 UTC

Becoming a Police Informant in Exchange for a Lighter Sentence

Posted By Bruce Schneier

Fascinating article. Snitching has become so commonplace that in the past five years at least 48,895 federal convicts -- one of every eight -- had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences. How...

Thu, 27 Dec 2012 19:02:46 UTC

Breaking Hard-Disk Encryption

Posted By Bruce Schneier

The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it's only $300. How does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes...

Thu, 27 Dec 2012 12:21:53 UTC

Public Shaming as a Security Measure

Posted By Bruce Schneier

In Liars and Outliers, I talk a lot about the more social forms of security. One of them is reputational. This post is about that squishy sociological security measure: public shaming as a way to punish bigotry (and, by extension, to reduce the incidence of bigotry). It's a pretty rambling post, first listing some of the public shaming sites, then...

Wed, 26 Dec 2012 17:50:21 UTC

Cryptography Engineering Available as an eBook

Posted By Bruce Schneier

Finally, Cryptography Engineering is available as an ebook. Even better, it's today's deal of the day at O'Reilly: $27.50 (50% off) and no copy protection. (The discount won't show until you add the book to your cart.)...

Wed, 26 Dec 2012 12:05:50 UTC

Hackers Use Backdoor to Break System

Posted By Bruce Schneier

Industrial control system comes with a backdoor: Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. "[Th]e published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login," said the memo. The security of this...

Mon, 24 Dec 2012 18:59:13 UTC

Peruvian Spider Species Creates Decoys

Posted By Bruce Schneier

Cyclosa spiders create decoys to fool predators....

Mon, 24 Dec 2012 12:31:48 UTC

Phishing via Twitter

Posted By Bruce Schneier

Interesting firsthand phishing story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a...

Fri, 21 Dec 2012 22:58:14 UTC

Friday Squid Blogging: Laughing Squid

Posted By Bruce Schneier

The small San Francisco film and video company is celebrating its 17th anniversary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Dec 2012 18:12:11 UTC

This Week's Overreactions

Posted By Bruce Schneier

Schools go into lockdown over a thermometer, a car backfiring, a bank robbery a few blocks away, a student alone in a gym, a neighbor on the street, and some vague unfounded rumors. And one high-school kid was arrested for drawing pictures of guns. Everywhere else, "post-traumatic stupidity syndrome." (It's not a new phrase -- Google shows hits back to...

Fri, 21 Dec 2012 12:20:05 UTC

Amazon Replacement-Order Scam

Posted By Bruce Schneier

Clever: Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon....

Thu, 20 Dec 2012 12:32:21 UTC

China Now Blocking Encryption

Posted By Bruce Schneier

The "Great Firewall of China" is now able to detect and block encryption: A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the...

Wed, 19 Dec 2012 12:47:27 UTC

Information-Age Law Enforcement Techniques

Posted By Bruce Schneier

This is an interesting blog post: Buried inside a recent United Nations Office on Drugs and Crime report titled Use of Internet for Terrorist Purposes one can carve out details and examples of law enforcement electronic surveillance techniques that are normally kept secret. [...] Point 280: International members of the guerilla group Revolutionary Armed Forces of Colombia (FARC) communicated with...

Tue, 18 Dec 2012 12:38:47 UTC

Nasty Samsung Phone Exploit

Posted By Bruce Schneier

There's a new exploit against Samsung Galaxy phones that allows a rogue app access to all memory. A hacker could copy all of your data, erase all of your data, and basically brick your phone. I haven't found an official Samsung response, but there is a quick fix....

Mon, 17 Dec 2012 18:39:05 UTC

Possible Decryption of World War II Pigeon Message

Posted By Bruce Schneier

A Canadian claims that the message is based on a WWI codebook. A spokesman from GCHQ remains dubious, but says they'll be happy to look at the proposed solution....

Fri, 14 Dec 2012 22:44:32 UTC

Friday Squid Blogging: Giant PVC Squid

Posted By Bruce Schneier

Neat art project. Another link. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Dec 2012 18:24:13 UTC

Book Review: Against Security

Posted By Bruce Schneier

Against Security: How We Go Wrong at Airports, Subways, and Other Sites of Ambiguous Danger, by Harvey Molotch, Princeton University Press, 278 pages, $35. Security is both a feeling and a reality, and the two are different things. People can feel secure when they're actually not, and they can be secure even when they believe otherwise. This discord explains much...

Fri, 14 Dec 2012 13:28:14 UTC

The History of Security Economics

Posted By Bruce Schneier

Ross Anderson recalls the history of security economics (presentation and paper)....

Thu, 13 Dec 2012 18:33:14 UTC

The Internet in North Korea

Posted By Bruce Schneier

How Internet censorship works in North Korea....

Thu, 13 Dec 2012 12:19:23 UTC

QR Code Scams

Posted By Bruce Schneier

There's a rise in QR codes that point to fraudulent sites. One of the warning signs seems to be a sticker with the code, rather than a code embedded in an advertising poster. This brings up another question: does anyone actually use these things?...

Wed, 12 Dec 2012 18:59:30 UTC

Detecting Edited Audio

Posted By Bruce Schneier

Interesting development in forensic analysis: Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording. Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging...

Wed, 12 Dec 2012 12:06:26 UTC

Drone Flights Over the US

Posted By Bruce Schneier

The EFF has been prying data out of the government and analyzing it....

Tue, 11 Dec 2012 19:03:22 UTC

The National Cyber Security Framework Manual

Posted By Bruce Schneier

This book is available as a free pdf download: The National Cyber Security Framework Manual provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government -- political, strategic, operational and tactical/technical -- each have their own perspectives...

Tue, 11 Dec 2012 12:08:25 UTC

Dictators Shutting Down the Internet

Posted By Bruce Schneier

Excellent article: "How to Shut Down Internets." First, he describes what just happened in Syria. Then: Egypt turned off the internet by using the Border Gateway Protocol trick, and also by switching off DNS. This has a similar effect to throwing bleach over a map. The location of every street and house in the country is blotted out. All the...

Mon, 10 Dec 2012 19:04:05 UTC

Bypassing Two-Factor Authentication

Posted By Bruce Schneier

Yet another way two-factor authentication has been bypassed: For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that...

Mon, 10 Dec 2012 11:56:12 UTC

Buy Your Own ATM Skimmer for $3000

Posted By Bruce Schneier

I have no idea if this is real. If I had to guess, I would say no....

Fri, 07 Dec 2012 22:04:33 UTC

Squids on the Economist Cover

Posted By Bruce Schneier

Four squids on the cover of this week's Economist represent the four massive (and intrusive) data-driven Internet giants: Google, Facebook, Apple, and Amazon. Interestingly, these are the same four companies I've been listing as the new corporate threat to the Internet. The first of three pillars propping up this outside threat are big data collectors, which in addition to Apple...

Thu, 06 Dec 2012 16:59:03 UTC

Comedy and Cryptography

Posted By Bruce Schneier

Not the sort of pairing I normally think of, but: Robin Ince and Brian Cox are joined on stage by comedian Dave Gorman, author and Enigma Machine owner Simon Singh and Bletchley Park enthusiast Dr Sue Black as they discuss secret science, code-breaking and the extraordinary achievements of the team working at Bletchley during WW II. Audio here....

Wed, 05 Dec 2012 12:01:00 UTC

Roger Williams' Cipher Cracked

Posted By Bruce Schneier

Another historical cipher, this one from the 1600s, has been cracked: Senior math major Lucas Mason-Brown, who has done the majority of the decoding, said his first instinct was to develop a statistical tool. The 21-year-old from Belmont, Mass., used frequency analysis, which looks at the frequency of letters or groups of letters in a text, but initially didn't get...

Mon, 03 Dec 2012 13:24:27 UTC

Feudal Security

Posted By Bruce Schneier

It's a feudal world out there. Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft...

Fri, 30 Nov 2012 20:18:00 UTC

Friday Squid Blogging: Possible Squid Eyeball Found in Florida

Posted By Bruce Schneier

It's the size of a softball. No sign of the squid it came from. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 30 Nov 2012 11:23:15 UTC

Hacking by the Syrian Government

Posted By Bruce Schneier

Good article on how the Syrian government hacked into the computers of dissidents: The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the Arab Spring was reaching a crescendo, the government in Damascus suddenly reversed a long-standing ban on websites such as Facebook, Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd...

Thu, 29 Nov 2012 22:36:25 UTC

Advances in Attacking ATMs

Posted By Bruce Schneier

Cash traps and card traps are the new thing: [Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer's card from being ejected from the ATM when the transaction is completed. "Spring traps are still being widely used," EAST wrote in its most recent European Fraud Update. "Once the...

Wed, 28 Nov 2012 19:30:35 UTC

James Bond Movie-Plot Threats

Posted By Bruce Schneier

Amusing post on the plausibility of the evil plans from the various movies....

Wed, 28 Nov 2012 11:55:47 UTC

The Psychology of IT Security Trade-offs

Posted By Bruce Schneier

Good article. I agree with the conclusion that the solution isn't to convince people to make better choices, but to change the IT architecture so that it's easier to make better choices....

Tue, 27 Nov 2012 18:12:19 UTC

Classified Information Confetti

Posted By Bruce Schneier

Some of the confetti at the Macy's Thanksgiving Day Parade in New York consisted of confidential documents from the Nassau County Police Department, shredded sideways....

Tue, 27 Nov 2012 12:39:05 UTC

Hackback

Posted By Bruce Schneier

Stewart Baker, Orin Kerr, and Eugene Volokh on the legality of hackback....

Mon, 26 Nov 2012 15:48:10 UTC

Liars and Outliers Ebook 50% Off and DRM-Free

Posted By Bruce Schneier

Today only, O'Reilly is offering 50% off all its ebooks, including Liars and Outliers. This is probably the cheapest you'll find a DRM-free copy of the book....

Mon, 26 Nov 2012 15:35:19 UTC

Homeland Security Essay Contest

Posted By Bruce Schneier

The Naval Postgraduate School's Center for Homeland Defense and Security is running its sixth annual essay competition. There are cash prizes. (Info on previous years here.)...

Fri, 23 Nov 2012 22:50:52 UTC

Friday Squid Blogging: Another Squid Comic

Posted By Bruce Schneier

Another squid comic. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 Nov 2012 12:18:19 UTC

Preventing Catastrophic Threats

Posted By Bruce Schneier

"Recommendations to Prevent Catastrophic Threats." Federation of American Scientists, 9 November 2012. It's twelve specific sets of recommendations for twelve specific threats. See also this....

Wed, 21 Nov 2012 20:06:29 UTC

Cell Phone Surveillance

Posted By Bruce Schneier

Good article on the different ways the police can eavesdrop on cell phone calls....

Wed, 21 Nov 2012 12:34:40 UTC

Decrypting a Secret Society's Documents from the 1740s

Posted By Bruce Schneier

Great story, both the cryptanalysis process and the Oculists....

Tue, 20 Nov 2012 18:53:47 UTC

Anonymous Claims it Sabotaged Rove Election Hacking

Posted By Bruce Schneier

Can anyone make heads or tails of this story? (More links.) For my part, I'd like a little -- you know -- evidence. Remember that Ohio was not the deciding state in the election. Neither was Florida or Virginia. It was Colorado. So even if there was this magic election-stealing software running in Ohio, it wouldn't have made any difference....

Mon, 19 Nov 2012 18:40:03 UTC

E-Mail Security in the Wake of Petraeus

Posted By Bruce Schneier

I've been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with: The FBI obliged, apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender's anonymous Google Mail account to others accessed from the same computers, accounts that belonged to...

Mon, 19 Nov 2012 11:41:01 UTC

Security Theater in American Diplomatic Missions

Posted By Bruce Schneier

I noticed this in an article about how increased security and a general risk aversion is harming US diplomatic missions: "Barbara Bodine, who was the U.S. ambassador to Yemen during the Qaeda bombing of the U.S.S. Cole in 2000, told me she believes that much of the security American diplomats are forced to travel with is counterproductive. "There's this idea...

Fri, 16 Nov 2012 22:30:44 UTC

Friday Squid Blogging: Vampire Squid

Posted By Bruce Schneier

Vampire squid eats marine wastes (paper and video). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Nov 2012 18:11:27 UTC

Jamming 4G Cell Networks

Posted By Bruce Schneier

It's easy....

Fri, 16 Nov 2012 12:13:03 UTC

Stealing VM Keys from the Hardware Cache

Posted By Bruce Schneier

Research into one VM stealing crypto keys from another VM running on the same hardware. ABSTRACT: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized...

Thu, 15 Nov 2012 12:45:24 UTC

The Terrorist Risk of Food Trucks

Posted By Bruce Schneier

This is idiotic: Public Intelligence recently posted a Powerpoint presentation from the NYC fire department (FDNY) discussing the unique safety issues mobile food trucks present. Along with some actual concerns (many food trucks use propane and/or gasoline-powered generators to cook; some *gasp* aren't properly licensed food vendors), the presenter decided to toss in some DHS speculation on yet another way...

Wed, 14 Nov 2012 18:28:08 UTC

Webmail as Dead Drop

Posted By Bruce Schneier

I noticed this amongst the details of the Petraeus scandal: Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic, one of the law enforcement officials said. Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder...

Wed, 14 Nov 2012 11:57:07 UTC

Keys to the Crown Jewels Stolen?

Posted By Bruce Schneier

At least, that's the story: The locks at the Tower of London, home to the Crown Jewels, had to be changed after a burglar broke in and stole keys. The intruder scaled gates and took the keys from a sentry post. Guards spotted him but couldn't give chase as they are not allowed to leave their posts. But the story...

Tue, 13 Nov 2012 12:15:35 UTC

Free Online Cryptography Course

Posted By Bruce Schneier

Dan Boneh of Stanford University is offering a free online cryptography course. The course runs for six weeks, and has five to seven hours of coursework per week. It just started last week....

Mon, 12 Nov 2012 19:03:48 UTC

Fairy Wren Passwords

Posted By Bruce Schneier

Mother fairy wrens teach their children passwords while they're still in their eggs to tell them from cuckoo impostors: She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the...

Mon, 12 Nov 2012 11:47:17 UTC

Encryption in Cloud Computing

Posted By Bruce Schneier

This article makes the important argument that encryption -- where the user and not the cloud provider holds the keys -- is critical to protect cloud data. The problem is, it upsets cloud providers' business models: In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider's...

Fri, 09 Nov 2012 22:16:27 UTC

Friday Squid Blogging: Squid Ink as a Condiment

Posted By Bruce Schneier

Burger King introduces a black burger with ketchup that includes squid ink. Only in Japan, of course....

Fri, 09 Nov 2012 19:32:39 UTC

How To Tell if Your Hotel Guest Is a Terrorist

Posted By Bruce Schneier

From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist. I myself have done several of these. More generally, this is another example of why all the "see something say something" campaigns fail: "If you ask amateurs to act as front-line security personnel, you shouldn't be...

Fri, 09 Nov 2012 12:41:39 UTC

How Terrorist Groups Disband

Posted By Bruce Schneier

Interesting research from RAND: Abstract: How do terrorist groups end? The evidence since 1968 indicates that terrorist groups rarely cease to exist as a result of winning or losing a military campaign. Rather, most groups end because of operations carried out by local police or intelligence agencies or because they join the political process. This suggests that the United States...

Thu, 08 Nov 2012 19:24:59 UTC

Gary McGraw on National Cybersecurity

Posted By Bruce Schneier

Good essay, making the point that cyberattack and counterattack aren't very useful -- actual cyberdefense is what's wanted. Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an...

Thu, 08 Nov 2012 12:57:17 UTC

Micromorts

Posted By Bruce Schneier

Here's a great concept: a micromort: Shopping for coffee you would not ask for 0.00025 tons (unless you were naturally irritating), you would ask for 250 grams. In the same way, talking about a 1/125,000 or 0.000008 risk of death associated with a hang-gliding flight is rather awkward. With that in mind, Howard coined the term "microprobability" (μp) to refer...

Wed, 07 Nov 2012 19:39:08 UTC

New SSL Vulnerability

Posted By Bruce Schneier

It's hard for me to get too worked up about this vulnerability: Many popular applications, HTTP(S) and WebSocket transport libraries, and SOAP and REST Web-services middleware use SSL/TLS libraries incorrectly, breaking or disabling certificate validation. Their SSL and TLS connections are not authenticated, thus they -- and any software using them -- are completely insecure against a man-in-the-middle attacker. Great...

Wed, 07 Nov 2012 12:16:10 UTC

Regulation as a Prisoner's Dilemma

Posted By Bruce Schneier

This is the sort of thing I wrote about in my latest book. The Prisoner's Dilemma as outlined above can be seen in action in two variants within regulatory activities, and offers a clear insight into why those involved in regulation act as they do. The first relationship is that between the various people and organisations being regulated -- banks,...

Tue, 06 Nov 2012 18:17:00 UTC

Three-Rotor Enigma Machine Up for Auction

Posted By Bruce Schneier

Expensive, but it's in complete working order. They're also auctioning off a complete set of rotors; those are even rarer than the machines -- which are often missing their rotors....

Tue, 06 Nov 2012 16:13:43 UTC

Wanted: RSA Exhibitor for Book Signing

Posted By Bruce Schneier

Is anyone out there interested in buying a pile of copies of my Liars and Outliers for a giveaway and book signing at the RSA Conference? I can guarantee enormous crowds at your booth for as long as there are books to give away. This could also work for an after-hours event. Please let me know. I can get you...

Tue, 06 Nov 2012 12:40:09 UTC

New Vulnerability Against Industrial Control Systems

Posted By Bruce Schneier

It doesn't look good. These are often called SCADA vulnerabilities, although it isn't SCADA that's involved here. They're against programmable logic controllers (PLCs): the same industrial controllers that Stuxnet attacked....

Mon, 05 Nov 2012 20:54:47 UTC

New Jersey Allows Voting by E-Mail

Posted By Bruce Schneier

I'm not filled with confidence, but this seems like the best of a bunch of bad alternatives....

Mon, 05 Nov 2012 19:26:20 UTC

New WWII Cryptanalysis

Posted By Bruce Schneier

I'd sure like to know more about this: Government code-breakers are working on deciphering a message that has remained a secret for 70 years. It was found on the remains of a carrier pigeon that was discovered in a chimney, in Surrey, having been there for decades. It is thought the contents of the note, once decoded, could provide fresh...

Mon, 05 Nov 2012 12:19:55 UTC

On the Ineffectiveness of Airport Security Pat-Downs

Posted By Bruce Schneier

I've written about it before, but not half as well as this story: "That search was absolutely useless." I said. "And just shows how much of all of this is security theatre. You guys are just feeling up passengers for no good effect, which means that you get all the downsides of a search -- such as annoyed travellers who...

Fri, 02 Nov 2012 11:37:14 UTC

Loopholes

Posted By Bruce Schneier

Interesting This American Life show on loopholes. The first part is about getting around the Church's ban against suicide. The second part is about an interesting insurance scheme....

Fri, 02 Nov 2012 11:30:07 UTC

Friday Squid Blogging: Squid Costume

Posted By Bruce Schneier

This is great....

Thu, 01 Nov 2012 11:34:11 UTC

Peter Neumann Profile

Posted By Bruce Schneier

Really nice profile in the New York Times. It includes a discussion of the Clean Slate program: Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently? The program includes two separate but related efforts: Crash,...

Tue, 30 Oct 2012 17:57:30 UTC

Doping in Professional Sports

Posted By Bruce Schneier

I updated a 2006 essay of mine on the security issues around sports doping....

Tue, 30 Oct 2012 14:24:13 UTC

Rap News on Internet Surveillance

Posted By Bruce Schneier

Wow....

Tue, 30 Oct 2012 11:49:06 UTC

Dan Ariely on Dishonesty

Posted By Bruce Schneier

Good talk, and I've always liked these animators....

Mon, 29 Oct 2012 22:24:43 UTC

Detecting Fake Hurricane Photographs

Posted By Bruce Schneier

A short tutorial here. Actually, it's good advice even if there weren't a hurricane....

Mon, 29 Oct 2012 18:53:37 UTC

Protecting (and Collecting) the DNA of World Leaders

Posted By Bruce Schneier

There's a lot of hype and hyperbole in this story, but here's the interesting bit: According to Ronald Kessler, the author of the 2009 book In the President's Secret Service, Navy stewards gather bedsheets, drinking glasses, and other objects the president has touched -- they are later sanitized or destroyed -- in an effort to keep would-be malefactors from obtaining his genetic material....

Mon, 29 Oct 2012 11:36:19 UTC

Sony Playstation 3 Master Key Leaked

Posted By Bruce Schneier

Oops....

Fri, 26 Oct 2012 21:26:20 UTC

Friday Squid Blogging: Squid from the Power Ranger Universe

Posted By Bruce Schneier

Ika Origami....

Fri, 26 Oct 2012 11:46:52 UTC

Hacking TSA PreCheck

Posted By Bruce Schneier

I have a hard time getting worked up about this story: I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps....

Thu, 25 Oct 2012 11:27:58 UTC

The Risks of Trusting Experts

Posted By Bruce Schneier

I'm not sure what to think about this story: Six Italian scientists and an ex-government official have been sentenced to six years in prison over the 2009 deadly earthquake in L'Aquila. A regional court found them guilty of multiple manslaughter. Prosecutors said the defendants gave a falsely reassuring statement before the quake, while the defence maintained there was no way...

Wed, 24 Oct 2012 18:27:15 UTC

Risks of Data Portability

Posted By Bruce Schneier

Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general. ...Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person's data. Previous access requests by individuals were...

Wed, 24 Oct 2012 10:57:41 UTC

Weaponizing Office Supplies

Posted By Bruce Schneier

Now this is interesting....

Mon, 22 Oct 2012 12:18:53 UTC

Camera Jammer that Protects Licence Plates

Posted By Bruce Schneier

noPhoto reacts to a camera flash, and then jams the image with a bright light. The website makes the point that this is legal, but that can't last....

Fri, 19 Oct 2012 21:54:20 UTC

Friday Squid Blogging: Squid Insurance

Posted By Bruce Schneier

This was once a real insurance product. Squid Insurance Marketing was the low-end offering at Astonish, complete with the tagline "Nothing Kills a Squid!" As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Oct 2012 12:45:59 UTC

Stoking Cyber Fears

Posted By Bruce Schneier

A lot of the debate around President Obama's cybersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general. It's difficult to have any serious policy discussion amongst the fear mongering....

Thu, 18 Oct 2012 11:11:51 UTC

Analysis of How Bitcoin Is Actually Used

Posted By Bruce Schneier

"Quantitative Analysis of the Full Bitcoin Transaction Graph," by Dorit Ron and Adi Shamir: Abstract. The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph....

Wed, 17 Oct 2012 11:23:52 UTC

Genetic Privacy

Posted By Bruce Schneier

New report from the Presidential Commission for the Study of Bioethical Issues. It's called "Privacy and Progress in Whole Genome Sequencing." The Commission described the rapid advances underway in the field of genome sequencing, but also noted growing concerns about privacy and security. The report lists twelve recommendations to improve current practices and to help safeguard privacy and security, including...

Tue, 16 Oct 2012 11:12:52 UTC

Studying Zero-Day Attacks

Posted By Bruce Schneier

Interesting paper: "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World," by Leyla Bilge and Tudor Dumitras: Abstract: Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing,...

Mon, 15 Oct 2012 18:21:40 UTC

Apple Turns on iPhone Tracking in iOS6

Posted By Bruce Schneier

This is important: Previously, Apple had all but disabled tracking of iPhone users by advertisers when it stopped app developers from utilizing Apple mobile device data via UDID, the unique, permanent, non-deletable serial number that previously identified every Apple device. For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to...

Mon, 15 Oct 2012 12:02:08 UTC

Master Keys

Posted By Bruce Schneier

Earlier this month, a retired New York City locksmith was selling a set of "master keys" on eBay: Three of the five are standard issue for members of the FDNY, and the set had a metal dog tag that was embossed with an FDNY lieutenant's shield number, 6896. The keys include the all-purpose "1620," a master firefighter key that with...

Sat, 13 Oct 2012 12:28:56 UTC

Another Liars and Outliers Review

Posted By Bruce Schneier

I was reviewed in Science: Thus it helps to have a lucid and informative account such as Bruce Schneier's Liars and Outliers. The book provides an interesting and entertaining summary of the state of play of research on human social behavior, with a special emphasis on trust and trustworthiness. [...] Free from preoccupations and personal attachments to any of the...

Fri, 12 Oct 2012 21:17:00 UTC

Friday Squid Blogging: Squid Car

Posted By Bruce Schneier

A squid art car. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 11 Oct 2012 12:03:15 UTC

"Ask Nicely" Doesn't Work as a Security Mechanism

Posted By Bruce Schneier

Apple's map application shows more of Taiwan than Google Maps: The Taiwanese government/military, like many others around the world, requests that satellite imagery providers, such as Google Maps, blur out certain sensitive military installations. Unfortunately, Apple apparently didn't get that memo. [...] According to reports the Taiwanese defence ministry hasn't filed a formal request with Apple yet but thought it...

Wed, 10 Oct 2012 13:18:42 UTC

The Insecurity of Networks

Posted By Bruce Schneier

Not computer networks, networks in general: Findings so far suggest that networks of networks pose risks of catastrophic danger that can exceed the risks in isolated systems. A seemingly benign disruption can generate rippling negative effects. Those effects can cost millions of dollars, or even billions, when stock markets crash, half of India loses power or an Icelandic volcano spews...

Tue, 09 Oct 2012 11:31:43 UTC

Story of a CIA Burglar

Posted By Bruce Schneier

This is a fascinating story of a CIA burglar, who worked for the CIA until he tried to work against the CIA. The fact that he stole code books and keys from foreign embassies makes it extra interesting, and the complete disregard for the Constitution at the end makes it extra scary....

Mon, 08 Oct 2012 13:12:38 UTC

New Developments in Captchas

Posted By Bruce Schneier

In the never-ending arms race between systems to prove that you're a human and computers that can fake it, here's a captcha that tests whether you have human feelings. Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you...

Fri, 05 Oct 2012 21:38:19 UTC

Friday Squid Blogging: Giant Squid Engraving from the 1870s

Posted By Bruce Schneier

Neat book illustration. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Oct 2012 18:24:43 UTC

When Will We See Collisions for SHA-1?

Posted By Bruce Schneier

On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; also a member of the Skein team) did some back-of-the-envelope calculations to estimate how long it will be before we see a practical collision attack against SHA-1. I'm reprinting his analysis here, so it reaches a broader audience. According to E-BASH, the cost of one block of a SHA-1...

Fri, 05 Oct 2012 12:44:48 UTC

Maps Showing Spread of ZeroAccess Botnet

Posted By Bruce Schneier

The folks at F-Secure have plotted ZeroAccess infections across the U.S. and across Europe. It's interesting to see, but I'm curious to see the data normalized to the number of computers on the Internet....

Thu, 04 Oct 2012 20:35:10 UTC

Tradecraft and Terrorism

Posted By Bruce Schneier

Interesting....

Wed, 03 Oct 2012 15:00:21 UTC

Authentication Stories

Posted By Bruce Schneier

Anecdotes from Asia on seals versus signatures on official documents....

Tue, 02 Oct 2012 21:50:11 UTC

Keccak is SHA-3

Posted By Bruce Schneier

NIST has just announced that Keccak has been selected as SHA-3. It's a fine choice. I'm glad that SHA-3 is nothing like the SHA-2 family; something completely different is good. Congratulations to the Keccak team. Congratulations -- and thank you -- to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the...

Tue, 02 Oct 2012 14:41:26 UTC

2013 U.S. Homeland Security Budget

Posted By Bruce Schneier

Among other findings in this CBO report: Funding for homeland security has dropped somewhat from its 2009 peak of $76 billion, in inflation-adjusted terms; funding for 2012 totaled $68 billion. Nevertheless, the nation is now spending substantially more than what it spent on homeland security in 2001. Note that this is just direct spending on homeland security. This does not...

Mon, 01 Oct 2012 18:12:55 UTC

Security Question Cartoon

Posted By Bruce Schneier

Funny....

Mon, 01 Oct 2012 11:52:27 UTC

Scary iPhone Malware Story

Posted By Bruce Schneier

This story sounds pretty scary: Developed by Robert Templeman at the Naval Surface Warfare Center in Indiana and a few buddies from Indiana University, PlaceRaider hijacks your phone's camera and takes a series of secret photographs, recording the time, and the phone's orientation and location with each shot. Using that information, it can reliably build a 3D model of your...

Thu, 27 Sep 2012 18:14:22 UTC

NPR on Biometric Data Collection

Posted By Bruce Schneier

Interesting Talk of the Nation segment....

Thu, 27 Sep 2012 14:10:59 UTC

Replacing Alice and Bob

Posted By Bruce Schneier

A proposal to replace cryptography's Alice and Bob with Sita and Rama: Any book on cryptography invariably involves the characters Alice and Bob. It is always Alice who wants to send a message to Bob. This article replaces the dramatis personae of cryptography with characters drawn from Hindu mythology....

Wed, 26 Sep 2012 12:11:15 UTC

Using Agent-Based Simulations to Evaluate Security Systems

Posted By Bruce Schneier

Kay Hamacher and Stefan Katzenbeisser, "Public Security: Simulations Need to Replace Conventional Wisdom," New Security Paradigms Workshop, 2011. Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently...

Tue, 25 Sep 2012 18:29:10 UTC

Quantum Cryptography

Posted By Bruce Schneier

Long article on quantum cryptography and cryptanalysis....

Tue, 25 Sep 2012 12:40:52 UTC

Homomorphic Encryption

Posted By Bruce Schneier

Good summary article....

Mon, 24 Sep 2012 18:09:24 UTC

Security Vulnerability in Windows 8 Unified Extensible Firmware Interface (UEFI)

Posted By Bruce Schneier

This is the first one discovered, I think....

Mon, 24 Sep 2012 11:59:58 UTC

SHA-3 to Be Announced

Posted By Bruce Schneier

NIST is about to announce the new hash algorithm that will become SHA-3. This is the result of a six-year competition, and my own Skein is one of the five remaining finalists (out of an initial 64). It's probably too late for me to affect the final decision, but I am hoping for "no award." It's not that the new...

Fri, 21 Sep 2012 21:30:53 UTC

Friday Squid Blogging: Beached Firefly Squid

Posted By Bruce Schneier

Pretty photo of firefly squid beached along a coast. I've written about firefly squid before. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Sep 2012 20:29:25 UTC

Another Review of Liars and Outliers

Posted By Bruce Schneier

I usually don't post reviews of Liars and Outliers -- they're all here -- but I am particularly proud of this one....

Fri, 21 Sep 2012 11:45:47 UTC

Accountable Algorithms

Posted By Bruce Schneier

Ed Felten has two posts about accountable algorithms. Good stuff....

Thu, 20 Sep 2012 11:02:44 UTC

The NSA and the Risk of Off-the-Shelf Devices

Posted By Bruce Schneier

Interesting article on how the NSA is approaching risk in the era of cool consumer devices. There's a discussion of the president's network-disabled iPad, and the classified cell phone that flopped because it took so long to develop and was so clunky. Turns out that everyone wants to use iPhones. Levine concluded, "Using commercial devices to process classified phone calls,...

Wed, 19 Sep 2012 17:31:26 UTC

Analysis of PIN Data

Posted By Bruce Schneier

An analysis of 3.4 million four-digit PINs. ("1234" is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. "8068" is the least common PIN -- that'll probably change now that the fact is published.)...

Wed, 19 Sep 2012 09:41:36 UTC

Recent Developments in Password Cracking

Posted By Bruce Schneier

A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It's not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.) This really isn't anything new. I wrote...

Tue, 18 Sep 2012 21:37:55 UTC

Friday Squid Blogging: Octonaut

Posted By Bruce Schneier

A space-traveling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Mon, 17 Sep 2012 12:03:54 UTC

Diamond Swallowing as a Ruse

Posted By Bruce Schneier

It's a known theft tactic to swallow what you're stealing. It works for food at the supermarket, and it also can work for diamonds. Here's a twist on that tactic: Police say he could have swallowed the stone in an attempt to distract the diamond's owner, Suresh de Silva, while his accomplice stole the real gem. Mr de Silva told...

Fri, 14 Sep 2012 21:15:29 UTC

Friday Squid Blogging: Giant Squid Museum

Posted By Bruce Schneier

In Valdés, Spain. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Sep 2012 19:20:59 UTC

Schneier on Security on Elementary

Posted By Bruce Schneier

Two of my books can be seen in the background in CBS' new Sherlock Holmes drama, Elementary. A copy of Schneier on Security is prominently displayed on Sherlock Holmes' bookshelf. You can see it in the first few minutes of the pilot episode. The show's producers contacted me early on to ask permission to use my books, so it didn't...

Fri, 14 Sep 2012 16:23:20 UTC

Man-in-the-Middle Bank Fraud Attack

Posted By Bruce Schneier

This sort of attack will become more common as banks require two-factor authentication: Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount. Next, it initiates a transfer. At this point Tatanga uses a Web Inject to trick the user into believing...

Fri, 14 Sep 2012 11:47:58 UTC

UGNazi

Posted By Bruce Schneier

Good article on the hacker group UGNazi....

Thu, 13 Sep 2012 18:20:33 UTC

Estimating the Probability of Another 9/11

Posted By Bruce Schneier

This statistical research says once per decade: Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically...

Thu, 13 Sep 2012 11:15:57 UTC

Steganography in the Wild

Posted By Bruce Schneier

Steganographic information is embedded in World of Warcraft screen shots....

Wed, 12 Sep 2012 17:55:56 UTC

Stopping Terrorism

Posted By Bruce Schneier

Nice essay on the futility of trying to prevent another 9/11: "Never again." It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public's understanding of homeland security. It convinced us...

Wed, 12 Sep 2012 11:23:16 UTC

A Real Movie-Plot Threat Contest

Posted By Bruce Schneier

The "Australia's Security Nightmares: The National Security Short Story Competition" is part of Safeguarding Australia 2012. To aid the national security community in imagining contemporary threats, the Australian Security Research Centre (ASRC) is organising Australia's Security Nightmares: The National Security Short Story Competition. The competition aims to produce a set of short stories that will contribute to a better conception...

Tue, 11 Sep 2012 17:38:40 UTC

New Attack Against Chip-and-Pin Systems

Posted By Bruce Schneier

Well, new to us: You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and...

Tue, 11 Sep 2012 11:45:18 UTC

Security at the 9/11 WTC Memorial

Posted By Bruce Schneier

There's a lot: Advance tickets are required to enter this public, outdoor memorial. To book them, you're obliged to provide your home address, email address, and phone number, and the full names of everyone in your party. It is strongly recommended that you print your tickets at home, which is where you must leave explosives, large bags, hand soap, glass...

Mon, 10 Sep 2012 11:51:47 UTC

Another Stuxnet Post

Posted By Bruce Schneier

Larry Constantine disputes David Sanger's book about Stuxnet: So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec shows that, in fact, it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that...

Fri, 07 Sep 2012 21:41:03 UTC

Friday Squid Blogging: Controlling Squid Chromatophores with Music

Posted By Bruce Schneier

Wacky. Other stories about the story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Sep 2012 12:10:06 UTC

Hacking Marathon Races

Posted By Bruce Schneier

Truly bizarre story of someone who seems to have figured out how to successfully cheat at marathons. The evidence of his cheating is overwhelming, but no one knows how he does it....

Thu, 06 Sep 2012 17:31:43 UTC

CSOs/CISOs Wanted: Cloud Security Questions

Posted By Bruce Schneier

I'm trying to separate cloud security hype from reality. To that end, I'd like to talk to a few big corporate CSOs or CISOs about their cloud security worries, requirements, etc. If you're willing to talk, please contact me via e-mail. Eventually I will share the results of this inquiry. Thank you....

Thu, 06 Sep 2012 11:48:48 UTC

Database of 12 Million Apple UDIDs Hacked

Posted By Bruce Schneier

In this story, we learn that hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI laptop. When I first read the story, my questions were not about the hack but about the data. Why does an FBI agent have user identification information about 12 million iPhone users on his...

Wed, 05 Sep 2012 19:04:29 UTC

Wall Street Journal Review of Liars and Outliers

Posted By Bruce Schneier

Liars and Outliers (along with two other books: Kip Hawley's memoir of his time at the TSA and Against Security, by Harvey Molotch) has been reviewed in the Wall Street Journal....

Wed, 05 Sep 2012 11:06:03 UTC

Hacking Brain-Computer Interfaces

Posted By Bruce Schneier

In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article: A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal...

Tue, 04 Sep 2012 14:04:49 UTC

Eye Twitch Patterns as a Biometric

Posted By Bruce Schneier

Yet another biometric: eye twitch patterns: ...a person's saccades, their tiny, but rapid, involuntary eye movements, can be measured using a video camera. The pattern of saccades is as unique as an iris or fingerprint scan but easier to record and so could provide an alternative secure biometric identification technology. Probably harder to fool than iris scanners....

Fri, 31 Aug 2012 21:22:07 UTC

Friday Squid Blogging: "The Seasick Squid"

Posted By Bruce Schneier

A fable. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 Aug 2012 14:20:06 UTC

Conversation about Liars and Outliers on The WELL

Posted By Bruce Schneier

I'm on The WELL right now -- for the next week or so -- discussing my new book with anyone who wants to participate. I'm also at Dragon*Con this weekend in Atlanta....

Thu, 30 Aug 2012 14:22:54 UTC

The Psychological Effects of Terrorism

Posted By Bruce Schneier

Shelly C. McArdle, Heather Rosoff, Richard S. John (2012), "The Dynamics of Evolving Beliefs, Concerns, Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples," Risk Analysis v. 32, pp. 744-761. Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came...

Wed, 29 Aug 2012 11:37:46 UTC

Shared Lock

Posted By Bruce Schneier

A reader sent me this photo of a shared lock. It's at the gate of a large ranch outside of Victoria, Texas. Multiple padlocks secure the device, but when a single padlock is removed, the center pin can be fully lifted and the gate can be opened. The point is to allow multiple entities (oil and gas, hunting parties, ranch...

Tue, 28 Aug 2012 15:38:30 UTC

The Importance of Security Engineering

Posted By Bruce Schneier

In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don't recommend reading the entire discussion; we spent 14,000 words talking past each other. But what's interesting is how our debate illustrates the differences between a security engineer...

Tue, 28 Aug 2012 00:06:22 UTC

Fear and Imagination

Posted By Bruce Schneier

Interesting anecdote from World War II....

Fri, 24 Aug 2012 21:32:51 UTC

Friday Squid Blogging: Squid Sacrifices Arms to Avoid Predators

Posted By Bruce Schneier

The squid Octopoteuthis deletron will drop portions of an arm to escape from a predator. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 24 Aug 2012 18:18:45 UTC

Internet Safety Talking Points for Schools

Posted By Bruce Schneier

A surprisingly sensible list. E. Why are you penalizing the 95% for the 5%? You don't do this in other areas of discipline at school. Even though you know some students will use their voices or bodies inappropriately in school, you don't ban everyone from speaking or moving. You know some students may show up drunk to the prom, yet...

Fri, 24 Aug 2012 11:27:07 UTC

Fear and How it Scales

Posted By Bruce Schneier

Nice post: The screaming fear in your stomach before you give a speech to 12 kids in the fifth grade is precisely the same fear a presidential candidate feels before the final debate. The fight-or-flight reflex that speeds up your heart when you're about to get a speeding ticket you don't deserve isn't very different than the chemical reaction in...

Thu, 23 Aug 2012 18:23:14 UTC

Exaggerating Cybercrime

Posted By Bruce Schneier

Finally, someone takes a look at the $1 trillion number government officials are quoting as the cost of cybercrime. While it's a good figure to scare people, it doesn't have much of a basis in reality....

Thu, 23 Aug 2012 11:43:42 UTC

Video Filter that Detects a Pulse

Posted By Bruce Schneier

Fascinating. How long before someone claims he can use this technology to detect nervous people in airports?...

Wed, 22 Aug 2012 17:34:51 UTC

Five "Neglects" in Risk Management

Posted By Bruce Schneier

Good list, summarized here: 1. Probability neglect -- people sometimes don't consider the probability of the occurrence of an outcome, but focus on the consequences only. 2. Consequence neglect -- just like probability neglect, sometimes individuals neglect the magnitude of outcomes. 3. Statistical neglect -- instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb...

Wed, 22 Aug 2012 11:09:11 UTC

Poll: Americans Like the TSA

Posted By Bruce Schneier

Gallup has the results: Despite recent negative press, a majority of Americans, 54%, think the U.S. Transportation Security Administration is doing either an excellent or a good job of handling security screening at airports. At the same time, 41% think TSA screening procedures are extremely or very effective at preventing acts of terrorism on U.S. airplanes, with most of the...

Tue, 21 Aug 2012 18:42:31 UTC

Is iPhone Security Really this Good?

Posted By Bruce Schneier

Simson Garfinkel writes that the iPhone has such good security that the police can't use it for forensics anymore: Technologies the company has adopted protect Apple customers' content so well that in many situations it's impossible for law enforcement to perform forensic examinations of devices seized from criminals. Most significant is the increasing use of encryption, which is beginning to...

Tue, 21 Aug 2012 10:53:54 UTC

Help Cryptanalyze Gauss

Posted By Bruce Schneier

Kaspersky is looking for help decrypting the Gauss payload....

Mon, 20 Aug 2012 18:05:08 UTC

Passive Sensor that Sees Through Walls

Posted By Bruce Schneier

A new technology uses the radiation given off by wi-fi devices to sense the positions of people through a one-foot-thick brick wall....

Mon, 20 Aug 2012 11:36:29 UTC

The View from an Israeli Security Checkpoint

Posted By Bruce Schneier

This is an extraordinary (and gut-wrenching) first-person account of what it's like to staff an Israeli security checkpoint. It shows how power corrupts: how it's impossible to make humane decisions in such a circumstance....

Fri, 17 Aug 2012 21:16:40 UTC

Friday Squid Blogging: Efforts to Film a Live Giant Squid

Posted By Bruce Schneier

Japanese researchers are attempting to film the elusive giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Aug 2012 11:39:14 UTC

$200 for a Fake Security System

Posted By Bruce Schneier

This is pretty funny: Moving red laser beams scare away potential intruders; laser beams move along floor and wall 180 degrees; easy to install, 110v, comes on automatically w/timer. Watch the video. This is not an alarm, and it doesn't do anything other than the laser light show. But, as the product advertisement says, "perception can be an excellent deterrent...

Thu, 16 Aug 2012 18:52:38 UTC

Rudyard Kipling on Societal Pressures

Posted By Bruce Schneier

In the short story "A Wayside Comedy," published in 1888 in Under the Deodars, Kipling wrote: You must remember, though you will not understand, that all laws weaken in a small and hidden community where there is no public opinion. When a man is absolutely alone in a Station he runs a certain risk of falling into evil ways. This...

Thu, 16 Aug 2012 11:49:54 UTC

An Analysis of Apple's FileVault 2

Posted By Bruce Schneier

This is an analysis of Apple's disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn't break it. (Presumably, the version in Mountain Lion isn't any different.)...

Wed, 15 Aug 2012 19:23:52 UTC

Lousy Password Security on Tesco Website

Posted By Bruce Schneier

Good post, not because it picks on Tesco but because it's filled with good advice on how not to do it wrong....

Wed, 15 Aug 2012 13:57:59 UTC

Sexual Harassment at DefCon (and Other Hacker Cons)

Posted By Bruce Schneier

Excellent blog post by Valerie Aurora about sexual harassment at the DefCon hackers conference. Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community. The response of "this is just what hacker culture is, and changing it will destroy hackerdom" is just plain wrong. When swaths of the...

Wed, 15 Aug 2012 10:59:19 UTC

Liars and Outliers on Special Discount

Posted By Bruce Schneier

Liars and Outliers has been out since late February, and while it's selling great, I'd like it to sell better. So I have a special offer for my regular readers. People in the U.S. can buy a signed copy of the book for $11, Media Mail postage included. (Yes, I'm selling the book at a loss.) People in other countries...

Tue, 14 Aug 2012 19:27:23 UTC

Schneier in the News

Posted By Bruce Schneier

Here are links to three news articles about me, and two video interviews with me....

Tue, 14 Aug 2012 18:16:15 UTC

Measuring Cooperation and Defection using Shipwreck Data

Posted By Bruce Schneier

In Liars and Outliers, I talk a lot about social norms and when people follow them. This research uses survival data from shipwrecks to measure it. The authors argue that shipwrecks can actually tell us a fair bit about human behavior, since everyone stuck on a sinking ship has to do a bit of cost-benefit analysis. People will weigh their...

Tue, 14 Aug 2012 11:00:34 UTC

Cryptocat

Posted By Bruce Schneier

I'm late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian. At this point,...

Mon, 13 Aug 2012 17:41:37 UTC

Preventive vs. Reactive Security

Posted By Bruce Schneier

This is kind of a rambling essay on the need to spend more on infrastructure, but I was struck by this paragraph: Here's a news flash: There are some events that no society can afford to be prepared for to the extent that we have come to expect. Some quite natural events -- hurricanes, earthquakes, tsunamis, derechos -- have such...

Mon, 13 Aug 2012 11:57:01 UTC

U.S. and China Talking About Cyberweapons

Posted By Bruce Schneier

Stuart Baker calls them "proxy talks" because they're not government to government, but it's a start....

Fri, 10 Aug 2012 21:02:56 UTC

Friday Squid Blogging: Dumpling Squid

Posted By Bruce Schneier

The sex life of the dumpling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Aug 2012 18:22:46 UTC

Termite Suicide Bombers

Posted By Bruce Schneier

Some termites blow themselves up to expel invaders from their nest....

Fri, 10 Aug 2012 10:51:17 UTC

11-Year-Old Bypasses Airport Security

Posted By Bruce Schneier

Sure, stories like this are great fun, but I don't think it's much of a security concern. Terrorists can't build a plot around random occasional security failures....

Thu, 09 Aug 2012 18:46:02 UTC

Rolling Stone Magazine Writes About Computer Security

Posted By Bruce Schneier

It's a virus that plays AC/DC, so it makes sense. Surreal, though. Another article....

Thu, 09 Aug 2012 11:32:29 UTC

Detecting Spoofed GPS Signals

Posted By Bruce Schneier

This is the latest in the arms race between spoofing GPS signals and detecting spoofed GPS signals. Unfortunately, the countermeasures all seem to be patent pending....

Wed, 08 Aug 2012 18:04:58 UTC

Chinese Gang Sells Fake Professional Certifications

Posted By Bruce Schneier

They were able to hack into government websites: The gang's USP, and the reason it could charge up to 10,000 yuan (£1,000) per certificate, was that it could hack the relevant government site and tamper with the back-end database to ensure that the fake cert's name and registration number appeared legitimate. The gang made £30M before being arrested....

Wed, 08 Aug 2012 11:31:24 UTC

Yet Another Risk of Storing Everything in the Cloud

Posted By Bruce Schneier

A hacker can social-engineer his way into your cloud storage and delete everything you have. It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud....

Tue, 07 Aug 2012 18:45:30 UTC

Peter Swire Testifies on the Inadequacy of Privacy Self-Regulation

Posted By Bruce Schneier

Ohio State University Law Professor Peter Swire testifies before Congress on the inadequacy of industry self-regulation to protect privacy....

Tue, 07 Aug 2012 12:14:03 UTC

Verifying Elections Using Risk-Limiting Auditing

Posted By Bruce Schneier

Interesting article on using risk-limiting auditing in determining if an election's results are likely to be valid. The risk, in this case, is in the chance of a false negative, and the election being deemed valid. The risk level determines the extent of the audit....

Mon, 06 Aug 2012 16:22:12 UTC

Breaking Microsoft's PPTP Protocol

Posted By Bruce Schneier

Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft's PPTP protocol and the MS-CHAP authentication system. I haven't been paying attention, but I presume it's been fixed and improved over the years. Well, it's been broken again. ChapCrack can take captured network traffic that contains an MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise...

Mon, 06 Aug 2012 11:43:27 UTC

State-by-State Report on Electronic Voting

Posted By Bruce Schneier

The Verified Voting Foundation has released a comprehensive state-by-state report on electronic voting machines (report, executive summary, and news coverage). Let's hope it does some good....

Fri, 03 Aug 2012 21:08:24 UTC

Friday Squid Blogging: SQUIDS and Quantum Computing

Posted By Bruce Schneier

It seems that quantum computers might use superconducting quantum interference devices (SQUIDs). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Aug 2012 17:57:09 UTC

Unsafe Safes

Posted By Bruce Schneier

In a long article about insecurities in gun safes, there's this great paragraph: Unfortunately, manufacturers and consumers are deceived and misled into a false sense of security by electronic credentials, codes, and biometrics. We have seen this often, even with high security locks. Our rule: electrons do not open doors; mechanical components do. If you can compromise the mechanisms then...

Fri, 03 Aug 2012 11:03:04 UTC

Overreaction and Overly Specific Reactions to Rare Risks

Posted By Bruce Schneier

Horrific events, such as the massacre in Aurora, can be catalysts for social and political change. Sometimes it seems that they're the only catalyst; recall how drastically our policies toward terrorism changed after 9/11 despite how moribund they were before. The problem is that fear can cloud our reasoning, causing us to overreact and to overly focus on the specifics....

Thu, 02 Aug 2012 19:19:59 UTC

Court Orders TSA to Answer EPIC

Posted By Bruce Schneier

A year ago, EPIC sued the TSA over full body scanners (I was one of the plaintiffs), demanding that they follow their own rules and ask for public comment. The court agreed, and ordered the TSA to do that. In response, the TSA has done nothing. Now, a year later, the court has again ordered the TSA to answer EPIC's position....

Thu, 02 Aug 2012 18:08:30 UTC

Hotel Door Lock Vulnerability

Posted By Bruce Schneier

The attack only works sometimes, but it does allow access to millions of hotel rooms worldwide that are secured by Onity brand locks. Basically, you can read the unit's key out of the power port on the bottom of the lock, and then feed it back to the lock to authenticate an open command using the same power port....

Thu, 02 Aug 2012 11:23:40 UTC

Profile on Eugene Kaspersky

Posted By Bruce Schneier

Wired has an interesting and comprehensive profile on Eugene Kaspersky. Especially note Kaspersky Lab's work to uncover US cyberespionage against Iran, Kaspersky's relationship with Russia's state security services, and the story of the kidnapping of Kaspersky's son, Ivan. Kaspersky responded (not kindly) to the article, and the author responded to the response....

Wed, 01 Aug 2012 18:34:23 UTC

Lone Shooters and Body Armor

Posted By Bruce Schneier

The new thing about the Aurora shooting wasn't the weaponry, but the armor: What distinguished Holmes wasn't his offense. It was his defense. At Columbine, Harris and Klebold did their damage in T-shirts and cargo pants. Cho and Loughner wore sweatshirts. Hasan was gunned down in his Army uniform. Holmes' outfit blew these jokers away. He wore a ballistic helmet,...

Wed, 01 Aug 2012 12:17:47 UTC

On Soft Targets

Posted By Bruce Schneier

Stratfor has an interesting article....

Tue, 31 Jul 2012 16:11:42 UTC

Fake Irises Fool Scanners

Posted By Bruce Schneier

We already know you can wear fake irises to fool a scanner into thinking you're not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you're someone else....

Tue, 31 Jul 2012 11:30:42 UTC

Hacking Tool Disguised as a Power Strip

Posted By Bruce Schneier

This is impressive: The device has Bluetooth and Wi-Fi adapters, a cellular connection, dual Ethernet ports, and hacking and remote access tools that let security professionals test the network and call home to be remotely controlled via the cellular network. The device comes with easy-to-use scripts that cause it to boot up and then phone home for instructions. A "text-to-bash"...

Mon, 30 Jul 2012 17:40:17 UTC

Fear-Mongering at TED

Posted By Bruce Schneier

This TED talk trots out the usual fear-mongering that technology leads to terrorism. The facts are basically correct, but there are no counterbalancing facts, and the conclusions are all one-sided. I'm not impressed with the speaker's crowdsourcing solution, either. Sure, crowdsourcing is a great tool for a lot of problems, but it's not the single thing that's going to protect us...

Mon, 30 Jul 2012 12:34:40 UTC

Detroit Bomb Threats

Posted By Bruce Schneier

There have been a few hoax bomb threats in Detroit recently (Windsor tunnel, US-Canada bridge, Tiger Stadium). The good news is that police learned; during the third one, they didn't close down the threatened location....

Fri, 27 Jul 2012 21:26:34 UTC

Friday Squid Blogging: Tentacle Doorstop

Posted By Bruce Schneier

Now this is neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Jul 2012 19:17:17 UTC

Liars and Outliers Summed Up in Two Comic Strips

Posted By Bruce Schneier

I don't know the context, but these strips sum up my latest book nicely....

Fri, 27 Jul 2012 14:42:07 UTC

Criminals Using Commercial Spamflooding Services

Posted By Bruce Schneier

Cybercriminals are using commercial spamflooding services to distract their victims during key moments of a cyberattack. Clever, but in retrospect kind of obvious....

Thu, 26 Jul 2012 11:55:10 UTC

Police Sting Operation Yields No Mobile Phone Thefts

Posted By Bruce Schneier

Police in Hastings, in the UK, outfitted mobile phones with tracking devices and left them in bars and restaurants, hoping to catch mobile phone thieves in the act. But no one stole them: Nine premises were visited in total and officers were delighted that not one of the bait phones was 'stolen'. In fact, on nearly every occasion good hearted...

Wed, 25 Jul 2012 11:42:46 UTC

Making Handcuff Keys with 3D Printers

Posted By Bruce Schneier

Handcuffs pose a particular key management problem. Officers need to be able to unlock handcuffs locked by another officer, so they're all designed to be opened by a standard set of keys. This system only works if the bad guys can't get a copy of the key, and modern handcuff manufacturers go out of their way to make it hard...

Tue, 24 Jul 2012 11:28:28 UTC

Implicit Passwords

Posted By Bruce Schneier

This is a really interesting research paper (article here) on implicit passwords: something your unconscious mind remembers but your conscious mind doesn't know. The Slashdot post is a nice summary: A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still...

Mon, 23 Jul 2012 11:15:59 UTC

How the Norwegians Reacted to Terrorism

Posted By Bruce Schneier

An antidote to the American cycle of threat, fear, and overspending in response to terrorism is this, about Norway on the first anniversary of its terrorist massacre: And at the political level, the Prime Minister Jens Stoltenberg pledged to do everything to ensure the country's core values were not undermined. "The Norwegian response to violence is more democracy, more openness...

Fri, 20 Jul 2012 21:17:07 UTC

Friday Squid Blogging: Preserved Squid

Posted By Bruce Schneier

Science or art? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 19 Jul 2012 11:46:23 UTC

Camera-Transparent Plastic

Posted By Bruce Schneier

I just wrote about the coming age of invisible surveillance. Here's another step along that process. The material is black in color and cannot be seen through with the naked eye. However, if you point a black and white camera at a sheet of Black-Ops Plastic, it becomes transparent allowing the camera to record whatever is on the other side....

Wed, 18 Jul 2012 14:27:13 UTC

Chinese Airline Rewards Crew for Resisting Hijackers

Posted By Bruce Schneier

Normally, companies instruct their employees not to resist. But Hainan Airlines did the opposite: Two safety officers and the chief purser got cash and property worth 4m yuan ($628,500; £406,200) each. The rest got assets worth 2.5m yuan each. That's a lot of money, especially in China. I'm sure it will influence future decisions by crew, and even passengers, about...

Mon, 16 Jul 2012 18:59:02 UTC

Remote Scanning Technology

Posted By Bruce Schneier

I don't know if this is real or fantasy: Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast...

Fri, 13 Jul 2012 21:53:36 UTC

Friday Squid Blogging: Barbecued Squid -- New Summer Favorite

Posted By Bruce Schneier

In the UK, barbecued squid is in: Sales of squid have tripled in recent months due to the growing popularity of Mediterranean food and the rise of the Dukan diet, as calamari looks set to become the barbecue hit of the summer....

Fri, 13 Jul 2012 11:51:20 UTC

Hacking BMW's Remote Keyless Entry System

Posted By Bruce Schneier

It turns out to be surprisingly easy: The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW's on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car's unique key fob digital ID and reprogram a blank key fob to start the car. It...

Thu, 12 Jul 2012 17:59:35 UTC

All-or-Nothing Access Control for Mobile Phones

Posted By Bruce Schneier

This paper looks at access control for mobile phones. Basically, it's all or nothing: either you have a password that protects everything, or you have no password and protect nothing. The authors argue that there should be more user choice: some applications should be available immediately without a password, and the rest should require a password. This makes a lot...

Thu, 12 Jul 2012 14:47:50 UTC

Dropped USB Sticks in Parking Lot as Actual Attack Vector

Posted By Bruce Schneier

For years, it's been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn't that people are plugging the sticks in, but that the computers trust them enough to run software off of them. This is the first time I've...

Wed, 11 Jul 2012 17:39:21 UTC

Petition the U.S. Government to Force the TSA to Follow the Law

Posted By Bruce Schneier

This is important: In July 2011, a federal appeals court ruled that the Transportation Security Administration had to conduct a notice-and-comment rulemaking on its policy of using "Advanced Imaging Technology" for primary screening at airports. TSA was supposed to publish the policy in the Federal Register, take comments from the public, and justify its policy based on public input. The...

Wed, 11 Jul 2012 12:49:46 UTC

Cryptanalyze the Agrippa Code

Posted By Bruce Schneier

William Gibson's Agrippa Code is available for cryptanalysis. Break the code, win a prize....

Tue, 10 Jul 2012 09:33:49 UTC

Attacking Fences

Posted By Bruce Schneier

From an article on the cocaine trade between Mexico and the U.S.: "They erect this fence," he said, "only to go out there a few days later and discover that these guys have a catapult, and they're flinging hundred-pound bales of marijuana over to the other side." He paused and looked at me for a second. "A catapult," he repeated....

Mon, 09 Jul 2012 17:36:20 UTC

Sensible Comments about Terrorism

Posted By Bruce Schneier

Two, at least: "Bee stings killed as many in UK as terrorists, says watchdog." "Americans Are as Likely to Be Killed by Their Own Furniture as by Terrorism." Is this a new trend in common sense? In case you forgot, here's a comprehensive list of ridiculous predictions about terrorist attacks (and an essay). And here's the best data on U.S....

Mon, 09 Jul 2012 11:02:43 UTC

Students Hack DHS Drone

Posted By Bruce Schneier

A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won't be able to do this?...

Fri, 06 Jul 2012 21:58:09 UTC

Friday Squid Blogging: Dissecting a Squid

Posted By Bruce Schneier

This was surprisingly interesting. When a body is mysterious, you cut it open. You peel back the skin and take stock of its guts. It is the science of an arrow, the epistemology of a list. There and here and look: You tick off organs, muscles, bones. Its belly becomes fact. It glows like fluorescent lights. The air turns aseptic...

Fri, 06 Jul 2012 19:44:49 UTC

Me on Military Cyberattacks and Cyberweapons Treaties

Posted By Bruce Schneier

I did a short Q&A for Network World....

Fri, 06 Jul 2012 14:40:08 UTC

Naming Pets

Posted By Bruce Schneier

Children are being warned that the name of their first pet should contain at least eight characters and a digit....

Thu, 05 Jul 2012 11:17:04 UTC

So You Want to Be a Security Expert

Posted By Bruce Schneier

I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice. First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating...

Tue, 03 Jul 2012 11:22:50 UTC

Commercial Espionage Virus

Posted By Bruce Schneier

It's designed to steal blueprints and send them to China. Note that although this is circumstantial evidence that the virus is from China, it is possible that the Chinese e-mail accounts that are collecting the blueprints are simply drops, and the controllers are elsewhere on the planet....

Mon, 02 Jul 2012 18:10:23 UTC

On Fear

Posted By Bruce Schneier

A poet reflects on the nature of fear....

Mon, 02 Jul 2012 11:20:35 UTC

WEIS 2012

Posted By Bruce Schneier

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks. On the second day, Ross and I debated -- well, discussed -- cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we...

Fri, 29 Jun 2012 21:14:36 UTC

Friday Squid Blogging: Another Giant Squid Found

Posted By Bruce Schneier

A dead 13-foot-long giant squid has been found off the coast of New South Wales. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Jun 2012 19:47:28 UTC

FireDogLake Book Salon for Liars and Outliers

Posted By Bruce Schneier

Here's the permalink....

Fri, 29 Jun 2012 11:35:28 UTC

On Securing Potentially Dangerous Virology Research

Posted By Bruce Schneier

Abstract: The problem of securing biological research data is a difficult and complicated one. Our ability to secure data on computers is not robust enough to ensure the security of existing data sets. Lessons from cryptography illustrate that neither secrecy measures, such as deleting technical details, nor national solutions, such as export controls, will work. --------- Science and Nature have...

Thu, 28 Jun 2012 13:50:43 UTC

Nuclear Fears

Posted By Bruce Schneier

Interesting review -- by David Ropeik -- of The Rise of Nuclear Fear, by Spencer Weart: Along with contributing to the birth of the environmental movement, Weart shows how fear of radiation began to undermine society's faith in science and modern technology. He writes "Polls showed that the number of Americans who felt 'a great deal' of confidence in science...

Wed, 27 Jun 2012 11:35:37 UTC

Top Secret America on the Post-9/11 Cycle of Fear and Funding

Posted By Bruce Schneier

I'm reading Top Secret America: The Rise of the New American Security State, by Dana Priest and William M. Arkin. Both work for The Washington Post. The book talks about the rise of the security-industrial complex in post-9/11 America. This short quote is from Chapter 3: Such dread was a large part of the post-9/11 decade. A culture of...

Wed, 27 Jun 2012 11:30:31 UTC

Russian Nuclear Launch Code Backup Procedure

Posted By Bruce Schneier

If the safe doesn't open, use a sledgehammer: The sledgehammer's existence first came to light in 1980, when a group of inspecting officers from the General Staff visiting Strategic Missile Forces headquarters asked General Georgy Novikov what he would do if he received a missile launch order but the safe containing the launch codes failed to open. Novikov said he...

Tue, 26 Jun 2012 18:57:43 UTC

E-Mail Accounts More Valuable than Bank Accounts

Posted By Bruce Schneier

This informal survey produced the following result: "45% of the users found their email accounts more valuable than their bank accounts." The author believes this is evidence of some sophisticated security reasoning on the part of users: From a security standpoint, I can't agree more with these people. Email accounts are used most commonly to reset other websites' account passwords,...

Tue, 26 Jun 2012 11:39:19 UTC

Stratfor on the Phoenix Serial Flashlight Bomber

Posted By Bruce Schneier

Interesting....

Mon, 25 Jun 2012 16:17:21 UTC

Resilience

Posted By Bruce Schneier

There was a conference on resilience (highlights here, and complete videos here) earlier this year. Here's an interview with professor Sander van der Leeuw on the topic. Although he never mentions security, it's all about security. Any system, whether it's the financial system, the environmental system, or something else, is always subject to all kinds of pressures. If it can...

Mon, 25 Jun 2012 11:58:25 UTC

Op-ed Explaining why Terrorism Doesn't Work

Posted By Bruce Schneier

Good essay by Max Abrahms. I've written about his research before....

Fri, 22 Jun 2012 21:03:07 UTC

Friday Squid Blogging: Giant Mutant Squid at the Queen's Jubilee

Posted By Bruce Schneier

I think this is a parody, but you can never be sure. Millions of Britons turned out for the Queen's four-day celebrations, undaunted by the 500-foot mutant squid that was destroying London. Huge crowds of well-wishers lined the banks of the Thames on Sunday to watch a spectacular flotilla, continuing to cheer and wave even as tentacles thicker than tree...

Fri, 22 Jun 2012 19:01:47 UTC

Colbert Report on the Orangutan Cyberthreat

Posted By Bruce Schneier

Very funny video exposé of the cyberthreat posed by giving iPads to orangutans. Best part is near the end, when Richard Clarke suddenly realizes that he's being interviewed about orangutans -- and not the Chinese....

Fri, 22 Jun 2012 12:20:20 UTC

Economic Analysis of Bank Robberies

Posted By Bruce Schneier

Yes, it's clever: The basic problem is the average haul from a bank job: for the three-year period, it was only £20,330.50 (~$31,613). And it gets worse, as the average robbery involved 1.6 thieves. So the authors conclude, "The return on an average bank robbery is, frankly, rubbish. It is not unimaginable wealth. It is a very modest £12,706.60 per...

Thu, 21 Jun 2012 18:03:03 UTC

Far-Fetched Scams Separate the Gullible from Everyone Else

Posted By Bruce Schneier

Interesting conclusion by Cormac Herley, in this paper: "Why Do Nigerian Scammers Say They are From Nigeria?" Abstract: False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack, true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This...

Thu, 21 Jun 2012 10:51:50 UTC

Apple Patents Data-Poisoning

Posted By Bruce Schneier

It's not a new idea, but Apple Computer has received a patent on "Techniques to pollute electronic profiling": Abstract: Techniques to pollute electronic profiling are provided. A cloned identity is created for a principal. Areas of interest are assigned to the cloned identity, where a number of the areas of interest are divergent from true interests of the principal. One...

Wed, 20 Jun 2012 18:19:50 UTC

Rand Paul Takes on the TSA

Posted By Bruce Schneier

Paul Rand has introduced legislation to rein in the TSA. There are two bills: One bill would require that the mostly federalized program be turned over to private screeners and allow airports -- with Department of Homeland Security approval -- to select companies to handle the work. This seems to be a result of a fundamental misunderstanding of the economic...

Wed, 20 Jun 2012 12:27:22 UTC

Switzerland National Defense

Posted By Bruce Schneier

Interesting blog post about this book about Switzerland's national defense. To make a long story short, McPhee describes two things: how Switzerland requires military service from every able-bodied male Swiss citizen -- a model later emulated and expanded by Israel -- and how the Swiss military has, in effect, wired the entire country to blow in the event of foreign...

Tue, 19 Jun 2012 18:02:20 UTC

Attack Against Point-of-Sale Terminal

Posted By Bruce Schneier

Clever attack: When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it's legit? In the past three months, Toronto and Peel police have discovered many that aren't. In what is the latest financial fraud, crooks are using distraction techniques to replace merchants' machines with their own, police say. At the end of the...

Tue, 19 Jun 2012 12:11:14 UTC

The Failure of Anti-Virus Companies to Catch Military Malware

Posted By Bruce Schneier

Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame: When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but...

Mon, 18 Jun 2012 17:38:17 UTC

England's Prince Philip on Security

Posted By Bruce Schneier

On banning guns: "If a cricketer, for instance, suddenly decided to go into a school and batter a lot of people to death with a cricket bat, which he could do very easily, I mean, are you going to ban cricket bats?" In a Radio 4 interview shortly after the Dunblane shootings in 1996. He said to the interviewer off-air afterwards:...

Mon, 18 Jun 2012 11:40:18 UTC

Honor System Farm Stands

Posted By Bruce Schneier

Many roadside farm stands in the U.S. are unmanned. They work on the honor system: take what you want, and pay what you owe. And today at his farm stand, Cochran says, just as at the donut shop years ago, most customers leave more money than they owe. That doesn't surprise social psychologist Michael Cunningham of the University of Louisville...

Fri, 15 Jun 2012 21:02:33 UTC

Friday Squid Blogging: Woman's Mouth Inseminated by Cooked Squid

Posted By Bruce Schneier

This story is so freaky I'm not even sure I want to post it. But if I don't, you'll all send me the links. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Jun 2012 19:55:06 UTC

FireDogLake Book Salon for Liars and Outliers

Posted By Bruce Schneier

On Sunday, I will be participating in a public discussion about my new book on the FireDogLake website. James Fallows will be the moderator, and I will be answering questions from all comers -- you do have to register an ID, though -- from 5:00 - 7:00 EDT. Stop by and join the discussion....

Fri, 15 Jun 2012 11:51:32 UTC

Rare Rational Comment on al Qaeda's Capabilities

Posted By Bruce Schneier

From "CNN national security analyst" Peter Bergen: Few Americans harbor irrational fears about being killed by a lightning bolt. Abu Yahya al-Libi's death on Monday should remind them that fear of al Qaeda in its present state is even more irrational. Will anyone listen?...

Thu, 14 Jun 2012 17:27:14 UTC

Cheating in Online Classes

Posted By Bruce Schneier

Interesting article: In the case of that student, the professor in the course had tried to prevent cheating by using a testing system that pulled questions at random from a bank of possibilities. The online tests could be taken anywhere and were open-book, but students had only a short window each week in which to take them, which was not...

Thu, 14 Jun 2012 11:40:29 UTC

Cyberwar Treaties

Posted By Bruce Schneier

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat. If you read the press and listen to government leaders, we're already in the middle of a...

Wed, 13 Jun 2012 17:08:44 UTC

Teaching the Security Mindset

Posted By Bruce Schneier

In 2008 I wrote about the security mindset and how difficult it is to teach. Two professors teaching a cyberwarfare class gave an exam where they expected their students to cheat: Our variation of the Kobayashi Maru utilized a deliberately unfair exam -- write the first 100 digits of pi (3.14159...) from memory -- and took place in the pilot offering...

Wed, 13 Jun 2012 11:45:30 UTC

High-Quality Fake IDs from China

Posted By Bruce Schneier

USA Today article: Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards. Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents. The overseas forgers are...

Tue, 12 Jun 2012 10:09:50 UTC

Israel Demanding Passwords at the Border

Posted By Bruce Schneier

There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice. This is the first story I've seen of a country doing this at its borders. The country is Israel, and they're asking for passwords to e-mail accounts....

Mon, 11 Jun 2012 11:36:49 UTC

Changing Surveillance Techniques for Changed Communications Technologies

Posted By Bruce Schneier

New paper by Peter P. Swire -- "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud": Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The...

Fri, 08 Jun 2012 21:28:48 UTC

Friday Squid Blogging: Baby Opalescent Squid

Posted By Bruce Schneier

Baby squid larvae are transparent after they hatch, so you can see the chromatophores (color control mechanisms) developing after a few days. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Jun 2012 11:43:22 UTC

The Catastrophic Consequences of 9/11

Posted By Bruce Schneier

This is an interesting essay -- it claims to be the first in a series -- that looks at the rise of "homeland security" as a catastrophic consequence of the 9/11 terrorist attacks: In this usage, catastrophic is not a pejorative; it is a description of an atypically radical shift in perception and behavior from one condition to another very...

Thu, 07 Jun 2012 11:15:06 UTC

Homeland Security as Security Theater Metaphor

Posted By Bruce Schneier

Look at the last sentence in this article on hotel cleanliness: "I relate this to homeland security. We are not any safer, but many people believe that we are," he said. It's interesting to see the waste-of-money meme used so cavalierly....

Wed, 06 Jun 2012 14:36:46 UTC

Ghostery

Posted By Bruce Schneier

Ghostery is a Firefox plug-in that tracks who is tracking your browsing habits in cyberspace. Here's a TED talk by Gary Kovacs, the CEO of Mozilla Corp., on it. I use AdBlock Plus, and dump my cookies whenever I close Firefox. Should I switch to Ghostery? What do other people do for web privacy?...

Tue, 05 Jun 2012 18:16:59 UTC

Security and Human Behavior (SHB 2012)

Posted By Bruce Schneier

I'm at the Fifth Interdisciplinary Workshop on Security and Human Behavior, SHB 2012. Google is hosting this year, at its offices in lower Manhattan. SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security --...

Tue, 05 Jun 2012 11:07:26 UTC

Interesting Article on Libyan Internet Intelligence Gathering

Posted By Bruce Schneier

This is worth reading, for the insights it provides on how a country goes about monitoring its citizens in the information age: a combination of targeted attacks and wholesale surveillance. I'll just quote one bit, this list of Western companies that helped: Amesys, with its Eagle system, was just one of Libya's partners in repression. A South African firm called...

Mon, 04 Jun 2012 11:36:33 UTC

The Unreliability of Eyewitness Testimony

Posted By Bruce Schneier

Interesting article: The reliability of witness testimony is a vastly complex subject, but legal scholars and forensic psychologists say it's possible to extract the truth from contradictory accounts and evolving memories. According to Barbara Tversky, professor emerita of psychology at Stanford University, the bottom line is this: "All other things equal, earlier recountings are more likely to be accurate than...

Mon, 04 Jun 2012 11:21:58 UTC

Flame

Posted By Bruce Schneier

Flame seems to be another military-grade cyber-weapon, this one optimized for espionage. The worm is at least two years old, and is mainly confined to computers in the Middle East. (It does not replicate and spread automatically, which is certainly so that its controllers can target it better and evade detection longer.) And its espionage capabilities are pretty impressive. We'll...

Fri, 01 Jun 2012 21:40:38 UTC

Friday Squid Blogging: Mimicking Squid Camouflage

Posted By Bruce Schneier

Interesting: Cephalopods -- squid, cuttlefish and octopuses -- change colour by using tiny muscles in their skins to stretch out small sacs of black colouration. These sacs are located in the animal's skin cells, and when a cell is ready to change colour, the brain sends a signal to the muscles and they contract. This makes the sacs expand and...

Fri, 01 Jun 2012 18:08:17 UTC

Obama's Role in Stuxnet and Iranian Cyberattacks

Posted By Bruce Schneier

Really interesting article....

Fri, 01 Jun 2012 11:48:41 UTC

The Vulnerabilities Market and the Future of Security

Posted By Bruce Schneier

Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who...

Thu, 31 May 2012 18:19:52 UTC

Tax Return Identity Theft

Posted By Bruce Schneier

I wrote about this sort of thing in 2006 in the UK, but it's even bigger business here: The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund, sometimes by check but more often through a convenient but hard-to-trace prepaid debit card....

Thu, 31 May 2012 11:17:28 UTC

Bar Code Switching

Posted By Bruce Schneier

A particularly clever form of retail theft -- especially when salesclerks are working fast and don't know the products -- is to switch bar codes. This particular thief stole Lego sets. If you know Lego, you know there's a vast price difference between the small sets and the large ones. He was caught by in-store surveillance....

Wed, 30 May 2012 17:54:29 UTC

The Psychology of Immoral (and Illegal) Behavior

Posted By Bruce Schneier

When I talk about Liars and Outliers to security audiences, one of the things I stress is our traditional security focus -- on technical countermeasures -- is much narrower than it could be. Leveraging moral, reputational, and institutional pressures are likely to be much more effective in motivating cooperative behavior. This story illustrates the point. It's about the psychology of...

Wed, 30 May 2012 11:44:56 UTC

The Problem of False Alarms

Posted By Bruce Schneier

The context is tornado warnings: The basic problem, Smith says, is that sirens are sounded too often in most places. Sometimes they sound in an entire county for a warning that covers just a sliver of it; sometimes for other thunderstorm phenomena like large hail and/or strong straight-line winds; and sometimes for false alarm warnings -- warnings for tornadoes that...

Tue, 29 May 2012 19:07:49 UTC

Backdoor Found in Chinese-Made Military Silicon Chips

Posted By Bruce Schneier

We all knew this was possible, but researchers have found the exploit in the wild: Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption...

Tue, 29 May 2012 11:03:48 UTC

Interview with a Safecracker

Posted By Bruce Schneier

The legal kind. It's interesting: Q: How realistic are movies that show people breaking into vaults? A: Not very! In the movies it takes five minutes of razzle-dazzle; in real life it's usually at least a couple of hours of precision work for an easy, lost combination lockout. [...] Q: Have you ever met a lock you couldn't pick? A:...

Mon, 28 May 2012 11:58:33 UTC

My Last Post About Ethnic Profiling at Airports

Posted By Bruce Schneier

Remember my rebuttal of Sam Harris's essay advocating the profiling of Muslims at airports? That wasn't the end of it. Harris and I conducted a back-and-forth e-mail discussion, the results of which are here. At 14,000+ words, I only recommend it for the most stalwart of readers....

Fri, 25 May 2012 21:01:55 UTC

Friday Squid Blogging: Squid Ink from the Jurassic

Posted By Bruce Schneier

Seems that squid ink hasn't changed much in 160 million years. From this, researchers argue that the security mechanism of spraying ink into the water and escaping is also that old. Simon and his colleagues used a combination of direct, high-resolution chemical techniques to determine that the melanin had been preserved. The researchers also compared the chemical composition of the...

Fri, 25 May 2012 11:43:23 UTC

The Explosive from the Latest Foiled Al Qaeda Underwear Bomb Plot

Posted By Bruce Schneier

Interesting: Although the plot was disrupted before a particular airline was targeted and tickets were purchased, al Qaeda's continued attempts to attack the U.S. speak to the organization's persistence and willingness to refine specific approaches to killing. Unlike Abdulmutallab's bomb, the new device contained lead azide, an explosive often used as a detonator. If the new underwear bomb had been...

Thu, 24 May 2012 16:31:46 UTC

The Ubiquity of Cyber-Fears

Posted By Bruce Schneier

A new study concludes that more people are worried about cyber threats than terrorism. ...the three highest priorities for Americans when it comes to security issues in the presidential campaign are: Protecting government computer systems against hackers and criminals (74 percent) Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent) Homeland security...

Thu, 24 May 2012 11:17:59 UTC

The Banality of Surveillance Photos

Posted By Bruce Schneier

Interesting essay on a trove on surveillance photos from Cold War-era Prague. Cops, even secret cops, are for the most part ordinary people. Working stiffs concerned with holding down jobs and earning a living. Even those who thought it was important to find enemies recognized the absurdity of their task. I take photos all the time and these empty blurry...

Wed, 23 May 2012 17:32:12 UTC

Lessons in Trust from Web Hoaxes

Posted By Bruce Schneier

Interesting discussion of trust in this article on web hoaxes. Kelly's students, like all good con artists, built their stories out of small, compelling details to give them a veneer of veracity. Ultimately, though, they aimed to succeed less by assembling convincing stories than by exploiting the trust of their marks, inducing them to lower their guard. Most of us...

Wed, 23 May 2012 12:25:35 UTC

Privacy Concerns Around "Social Reading"

Posted By Bruce Schneier

Interesting paper: "The Perils of Social Reading," by Neil M. Richards, from the Georgetown Law Journal. Abstract: Our law currently treats records of our reading habits under two contradictory rules -- rules mandating confidentiality, and rules permitting disclosure. Recently, the rise of the social Internet has created more of these records and more pressures on when and how they should...

Tue, 22 May 2012 18:10:22 UTC

Racism as a Vestigial Remnant of a Security Mechanism

Posted By Bruce Schneier

"Roots of Racism," by Elizabeth Culotta in Science: Our attitudes toward outgroups are part of a threat-detection system that allows us to rapidly determine friend from foe, says psychologist Steven Neuberg of ASU Tempe. The problem, he says, is that like smoke detectors, the system is designed to give many false alarms rather than miss a true threat. So outgroup...

Tue, 22 May 2012 11:24:51 UTC

Security Incentives and Advertising Fraud

Posted By Bruce Schneier

Details are in the article, but here's the general idea: Let's follow the flow of the users: Scammer buys user traffic from PornoXo.com and sends it to HQTubeVideos. HQTubeVideos loads, in invisible iframes, some parked domains with innocent-sounding names (relaxhealth.com, etc). In the parked domains, ad networks serve display and PPC ads. The click-fraud sites click on the ads that...

Mon, 21 May 2012 15:32:57 UTC

Portrait of a Counterfeiter

Posted By Bruce Schneier

Interesting article from Wired....

Fri, 18 May 2012 21:26:57 UTC

Friday Squid Blogging: Squid Scalp Massager

Posted By Bruce Schneier

Cheap! As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 18 May 2012 11:06:51 UTC

Kip Hawley Reviews Liars and Outliers

Posted By Bruce Schneier

In his blog: I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For...

Thu, 17 May 2012 17:28:45 UTC

Cybersecurity at the Doctor's Office

Posted By Bruce Schneier

I like this essay because it nicely illustrates the security mindset....

Thu, 17 May 2012 12:20:14 UTC

Rules for Radicals

Posted By Bruce Schneier

It was written in 1971, but this still seems like a cool book: For an elementary illustration of tactics, take parts of your face as the point of reference; your eyes, your ears, and your nose. First the eyes: if you have organized a vast, mass-based people's organization, you can parade it visibly before the enemy and openly show your...

Wed, 16 May 2012 18:50:05 UTC

USB Drives and Wax Seals

Posted By Bruce Schneier

Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!...

Wed, 16 May 2012 11:15:10 UTC

Security Vulnerabilities in Airport Full-Body Scanners

Posted By Bruce Schneier

According to a report from the DHS Office of Inspector General: Federal investigators "identified vulnerabilities in the screening process" at domestic airports using so-called "full body scanners," according to a classified internal Department of Homeland Security report. EPIC obtained an unclassified version of the report in a FOIA response. Here's the summary....

Tue, 15 May 2012 11:17:04 UTC

U.S. Exports Terrorism Fears

Posted By Bruce Schneier

To New Zealand: United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as "body bombers." [...] "Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward." Why the headline of this...

Mon, 14 May 2012 11:19:44 UTC

The Trouble with Airport Profiling

Posted By Bruce Schneier

Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who...

Fri, 11 May 2012 21:58:04 UTC

Friday Squid Blogging: New Book on Squid

Posted By Bruce Schneier

Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 May 2012 11:42:22 UTC

Smart Phone Privacy App

Posted By Bruce Schneier

MobileScope looks like a great tool for monitoring and controlling what information third parties get from your smart phone apps: We built MobileScope as a proof-of-concept tool that automates much of what we were doing manually; monitoring mobile devices for surprising traffic and highlighting potentially privacy-revealing flows [...] Unlike PCs, we have little control over the underlying privacy and security...

Thu, 10 May 2012 10:46:52 UTC

Security Fail

Posted By Bruce Schneier

Funny....

Wed, 09 May 2012 11:24:17 UTC

RuggedCom Inserts Backdoor into Its Products

Posted By Bruce Schneier

All RuggedCom equipment comes with a built-in backdoor: The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be...

Tue, 08 May 2012 18:14:17 UTC

A Foiled Terrorist Plot

Posted By Bruce Schneier

We don't know much, but here are my predictions: There's a lot more hyperbole to this story than reality. The explosive would have either 1) been caught by pre-9/11 security, or 2) not been caught by post-9/11 security. Nonetheless, it will be used to justify more invasive airport security....

Tue, 08 May 2012 12:03:52 UTC

Overreacting to Potential Bombs

Posted By Bruce Schneier

This is a ridiculous overreaction: The police bomb squad was called to 2 World Financial Center in lower Manhattan at midday when a security guard reported a package that seemed suspicious. Brookfield Properties, which runs the property, ordered an evacuation as a precaution. That's the entire building, a 44-story, 2.5-million-square-foot office building. And why? The bomb squad determined the package...

Mon, 07 May 2012 11:52:51 UTC

Naval Drones

Posted By Bruce Schneier

With all the talk about airborne drones like the Predator, it's easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV): The boat -- painted in Navy gray and with a striking resemblance to a PT boat -- is 39 feet long and can reach a top speed of 28 knots....

Fri, 04 May 2012 21:01:04 UTC

Friday Squid Blogging: Squid Bicycle Parking Sculpture

Posted By Bruce Schneier

Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 May 2012 18:31:57 UTC

Tampon-Shaped USB Drive

Posted By Bruce Schneier

This vendor is selling a tampon-shaped USB drive. Although it's less secure now that there are blog posts about it....

Fri, 04 May 2012 11:31:19 UTC

Facial Recognition of Avatars

Posted By Bruce Schneier

I suppose this sort of thing might be useful someday. In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there...

Thu, 03 May 2012 11:22:45 UTC

Criminal Intent Prescreening and the Base Rate Fallacy

Posted By Bruce Schneier

I've often written about the base rate fallacy and how it makes tests for rare events -- like airplane terrorists -- useless because the false positives vastly outnumber the real positives. This essay uses that argument to demonstrate why the TSA's FAST program is useless: First, predictive software of this kind is undermined by a simple statistical problem known as...

Wed, 02 May 2012 17:41:39 UTC

Al Qaeda Steganography

Posted By Bruce Schneier

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie. Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than...

Wed, 02 May 2012 12:10:38 UTC

Cybercrime as a Tragedy of the Commons

Posted By Bruce Schneier

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn't as big a problem as conventional wisdom makes it out to be. We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority....

Tue, 01 May 2012 12:31:44 UTC

When Investigation Fails to Prevent Terrorism

Posted By Bruce Schneier

I've long advocated investigation, intelligence, and emergency response as the places where we can most usefully spend our counterterrorism dollars. Here's an example where that didn't work: Starting in April 1991, three FBI agents posed as members of an invented racist militia group called the Veterans Aryan Movement. According to their cover story, VAM members robbed armored cars, using the...

Mon, 30 Apr 2012 11:52:17 UTC

JCS Chairman Sows Cyberwar Fears

Posted By Bruce Schneier

Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks. Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race....

Sat, 28 Apr 2012 00:57:28 UTC

Vote for Liars and Outliers

Posted By Bruce Schneier

Actionable Books is having a vote to determine which of four books to summarize on their site. If you are willing, please go there and vote for Liars and Outliers. (Voting requires a Facebook ID.) Voting closes Monday at noon EST, although I presume they mean EDT....

Fri, 27 Apr 2012 16:32:49 UTC

Friday Squid Blogging: Chesapeake Bay Squid

Posted By Bruce Schneier

Great pictures. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Apr 2012 11:53:30 UTC

Attack Mitigation

Posted By Bruce Schneier

At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: "Damage Mitigation as the New Defense." That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop...

Thu, 26 Apr 2012 11:57:58 UTC

Biometric Passports Make it Harder for Undercover CIA Officers

Posted By Bruce Schneier

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents. Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a...

Wed, 25 Apr 2012 11:51:32 UTC

Fear and the Attention Economy

Posted By Bruce Schneier

danah boyd is thinking about -- in a draft essay, and as a recording of a presentation -- fear and the attention economy. Basically, she is making the argument that the attention economy magnifies the culture of fear because fear is a good way to get attention, and that this is being made worse by the rise of social media....

Tue, 24 Apr 2012 11:43:44 UTC

Amazing Round of "Split or Steal"

Posted By Bruce Schneier

In Liars and Outliers, I use the metaphor of the Prisoner's Dilemma to exemplify the conflict between group interest and self-interest. There are a gazillion academic papers on the Prisoner's Dilemma from a good dozen different academic disciplines, but the weirdest dataset on real people playing the game is from a British game show called Golden Balls. In the final...

Mon, 23 Apr 2012 11:18:12 UTC

Alan Turing Cryptanalysis Papers

Posted By Bruce Schneier

GCHQ, the UK government's communications headquarters, has released two new -- well, 70 years old, but new to us -- cryptanalysis documents by Alan Turing. The papers, one entitled The Applications of Probability to Crypt, and the other entitled Paper on the Statistics of Repetitions, discuss mathematical approaches to code breaking. [...] According to the GCHQ mathematician, who identified himself...

Fri, 20 Apr 2012 21:49:34 UTC

Friday Squid Blogging: Extracting Squid Ink

Posted By Bruce Schneier

How to extract squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Apr 2012 17:48:07 UTC

Liars & Outliers Update

Posted By Bruce Schneier

Liars & Outliers has been available for about two months, and is selling well both in hardcover and e-book formats. More importantly, I'm very pleased with the book's reception. The reviews I've gotten have been great, and I read a lot of tweets from people who have enjoyed the book. My goal was to give people new ways to think...

Fri, 20 Apr 2012 11:19:44 UTC

TSA Behavioral Detection Statistics

Posted By Bruce Schneier

Interesting data from the U.S. Government Accounting Office: But congressional auditors have questions about other efficiencies as well, like having 3,000 "behavior detection" officers assigned to question passengers. The officers sidetracked 50,000 passengers in 2010, resulting in the arrests of 300 passengers, the GAO found. None turned out to be terrorists. Yet in the same year, behavior detection teams apparently...

Thu, 19 Apr 2012 18:03:11 UTC

Dance Moves As an Identifier

Posted By Bruce Schneier

A burglar was identified by his dance moves, captured on security cameras: "The 16-year-old juvenile suspect is known for his 'swag,' or signature dance move," Heyse said, "and [he] does it in the hallways at school." Presumably, although the report doesn't make it clear, a classmate or teacher saw the video, recognized the distinctive swag and notified authorities. But is...

Thu, 19 Apr 2012 10:52:09 UTC

Smart Meter Hacks

Posted By Bruce Schneier

Brian Krebs writes about smart meter hacks: But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet....

Wed, 18 Apr 2012 18:30:47 UTC

Password Security at Linode

Posted By Bruce Schneier

Here's something good: We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers. And this: Some of you may have noticed a few changes to the Linode Manager over the past...

Wed, 18 Apr 2012 11:49:43 UTC

Stolen Phone Database

Posted By Bruce Schneier

This article talks about a database of stolen cell phone IDs that will be used to deny service. While I think this is a good idea, I don't know how much it would deter cell phone theft. As long as there are countries that don't implement blocking based on the IDs in the databases -- and surely there will always...

Tue, 17 Apr 2012 18:22:44 UTC

Forever-Day Bugs

Posted By Bruce Schneier

That's a nice turn of phrase: Forever day is a play on "zero day," a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or "infinite days" by some researchers, forever days refer to bugs that never get fixed -- even when they're acknowledged by the company that developed the software....

Tue, 17 Apr 2012 11:15:38 UTC

Outliers in Intelligence Analysis

Posted By Bruce Schneier

From the CIA journal Studies in Intelligence: "Capturing the Potential of Outlier Ideas in the Intelligence Community." In war you will generally find that the enemy has at any time three courses of action open to him. Of those three, he will invariably choose the fourth. Helmuth Von Moltke With that quip, Von Moltke may have launched a spirited debate...

Mon, 16 Apr 2012 17:29:40 UTC

Hawley Channels His Inner Schneier

Posted By Bruce Schneier

Kip Hawley wrote an essay for the Wall Street Journal on airport security. In it, he says so many sensible things that people have been forwarding it to me with comments like "did you ghostwrite this?" and "it looks like you won an argument" and "how did you convince him?" (Sadly, the essay was published in the Journal, which means...

Mon, 16 Apr 2012 10:55:15 UTC

How Information Warfare Changes Warfare

Posted By Bruce Schneier

Really interesting paper on the moral and ethical implications of cyberwar, and the use of information technology in war (drones, for example): "Information Warfare: A Philosophical Perspective," by Mariarosaria Taddeo, Philosophy and Technology, 2012. Abstract: This paper focuses on Information Warfare -- the warfare characterised by the use of information and communication technologies. This is a fast growing phenomenon, which...

Fri, 13 Apr 2012 21:48:05 UTC

Friday Squid Blogging: Squid Fiction

Posted By Bruce Schneier

Great short story in Nature. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Apr 2012 19:11:30 UTC

Me at RSA 2012

Posted By Bruce Schneier

This is not a video of my talk at the RSA Conference earlier this year. This is a 16-minute version of that talk -- TED-like -- that the conference filmed the day after for the purpose of putting it on the Internet. Today's Internet threats are not technical; they're social and political. They aren't criminals, hackers, or terrorists. They're the...

Fri, 13 Apr 2012 12:08:15 UTC

Disguising Tor Traffic as Skype Video Calls

Posted By Bruce Schneier

One of the problems with Tor traffic is that it can be detected and blocked. Here's SkypeMorph, a clever system that disguises Tor traffic as Skype video traffic. To prevent the Tor traffic from being recognized by anyone analyzing the network flow, SkypeMorph uses what's known as traffic shaping to convert Tor packets into User Datagram Protocol packets, as used...

Thu, 12 Apr 2012 18:34:02 UTC

Bomb Threats As a Denial-of-Service Attack

Posted By Bruce Schneier

The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom -- one of the threatened buildings is the 42-story Cathedral of Learning -- finds nothing, and eventually resumes classes. This seems to be nothing...

Thu, 12 Apr 2012 11:38:56 UTC

Brian Snow on Cybersecurity

Posted By Bruce Schneier

Interesting video of Brian Snow speaking from last November. (Brian used to be the Technical Director of NSA's Information Assurance Directorate.) About a year and a half ago, I complained that his words were being used to sow cyber-fear. This talk -- about 30 minutes -- is a better reflection of what he really thinks....

Wed, 11 Apr 2012 18:25:54 UTC

"Raise the Crime Rate"

Posted By Bruce Schneier

I read this a couple of months ago, and I'm still not sure what I think about it. It's definitely one of the most thought-provoking essays I've read this year. According to government statistics, Americans are safer today than at any time in the last forty years. In 1990, there were 2,245 homicides in New York City. In 2010, there were...

Wed, 11 Apr 2012 14:57:15 UTC

A Heathrow Airport Story about Trousers

Posted By Bruce Schneier

Usually I don't bother posting random stories about dumb or inconsistent airport security measures. But this one is particularly interesting: "Sir, your trousers." "Pardon?" "Sir, please take your trousers off." A pause. "No." "No?" The security official clearly was not expecting that response. He begins to look like he doesn't know what to do, bless him. "You have no power...

Tue, 10 Apr 2012 15:21:50 UTC

Teenagers and Privacy

Posted By Bruce Schneier

Good article debunking the myth that young people don't care about privacy on the Internet. Most kids are well aware of risks, and make "fairly sophisticated" decisions about privacy settings based on advice and information from their parents, teachers, and friends. They differentiate between people they don't know out in the world (distant strangers) and those they don't know in...

Mon, 09 Apr 2012 12:45:06 UTC

Laptops and the TSA

Posted By Bruce Schneier

The New York Times tries to make sense of the TSA's policies on computers. Why do you have to take your tiny laptop out of your bag, but not your iPad? Their conclusion: security theater....

Fri, 06 Apr 2012 21:14:23 UTC

Friday Squid Blogging: Squid Art

Posted By Bruce Schneier

Happy Easter. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Apr 2012 16:03:38 UTC

A Systems Framework for Catastrophic Disaster Response

Posted By Bruce Schneier

The National Academies Press has published Crisis Standards of Care: A Systems Framework for Catastrophic Disaster Response. When a nation or region prepares for public health emergencies such as a pandemic influenza, a large-scale earthquake, or any major disaster scenario in which the health system may be destroyed or stressed to its limits, it is important to describe how standards...

Fri, 06 Apr 2012 10:35:08 UTC

James Randi on Magicians and the Security Mindset

Posted By Bruce Schneier

Okay, so he doesn't use that term. But he explains how a magician's inherent ability to detect deception can be useful to science. We can't make magicians out of scientists -- we wouldn't want to -- but we can help scientists "think in the groove" -- think like a magician. And we should. We are not scientists -- with a...

Thu, 05 Apr 2012 17:42:06 UTC

Helen Nussenbaum, Privacy, and the Federal Trade Commission

Posted By Bruce Schneier

Good article....

Thu, 05 Apr 2012 11:19:30 UTC

JetBlue Captain Clayton Osbon and Resilient Security

Posted By Bruce Schneier

This is the most intelligent thing I've read about the JetBlue incident where a pilot had a mental breakdown in the cockpit: For decades, public safety officials and those who fund them have focused on training and equipment that has a dual-use function for any hazard that may come our way. The post-9/11 focus on terrorism, with all the gizmos...

Wed, 04 Apr 2012 17:34:27 UTC

The Battle for Internet Governance

Posted By Bruce Schneier

Good article on the current battle for Internet governance: The War for the Internet was inevitable -- a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers...

Wed, 04 Apr 2012 11:07:36 UTC

Lost Smart Phones and Human Nature

Posted By Bruce Schneier

Symantec deliberately "lost" a bunch of smart phones with tracking software on them, just to see what would happen: Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a filed named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were...

Tue, 03 Apr 2012 19:01:02 UTC

Law Enforcement Forensics Tools Against Smart Phones

Posted By Bruce Schneier

Turns out the password can be easily bypassed: XRY works by first jailbreaking the handset. According to Micro Systemation, no backdoors created by Apple used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do. Once the iPhone has been jailbroken, the tool then goes on to brute-force the passcode, trying...

Tue, 03 Apr 2012 11:53:15 UTC

Computer Forensics: An Example

Posted By Bruce Schneier

Paul Ceglia's lawsuit against Facebook is fascinating, but that's not the point of this blog post. As part of the case, there are allegations that documents and e-mails have been electronically forged. I found this story about the forensics done on Ceglia's computer to be interesting....

Mon, 02 Apr 2012 12:56:45 UTC

Buying Exploits on the Grey Market

Posted By Bruce Schneier

This article talks about legitimate companies buying zero-day exploits, including the fact that "an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit." The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher...

Fri, 30 Mar 2012 21:28:52 UTC

Friday Squid Blogging: How Squid Hear

Posted By Bruce Schneier

Interesting research: The squid use two closely spaced organs called statocysts to sense sound. "I think of a statocyst as an inside-out tennis ball," explains Dr Mooney. "It's got hairs on the inside and this little dense calcium stone that sits on those hair cells. "What happens is that the sound wave actually moves the squid back and forth, and...

Thu, 29 Mar 2012 19:07:38 UTC

Summer Schools in Cryptography and Software Security at Penn State

Posted By Bruce Schneier

Normally I just delete these as spam, but this summer program for graduate students 1) looks interesting, and 2) has some scholarship money available....

Thu, 29 Mar 2012 11:53:30 UTC

Harms of Post-9/11 Airline Security

Posted By Bruce Schneier

As I posted previously, I have been debating former TSA Administrator Kip Hawley on the Economist website. I didn't bother reposting my opening statement and rebuttal, because -- even though I thought I did a really good job with them -- they were largely things I've said before. In my closing statement, I talked about specific harms post-9/11 airport security...

Wed, 28 Mar 2012 11:05:26 UTC

SHARCS Conference

Posted By Bruce Schneier

Last weekend was the 2012 SHARCS (Special-Purpose Hardware for Attacking Cryptographic Systems) conference. The presentations are online....

Tue, 27 Mar 2012 11:46:48 UTC

The Effects of Data Breach Litigation

Posted By Bruce Schneier

"Empirical Analysis of Data Breach Litigation," Sasha Romanosky, David Hoffman, and Alessandro Acquisti: Abstract: In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated,...

Mon, 26 Mar 2012 18:02:24 UTC

Congressional Testimony on the TSA

Posted By Bruce Schneier

I was supposed to testify today about the TSA in front of the House Committee on Oversight and Government Reform. I was informally invited a couple of weeks ago, and formally invited last Tuesday: The hearing will examine the successes and challenges associated with Advanced Imaging Technology (AIT), the Screening of Passengers by Observation Techniques (SPOT) program, the Transportation Worker...

Mon, 26 Mar 2012 11:38:16 UTC

Rare Spanish Enigma Machine

Posted By Bruce Schneier

This is a neat story: A pair of rare Enigma machines used in the Spanish Civil War have been given to the head of GCHQ, Britain's communications intelligence agency. The machines - only recently discovered in Spain - fill in a missing chapter in the history of British code-breaking, paving the way for crucial successes in World War II. Fun...

Fri, 23 Mar 2012 21:18:40 UTC

Friday Squid Blogging: Giant Squid Eyes

Posted By Bruce Schneier

It seems that the huge eyes of the giant squid are optimized to see sperm whales....

Fri, 23 Mar 2012 11:33:14 UTC

The Economist Debate on Airplane Security

Posted By Bruce Schneier

On The Economist website, I am currently debating Kip Hawley on airplane security. On Tuesday we posted our initial statements, and today (London time) we posted our rebuttals. We have one more round to go. I've set it up to talk about the myriad of harms airport security has caused: loss of trust in government, increased fear, creeping police state,...

Thu, 22 Mar 2012 12:17:05 UTC

Can the NSA Break AES?

Posted By Bruce Schneier

In an excellent article in Wired, James Bamford talks about the NSA's codebreaking capability. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the...

Wed, 21 Mar 2012 19:36:19 UTC

Another Liars and Outliers Excerpt

Posted By Bruce Schneier

IT World published an excerpt from Chapter 4....

Wed, 21 Mar 2012 11:26:26 UTC

Unprinter

Posted By Bruce Schneier

A way to securely erase paper: "The key idea was to find a laser energy level that is high enough to ablate - or vaporise - the toner that at the same time is lower than the destruction threshold of the paper substrate. It turns out the best wavelength is 532 nanometres - that's green visible light - with a...

Tue, 20 Mar 2012 13:52:05 UTC

Hacking Critical Infrastructure

Posted By Bruce Schneier

An otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph: At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead...

Mon, 19 Mar 2012 19:33:02 UTC

Avi Rubin on Computer Security

Posted By Bruce Schneier

Avi Rubin has a TEDx talk on hacking various computer devices: medical devices, automobiles, police radios, smart phones, etc....

Mon, 19 Mar 2012 11:38:58 UTC

Australian Security Theater

Posted By Bruce Schneier

I like the quote at the end of this excerpt: Aviation officials have questioned the need for such a strong permanent police presence at airports, suggesting they were there simply "to make the government look tough on terror". One senior executive said in his experience, the officers were expensive window-dressing. "When you add the body scanners, the ritual humiliation of...

Fri, 16 Mar 2012 21:57:45 UTC

Friday Squid Blogging: Squid-Shaped USB Drive

Posted By Bruce Schneier

It looks great. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Mar 2012 18:15:24 UTC

BitCoin Security Musings

Posted By Bruce Schneier

Jon Callas talks about BitCoin's security model, and how susceptible it would be to a Goldfinger-style attack (destroy everyone else's BitCoins)....

Fri, 16 Mar 2012 12:09:58 UTC

Non-Lethal Heat Ray

Posted By Bruce Schneier

The U.S. military has a non-lethal heat ray. No details on what "non-lethal" means in this context....

Thu, 15 Mar 2012 19:35:42 UTC

Assorted Schneier News Stories

Posted By Bruce Schneier

I have several stories in the news (and one podcast), mostly surrounding the talks I gave at the RSA Conference last month....

Thu, 15 Mar 2012 11:16:13 UTC

More "Liars and Outliers" Links

Posted By Bruce Schneier

First, five new reviews of the book. Second, four new AV interviews about the book. Third, I take the Page 99 Test....

Wed, 14 Mar 2012 11:22:09 UTC

On Cyberwar Hype

Posted By Bruce Schneier

Good article by Thomas Rid on the hype surrounding cyberwar. It's well worth reading. And in a more academic paper, published in the RUSI Journal, Thomas Rid and Peter McBurney argue that cyber-weapons aren't all that destructive and that we've been misled by some bad metaphors. Some fundamental questions on the use of force in cyberspace are still unanswered. Worse,...

Tue, 13 Mar 2012 19:01:46 UTC

A Negative Liars and Outliers Review

Posted By Bruce Schneier

This person didn't like it at all. It'll go up on the book's webpage, along with all the positive reviews....

Tue, 13 Mar 2012 11:22:26 UTC

The Security of Multi-Word Passphrases

Posted By Bruce Schneier

Interesting research on the security of passphrases. From a blog post on the work: We found about 8,000 phrases using a 20,000 phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise 1%...

Mon, 12 Mar 2012 21:30:34 UTC

Video Shows TSA Full-Body Scanner Failure

Posted By Bruce Schneier

The Internet is buzzing about this video, showing a blogger walking through two different types of full-body scanners with metal objects. Basically, by placing the object on your side, the black image is hidden against the scanner's black background. This isn't new, by the way. This vulnerability was discussed in a paper published last year by the Journal of Transportation...

Mon, 12 Mar 2012 11:35:12 UTC

Jamming Speech with Recorded Speech

Posted By Bruce Schneier

This is cool: The idea is simple. Psychologists have known for some years that it is almost impossible to speak when your words are replayed to you with a delay of a fraction of a second. Kurihara and Tsukada have simply built a handheld device consisting of a microphone and a speaker that does just that: it records a person's...

Fri, 09 Mar 2012 22:01:37 UTC

Friday Squid Blogging: Humboldt Squid Can Dive to 1.5 km

Posted By Bruce Schneier

Yet another impressive Humboldt squid feat: "We've seen them make really impressive dives up to a kilometre and a half deep, swimming straight through a zone where there's really low oxygen," the Hopkins Marine Station researcher said. "They're able to spend several hours at this kilometre-and-a-half-deep, and then they go back up and continue their normal daily swimming behaviour. It's...

Fri, 09 Mar 2012 19:40:25 UTC

Liars and Outliers: Book Excerpt

Posted By Bruce Schneier

Gizmodo published the beginning of Chapter 17: the last chapter....

Thu, 08 Mar 2012 12:50:26 UTC

Cloud Computing As a Man-in-the-Middle Attack

Posted By Bruce Schneier

This essay uses the interesting metaphor of the man-in-the-middle attacker to describe cloud providers like Facebook and Google. Basically, they get in the middle of our interactions with others and eavesdrop on the data going back and forth....

Wed, 07 Mar 2012 19:35:11 UTC

NSA's Secure Android Spec

Posted By Bruce Schneier

The NSA has released its specification for a secure Android. One of the interesting things it's requiring is that all data be tunneled through a secure VPN: Inter-relationship to Other Elements of the Secure VoIP System The phone must be a commercial device that supports the ability to pass data over a commercial cellular network. Standard voice phone calls, with...

Wed, 07 Mar 2012 12:14:28 UTC

How Changing Technology Affects Security

Posted By Bruce Schneier

Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection -- what attackers can get away with -- and attackers use new technologies to increase it. What's interesting is the difference between how the...

Tue, 06 Mar 2012 19:22:57 UTC

The Keywords the DHS Is Using to Analyze Your Social Media Posts

Posted By Bruce Schneier

According to this document, received by EPIC under the Freedom of Information Act, the U.S. Department of Homeland Security is combing through the gazillions of social media postings looking for terrorists. A partial list of keywords is included in the document (pages 20-23), and is reprinted in this blog post....

Tue, 06 Mar 2012 12:20:29 UTC

Comic: Movie Hacking vs. Real Hacking

Posted By Bruce Schneier

Funny....

Mon, 05 Mar 2012 19:30:02 UTC

Themes from the RSA Conference

Posted By Bruce Schneier

Last week was the big RSA Conference in San Francisco: something like 20,000 people. From what I saw, these were the major themes on the show floor: Companies that deal with "Advanced Persistent Threat." Companies that help you recover after you've been hacked. Companies that deal with "Bring Your Own Device" at work, also known as consumerization. Who else went...

Mon, 05 Mar 2012 12:45:51 UTC

British Anti-Theft Briefcase from the 1960s

Posted By Bruce Schneier

Fantastic....

Fri, 02 Mar 2012 22:41:45 UTC

Friday Squid Blogging: Squid Vision

Posted By Bruce Schneier

Some squid can see aspects of light that are invisible to humans, including polarized light. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Mar 2012 19:21:49 UTC

Liars and Outliers: The Big Idea

Posted By Bruce Schneier

My big idea is a big question. Every cooperative system contains parasites. How do we ensure that society's parasites don't destroy society's systems? It's all about trust, really. Not the intimate trust we have in our close friends and relatives, but the more impersonal trust we have in the various people and systems we interact with in society. I trust...

Fri, 02 Mar 2012 12:11:46 UTC

GPS Spoofers

Posted By Bruce Schneier

Great movie-plot threat: Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. "They are always visible because...

Thu, 01 Mar 2012 19:32:57 UTC

State Department Redacts Wikileaks Cables

Posted By Bruce Schneier

The ACLU filed a FOIA request for a bunch of cables that Wikileaks had already released complete versions of. This is what happened: The agency released redacted versions of 11 and withheld the other 12 in full. The five excerpts below show the government's selective and self-serving decisions to withhold information. Because the leaked versions of these cables have already...

Thu, 01 Mar 2012 12:39:45 UTC

Detect Which Social Networking Sites Website Visitors Are Logged Into

Posted By Bruce Schneier

Clever hack....

Wed, 29 Feb 2012 13:11:17 UTC

FBI Special Agent and Counterterrorism Expert Criticizes the TSA

Posted By Bruce Schneier

Good essay. Nothing I haven't said before, but it's good to hear it from someone with a widely different set of credentials than I have....

Tue, 28 Feb 2012 12:43:08 UTC

"Cyberwar Is the New Yellowcake"

Posted By Bruce Schneier

Good essay on the dangers of cyberwar rhetoric -- and the cyberwar arms race....

Mon, 27 Feb 2012 18:30:37 UTC

Liars and Outliers: Interview on The Browser

Posted By Bruce Schneier

I was asked to talk about five books related to privacy. You're best known as a security expert but our theme today is "trust". How would you describe the connection between the two? Security exists to facilitate trust. Trust is the goal, and security is how we enable it. Think of it this way: As members of modern society, we...

Mon, 27 Feb 2012 11:49:52 UTC

U.S. Federal Court Rules that it is Unconstitutional for the Police to Force Someone to Decrypt their Laptop

Posted By Bruce Schneier

A U.S. Federal Court ruled that it is unconstitutional for the police to force someone to decrypt their laptop computer: Thursday's decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of...

Fri, 24 Feb 2012 22:08:07 UTC

Friday Squid Blogging: Squid Can Fly to Save Energy

Posted By Bruce Schneier

There's a new study that shows that squid are faster in the air than in the water. Squid of many species have been seen to 'fly' using the same jet-propulsion mechanisms that they use to swim: squirting water out of their mantles so that they rocket out of the sea and glide through the air. Until now, most researchers have...

Fri, 24 Feb 2012 21:18:30 UTC

Liars and Outliers News

Posted By Bruce Schneier

The book is selling well. (Signed copies are still available on the website.) All the online stores have it, and most bookstores as well. It is available in Europe and elsewhere outside the U.S. And for those who wanted a DRM-free electronic copy, it's available on the O'Reilly.com bookstore for $11.99. I have collected four new reviews. And a bunch...

Fri, 24 Feb 2012 20:56:52 UTC

Press Mentions

Posted By Bruce Schneier

One article on me, and a podcast about my RSA talk next week....

Fri, 24 Feb 2012 19:37:50 UTC

Mention of Cryptography in a Rap Song

Posted By Bruce Schneier

The new movie Safe House features the song "No Church in the Wild," by Kanye West, which includes this verse: I live by you, desire I stand by you, walk through the fire Your love is my scripture Let me into your encryption...

Fri, 24 Feb 2012 13:06:19 UTC

Computer Security when Traveling to China

Posted By Bruce Schneier

Interesting: When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables...

Thu, 23 Feb 2012 18:29:46 UTC

Another Piece of the Stuxnet Puzzle

Posted By Bruce Schneier

We can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran. Watch this new video presentation from Ralph Langner, the researcher who has done the most work on Stuxnet. It's a long clip, but the good stuff is between 21:00 and 29:00. The pictures he's referring to are still up. My previous writings...

Thu, 23 Feb 2012 12:27:50 UTC

Mobile Malware Is Increasing

Posted By Bruce Schneier

According to a report by Juniper, mobile malware is increasing dramatically. In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. Most noteworthy was the dramatic growth in Android Malware from roughly 400 samples in June to over 13,000 samples by the end of 2011. This amounts to a cumulative increase of...

Wed, 22 Feb 2012 12:53:59 UTC

John Nash's 1955 Letter to the NSA

Posted By Bruce Schneier

Fascinating....

Tue, 21 Feb 2012 13:36:38 UTC

"1234" and Birthdays Are the Most Common PINs

Posted By Bruce Schneier

Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson: Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression...

Mon, 20 Feb 2012 12:30:58 UTC

Covert Communications Channel in Tarsiers

Posted By Bruce Schneier

Marissa A. Ramsier, Andrew J. Cunningham, Gillian L. Moritz, James J. Finneran, Cathy V. Williams, Perry S. Ong, Sharon L. Gursky-Doyen, and Nathaniel J. Dominy (2012), "Primate communication in the pure ultrasound," Biology Letters. Abstract: Few mammals -- cetaceans, domestic cats and select bats and rodents -- can send and receive vocal signals contained within the ultrasonic domain, or pure...

Fri, 17 Feb 2012 22:37:21 UTC

Friday Squid Blogging: Squid Desk Lamp

Posted By Bruce Schneier

Beautiful sculpture. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Feb 2012 19:45:41 UTC

What Is a Suspicious-Looking Package, Anyway?

Posted By Bruce Schneier

Funny comic....

Fri, 17 Feb 2012 12:25:49 UTC

Self-Domestication in Bonobos and Other Animals

Posted By Bruce Schneier

Self-domestication happens when the benefits of cooperation outweigh the costs: But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the...

Thu, 16 Feb 2012 18:22:26 UTC

Cryptanalysis of Satellite Phone Encryption Algorithms

Posted By Bruce Schneier

From the abstract of the paper: In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the...

Thu, 16 Feb 2012 12:51:51 UTC

Lousy Random Numbers Cause Insecure Public Keys

Posted By Bruce Schneier

There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well. The cause of this is almost...
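The weakness described above is easy to see in code. The following is an added illustration, not code from the paper or from this blog: it builds three toy RSA moduli from constructed (hypothetical, tiny) primes, two of which reuse the same prime because their "random" generator repeated itself, then shows that a plain GCD between moduli exposes the shared prime and lets anyone recover the private exponent. Real keys are 1024 bits or more, but the arithmetic is the same; the pairwise loop here is the naive O(n^2) form, whereas the researchers used a batch-GCD product/remainder tree to scale to millions of keys.

```python
"""Added example: detecting RSA moduli that share a prime factor via GCD.

All primes below are constructed toy values (assumptions for the demo), not
real key material. E is the customary public exponent.
"""
from math import gcd

# Constructed toy primes. P_SHARED is reused in two keys, mimicking a key
# generator whose entropy ran out and produced the same prime twice.
P_SHARED = 1000000007
Q1 = 998244353
Q2 = 1000000009
Q3 = 1000000021
Q4 = 1000000033
E = 65537


def make_modulus(p, q):
    """RSA modulus n = p * q."""
    return p * q


def find_shared_factors(moduli):
    """Return {modulus: shared_prime} for every modulus that shares a prime
    with another modulus in the list.

    Two moduli n = p*q and m = p*r with q != r have gcd(n, m) == p, which
    factors both instantly. Distinct, properly generated keys give gcd 1.
    """
    weak = {}
    for i, n in enumerate(moduli):
        for m in moduli[i + 1:]:
            g = gcd(n, m)
            if 1 < g < n:  # nontrivial common factor (g == n would mean n == m)
                weak[n] = g
                weak[m] = g
    return weak


def recover_private_exponent(n, p, e=E):
    """Given one prime factor p of n, compute q, phi(n) and d = e^-1 mod phi."""
    q = n // p
    assert p * q == n, "p does not divide n"
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def demo():
    """Run the attack on the constructed key set; returns (weak_map, roundtrip_ok)."""
    n1 = make_modulus(P_SHARED, Q1)
    n2 = make_modulus(P_SHARED, Q2)
    n3 = make_modulus(Q3, Q4)  # a healthy key: shares nothing with the others

    weak = find_shared_factors([n1, n2, n3])

    # Use the leaked factor to derive n1's private key and decrypt a test message.
    d1 = recover_private_exponent(n1, weak[n1])
    message = 42
    ciphertext = pow(message, E, n1)
    roundtrip_ok = pow(ciphertext, d1, n1) == message
    return weak, roundtrip_ok


if __name__ == "__main__":
    weak_keys, ok = demo()
    for n, p in weak_keys.items():
        print(f"modulus {n} is weak: shares prime {p}")
    print("private key recovered and decryption verified:", ok)
```

Only the two moduli that reuse P_SHARED show up in the result; n3 survives because it shares no factor. The defensive check is the same computation run over your own fleet's public keys (or against a public corpus) before deployment.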

Wed, 15 Feb 2012 19:11:06 UTC

Dumb Risk of the Day

Posted By Bruce Schneier

Geotagged images of children: Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA. The location information...

Wed, 15 Feb 2012 13:09:22 UTC

The Sudafed Security Trade-Off

Posted By Bruce Schneier

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine: Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this...

Tue, 14 Feb 2012 18:36:11 UTC

SSL Traffic Analysis on Google Maps

Posted By Bruce Schneier

Interesting....

Tue, 14 Feb 2012 13:12:53 UTC

Trust Requires Transparency

Posted By Bruce Schneier

Adam Shostack explains to Verisign that trust requires transparency. This is a lesson Path should have learned....

Mon, 13 Feb 2012 20:53:30 UTC

Liars and Outliers Update

Posted By Bruce Schneier

Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped...

Mon, 13 Feb 2012 11:20:24 UTC

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Posted By Bruce Schneier

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key. What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might...

Fri, 10 Feb 2012 22:04:47 UTC

Friday Squid Blogging: Squid's Beard

Posted By Bruce Schneier

It's an acoustic bluegrass band. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Feb 2012 20:08:22 UTC

Captchas

Posted By Bruce Schneier

Funny....

Fri, 10 Feb 2012 12:21:14 UTC

Securing iPads for Exams

Posted By Bruce Schneier

Interesting blog post about locking down an iPad so students can take exams on them....

Thu, 09 Feb 2012 12:10:35 UTC

Security Implications of "Lower-Risk Aircraft"

Posted By Bruce Schneier

Interesting paper: Paul J. Freitas (2012), "Passenger aviation security, risk management, and simple physics," Journal of Transportation Security. Abstract: Since the September 11, 2001 suicide hijacking attacks on the United States, preventing similar attacks from recurring has been perhaps the most important goal of aviation security. In addition to other measures, the US government has increased passenger screening requirements to...

Wed, 08 Feb 2012 12:46:04 UTC

Solving the Underlying Economic Problem of Internet Piracy

Posted By Bruce Schneier

This essay is definitely thinking along the correct directions....

Tue, 07 Feb 2012 11:53:41 UTC

Error Rates of Hand-Counted Voting Systems

Posted By Bruce Schneier

The error rate for hand-counted ballots is about two percent. All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem,...

Mon, 06 Feb 2012 19:23:27 UTC

The Failure of Two-Factor Authentication

Posted By Bruce Schneier

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked...

Fri, 03 Feb 2012 22:18:41 UTC

Friday Squid Blogging: Clothing that Keeps an Exercise Journal

Posted By Bruce Schneier

It's called Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Feb 2012 20:49:54 UTC

The Problems of Too Much Information Sharing

Posted By Bruce Schneier

Funny. Fake, but funny....

Fri, 03 Feb 2012 16:49:08 UTC

VeriSign Hacked, Successfully and Repeatedly, in 2010

Posted By Bruce Schneier

Reuters discovered the information: The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The company, unsurprisingly,...

Thu, 02 Feb 2012 15:04:12 UTC

Prisons in the U.S.

Posted By Bruce Schneier

Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value: Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second...

Wed, 01 Feb 2012 12:05:59 UTC

The Idaho Loophole

Posted By Bruce Schneier

Brian C. Kalt (2012), "The Idaho Loophole," Georgetown Law Journal, Vol. 93, No. 2. Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal...

Tue, 31 Jan 2012 23:03:31 UTC

Possibly the Most Incompetent TSA Story Yet

Posted By Bruce Schneier

The storyline: TSA screener finds two pipes in passenger's bags. Screener determines that they're not a threat. Screener confiscates them anyway, because of their "material and appearance." Because they're not actually a threat, screener leaves them at the checkpoint. Everyone forgets about them. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able...

Tue, 31 Jan 2012 17:13:27 UTC

Biases in Forensic Science

Posted By Bruce Schneier

Some errors in forensic science may be the result of the biases of the medical examiners: Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even...

Mon, 30 Jan 2012 19:59:42 UTC

Liars and Outliers Update

Posted By Bruce Schneier

According to my publisher, the book was printed last week and the warehouse is shipping orders to booksellers today. Amazon is likely to start shipping books on Thursday. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they'll ship copies as soon as they get them -- this ain't Harry Potter.) The Kindle edition...

Mon, 30 Jan 2012 16:52:01 UTC

British Tourists Arrested in the U.S. for Tweeting

Posted By Bruce Schneier

Does this story make sense to anyone? The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'. After making their way through passport control at Los Angeles International Airport (LAX)...

Mon, 30 Jan 2012 12:02:49 UTC

The Nature of Cyberwar

Posted By Bruce Schneier

This was pretty good, I thought: However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider: The Internet is an artificial environment that can be shaped in part according to national security requirements. The blinding proliferation of technology and hacker tools makes it impossible...

Fri, 27 Jan 2012 12:39:16 UTC

Password Sharing Among American Teenagers

Posted By Bruce Schneier

Interesting article from the New York Times on password sharing as a show of affection. "It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to...

Thu, 26 Jan 2012 16:36:32 UTC

Evidence on the Effectiveness of Terrorism

Posted By Bruce Schneier

Readers of this blog will know that I like the works of Max Abrams, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583-94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11, Defence and Peace Economics": The basic narrative of bargaining theory predicts that, all else...

Wed, 25 Jan 2012 19:56:57 UTC

Federal Judge Orders Defendant to Decrypt Laptop

Posted By Bruce Schneier

A U.S. federal judge has ordered a defendant to decrypt her laptop....

Wed, 25 Jan 2012 18:54:19 UTC

Supreme Court Rules that GPS Tracking Requires a Warrant

Posted By Bruce Schneier

The U.S. Supreme Court has ruled that the police cannot attach a GPS tracking device to a car without a warrant....

Wed, 25 Jan 2012 12:44:26 UTC

Research into an Information Security Risk Rating

Posted By Bruce Schneier

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals: Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered every day and the industry needs a solution that enables a business to continuously monitor changing risk posture of all...

Tue, 24 Jan 2012 12:46:08 UTC

Using Plant DNA for Authentication

Posted By Bruce Schneier

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the...

Mon, 23 Jan 2012 17:49:29 UTC

Authentication by "Cognitive Footprint"

Posted By Bruce Schneier

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when...

Fri, 20 Jan 2012 12:39:45 UTC

The Continued Militarization of the U.S. Police

Posted By Bruce Schneier

The state of Texas gets an armed PT boat. I guess armed drones weren't enough for them....

Thu, 19 Jan 2012 19:02:09 UTC

The Onion on Facebook

Posted By Bruce Schneier

Funny news video on Facebook and the CIA....

Thu, 19 Jan 2012 12:36:38 UTC

Using False Alarms to Disable Security

Posted By Bruce Schneier

I wrote about this technique in Beyond Fear: Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police. The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door....

Tue, 17 Jan 2012 22:10:01 UTC

Going Dark to Protest SOPA/PIPA

Posted By Bruce Schneier

Tomorrow, from 8 am to 8 pm EDT, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others. A list of participants, and HTML and JavaScript code for anyone who wants to participate, can be found here....

Tue, 17 Jan 2012 18:29:58 UTC

Tor Opsec

Posted By Bruce Schneier

Good operational security guide to Tor....

Tue, 17 Jan 2012 13:31:14 UTC

The Importance of Good Backups

Posted By Bruce Schneier

Thankfully, this doesn't happen very often: A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings....

Mon, 16 Jan 2012 15:58:56 UTC

PCI Lawsuit

Posted By Bruce Schneier

This is a first: ...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to...

Fri, 13 Jan 2012 22:19:13 UTC

Friday Squid Blogging: Argentina Attempts a Squid Blockage against the Falkland Islands

Posted By Bruce Schneier

Yet another story that combines squid and security. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Jan 2012 18:58:24 UTC

Recovering a Hacked Gmail Account

Posted By Bruce Schneier

Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services....

Fri, 13 Jan 2012 12:58:01 UTC

"Going Dark" vs. a "Golden Age of Surveillance"

Posted By Bruce Schneier

It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need...

Thu, 12 Jan 2012 21:04:36 UTC

Abolish the Department of Homeland Security

Posted By Bruce Schneier

I have a love/hate relationship with the CATO Institute. Most of their analysis I strongly disagree with, but some of it I equally strongly agree with. Last September 11 -- the tenth anniversary of 9/11 -- CATO's David Rittgers published "Abolish the Department of Homeland Security": DHS has too many subdivisions in too many disparate fields to operate effectively. Agencies...

Thu, 12 Jan 2012 20:39:49 UTC

TSA Cupcake Update

Posted By Bruce Schneier

The TSA claims that the cupcake they confiscated was in a jar. So this is a less obviously stupid story than I previously thought....

Thu, 12 Jan 2012 18:37:28 UTC

A Theory of Online Jihadist Sites

Posted By Bruce Schneier

Very interesting: The counterterrorism community has spent years trying to determine why so many people are engaged in online jihadi communities in such a meaningful way. After all, the life of an online administrator for a hard-line Islamist forum is not as exciting as one might expect. You don't get paid, and you spend most of your time posting links...

Thu, 12 Jan 2012 11:53:20 UTC

Apple Split-Key Patent

Posted By Bruce Schneier

Apple has a patent on splitting a key between a portable device and its power supply. Clever idea....

Wed, 11 Jan 2012 13:15:30 UTC

Protecting Your Privacy at International Borders

Posted By Bruce Schneier

The EFF has published a good guide. My own advice is here and here....

Tue, 10 Jan 2012 12:56:27 UTC

Collecting Expert Predictions about Terrorist Attacks

Posted By Bruce Schneier

John Mueller has been collecting them: Some 116 of these Very People were surveyed in 2006 by Foreign Policy magazine in a joint project with the Center for American Progress. The magazine stressed that its survey drew from the "highest echelons of America's foreign policy establishment" and included the occasional secretary of state and national security adviser, as well as...

Mon, 09 Jan 2012 18:55:57 UTC

Stealing Source Code

Posted By Bruce Schneier

Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's...

Mon, 09 Jan 2012 12:00:55 UTC

The TSA Proves its Own Irrelevance

Posted By Bruce Schneier

Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own "Top 10 Good Catches of 2011": 10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I'm just happy there weren't any lions, tigers, and bears... [...] 3) Over 1,200 firearms were discovered at TSA checkpoints across the nation...

Fri, 06 Jan 2012 22:36:05 UTC

Friday Squid Blogging: Squid Skateboards

Posted By Bruce Schneier

Great designs....

Fri, 06 Jan 2012 19:50:49 UTC

Time to Patch Your HP Printers

Posted By Bruce Schneier

It's a serious vulnerability. Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire. Here's a list of all the printers affected....

Fri, 06 Jan 2012 12:30:24 UTC

Improving the Security of Four-Digit PINs on Cell Phones

Posted By Bruce Schneier

The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits. Then he points out that if your PIN has only three different digits...

Thu, 05 Jan 2012 19:39:55 UTC

Liars and Outliers News

Posted By Bruce Schneier

The Liars and Outliers webpage is live. On it you can find links to order both paper and e-book copies from a variety of online retailers, and signed copies directly from me. I've also posted the jacket copy, the table of contents, the first chapter, the 15 figures from the book, an image of the full wraparound cover, and all...

Thu, 05 Jan 2012 12:28:59 UTC

Newly Released Papers from NSA Journals

Posted By Bruce Schneier

The papers are old, but they have just been released under FOIA....

Wed, 04 Jan 2012 14:37:07 UTC

Sending Coded Messages with Postage Stamps

Posted By Bruce Schneier

The history of coded messages in postage-stamp placement. I wonder how prevalent this actually was. My guess is that it was more a clever idea than an actual signaling system. And I notice that a lot of the code systems don't have a placement that indicates "no message; this is just a stamp."...

Mon, 02 Jan 2012 18:33:56 UTC

Allocating Security Resources to Protect Critical Infrastructure

Posted By Bruce Schneier

Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56-65 (full article behind paywall). Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR...

Mon, 02 Jan 2012 12:15:26 UTC

Applying Game Theory to Cyberattacks and Defenses

Posted By Bruce Schneier

Behzad Zare Moayedi, Mohammad Abdollahi Azgomi, "A Game Theoretic Framework for Evaluation of the Impacts of Hackers' Diversity on Security Measures," Reliability Engineering & System Safety, 99 (2012): 45-54 (full article behind paywall). Abstract: Game theoretical methods offer new insights into quantitative evaluation of dependability and security. Currently, there is a wide range of useful game theoretic approaches to model...

Fri, 30 Dec 2011 12:11:13 UTC

Studying Airport Security

Posted By Bruce Schneier

Alan A. Kirschenbaum, Michele Mariani, Coen Van Gulijk, Sharon Lubasz, Carmit Rapaport, and Hinke Andriessen, "Airport Security: An Ethnographic Study," Journal of Air Transport Management, 18 (January 2012): 68-73 (full article is behind a paywall). Abstract: This paper employs a behavioral science perspective of airport security to examine security related decision behaviors using exploratory ethnographic observations. Sampling employees from a...

Thu, 29 Dec 2011 19:58:17 UTC

Tying Up Phone Lines as a Cyberattack Tactic

Posted By Bruce Schneier

There's a service that can be hired to tie up target phone lines indefinitely. The article talks about how this can be used as a diversionary tactic to mask a cyberattack, but that seems a bit odd to me. I'd be more concerned about how this sort of thing could be used to disrupt the operations of a political candidate...

Thu, 29 Dec 2011 15:47:40 UTC

Hacking Marconi's Wireless in 1903

Posted By Bruce Schneier

A great story: Yet before the demonstration could begin, the apparatus in the lecture theatre began to tap out a message. At first, it spelled out just one word repeated over and over. Then it changed into a facetious poem accusing Marconi of "diddling the public". Their demonstration had been hacked -- and this was more than 100 years before...

Wed, 28 Dec 2011 17:40:33 UTC

Butt Identification

Posted By Bruce Schneier

Here's a new biometric: how you sit: ...researchers there developed a system that can recognize a person by the backside when the person takes a seat. The system performs a precise measurement of the person's posterior, its contours and the way the person applies pressure on the seat. The developers say that in lab tests, the system was able to...

Tue, 27 Dec 2011 12:22:54 UTC

The Collar Bomb Robbery

Posted By Bruce Schneier

Really interesting story of the collar-bomb robbery -- and subsequent investigation -- from 2003....

Mon, 26 Dec 2011 14:39:56 UTC

Hacking Subway's POS System

Posted By Bruce Schneier

The story of how Subway's point-of-sale system was hacked for $3M....

Sun, 25 Dec 2011 16:28:21 UTC

Merry Christmas from the TSA

Posted By Bruce Schneier

Cupcakes deemed security threat: Rebecca Hains says she was going through security at the airport in Las Vegas when a TSA agent pulled her aside and said the cupcake frosting was "gel-like" enough to constitute a security risk. The TSA has officially jumped the shark....

Sat, 24 Dec 2011 00:10:39 UTC

Friday Squid Blogging: Goldman Sachs and the Vampire Squid Metaphor

Posted By Bruce Schneier

It's a metaphor that will not die. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 Dec 2011 20:50:39 UTC

Santa Hacked

Posted By Bruce Schneier

Mildly amusing video....

Fri, 23 Dec 2011 17:03:00 UTC

Me on Airport Security

Posted By Bruce Schneier

Charles Mann made me the central focus of his article on airport security for Vanity Fair. (Mann also wrote about me in 2002 for The Atlantic.) The article was supposed to have been in the tenth-anniversary-of-9/11 issue, but got delayed....

Fri, 23 Dec 2011 13:51:45 UTC

Human Ear Biometric

Posted By Bruce Schneier

I have no idea how good this biometric actually is....

Thu, 22 Dec 2011 12:09:44 UTC

Giveaway: Liars and Outliers Galleys

Posted By Bruce Schneier

My box of galley copies arrived in the mail yesterday. They're filled with uncorrected typos, but otherwise look great. Wiley printed about 500 of them, and they're mostly going to journalists and book reviewers, with some going to different wholesale and retail outlets. I have 20 copies to give away to readers of my blog and Crypto-Gram. Earlier this month,...

Wed, 21 Dec 2011 11:55:34 UTC

Chinese Hacking of iBahn Internet Services

Posted By Bruce Schneier

Citing unexplained "intelligence data," an unnamed "senior intelligence official," and an anonymous "privacy security official," Bloomberg News claims that iBahn -- the company that runs Internet services for a bunch of hotel chains -- has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China...

Tue, 20 Dec 2011 12:24:12 UTC

Multiple Protocol Attacks

Posted By Bruce Schneier

In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here's an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number. I have...

Mon, 19 Dec 2011 19:38:57 UTC

How to Open a Padlock with a Coke Can

Posted By Bruce Schneier

A nice tutorial on making and using shims to open padlocks....

Mon, 19 Dec 2011 12:48:40 UTC

Plasmonics Anti-Counterfeiting Technology

Posted By Bruce Schneier

This could be interesting: NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display--which are typically 100-200 nanometers in diameter--in a way that creates what are called "surface plasmons." In the words of the company, this means light "[collects] on...

Fri, 16 Dec 2011 22:24:15 UTC

Friday Squid Blogging: Squid Season

Posted By Bruce Schneier

It's squid season off the coast of Southern California. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Dec 2011 20:52:10 UTC

Me Speaking on Cryptography in 1997

Posted By Bruce Schneier

In 1997, I spoke at the Beyond HOPE Conference in New York. (HOPE stood for "Hackers Over Planet Earth.") A video of that talk is available online....

Fri, 16 Dec 2011 19:28:39 UTC

Cameo in a Rock Video

Posted By Bruce Schneier

At the 1:46 mark, you'll see my first cameo appearance in a transvestite-themed rock video....

Fri, 16 Dec 2011 18:01:45 UTC

More on the Captured U.S. Drone

Posted By Bruce Schneier

There's a report that Iran hacked the drone's GPS systems: "The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its...

Fri, 16 Dec 2011 17:21:18 UTC

Snow Cone Machines for Homeland Security

Posted By Bruce Schneier

When you give out money based on politics, without any accounting, this is what you get: The West Michigan Shoreline Regional Development Commission (WMSRDC) is a federal- and state-designated agency responsible for managing and administrating the homeland security program in Montcalm County and 12 other counties. The WMSRDC recently purchased and transferred homeland security equipment to these counties -- including...

Fri, 16 Dec 2011 13:04:32 UTC

The EFF's Sovereign Key Proposal

Posted By Bruce Schneier

Proposal here....

Fri, 16 Dec 2011 05:00:00 UTC

Liars and Outliers Galleys

Posted By Bruce Schneier

My publisher is printing galley copies of Liars and Outliers. If anyone out there has a legitimate reason to get one, like writing book reviews for a newspaper, magazine, popular blog, etc., send me an e-mail and I'll forward your request to Wiley's PR department. I think they'll be ready in a week or so, although it might be after...

Thu, 15 Dec 2011 18:50:39 UTC

Investigative Report on "Buckshot Yankee"

Posted By Bruce Schneier

This is a really good analysis about the Buckshot Yankee attack against the classified military computer network in 2008. It contains a bunch of details I had not previously known....

Wed, 14 Dec 2011 19:22:03 UTC

Feeling vs. Reality of Security in Sparrows

Posted By Bruce Schneier

Sparrows have fewer surviving offspring if they feel insecure, regardless of whether they actually are insecure. Liana Y. Zanette, Aija F. White, Marek C. Allen, and Michael Clinchy, "Perceived Predation Risk Reduces the Number of Offspring Songbirds Produce per Year," Science, 9 Dec 2011: Abstract: Predator effects on prey demography have traditionally been ascribed solely to direct killing in studies...

Wed, 14 Dec 2011 12:17:39 UTC

Yet More Fear-Mongering from the DHS

Posted By Bruce Schneier

Al Qaeda is sewing bombs into people. Actually, not really. This is an "aspirational" terrorist threat, which basically means that someone mentioned it while drunk in a bar somewhere. Of course, that won't stop the DHS from trying to terrorize people with the idea and the security-industrial complex from selling us an expensive "solution" to reduce our fears. Wired: "So:...

Tue, 13 Dec 2011 18:46:26 UTC

Assessing Terrorist Threats to Commercial Aviation

Posted By Bruce Schneier

This article on airplane security says many of the same things I've been saying for years: Given the breadth and complexity of threats to commercial aviation, those who criticize the TSA and other aviation security regulatory agencies for reactive policies and overly narrow focus appear to have substantial grounding. Three particularly serious charges can be levied against the TSA: it...

Tue, 13 Dec 2011 12:30:41 UTC

Iranians Capture U.S. Drone

Posted By Bruce Schneier

Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn't shot down and it didn't crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple "malfunction," but that doesn't make a...

Mon, 12 Dec 2011 18:08:49 UTC

Dumbest Camera Ban Ever

Posted By Bruce Schneier

In London: While photography bans are pretty common, the station has decided to only ban DSLRs due to "their combination of high quality sensor and high resolution". Other cameras are allowed in, as long as they don't look "big" enough to shoot amazing photos. The iPhone 4S camera is pretty amazing....

Mon, 12 Dec 2011 12:09:29 UTC

First-Person Account of a TSA Airport Screener

Posted By Bruce Schneier

This is a few years old, but I seem not to have blogged it before....

Fri, 09 Dec 2011 22:30:43 UTC

Friday Squid Blogging: Humboldt Squid Mystery Solved

Posted By Bruce Schneier

Humboldt Squid off the coast of Mexico are spawning younger and smaller than usual. El Niño is to blame. The mystery was solved by a class of biology students. (A blog of the expedition.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 09 Dec 2011 18:30:57 UTC

Robbing a Bank as Part of a Penetration Test

Posted By Bruce Schneier

A funny story....

Thu, 08 Dec 2011 19:40:52 UTC

Lockable USB Hard Drive

Posted By Bruce Schneier

Just in time for Christmas, a USB drive housed in a physical combination lock....

Thu, 08 Dec 2011 12:12:35 UTC

DARPA Unshredding Contest

Posted By Bruce Schneier

DARPA held an unshredding contest, and there's a winner: "Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame," said Dan Kaufman, director, DARPA Information Innovation Office. "The most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work. We are impressed...

Wed, 07 Dec 2011 18:49:49 UTC

Skype Security Flaw

Posted By Bruce Schneier

Just announced: The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without...

Wed, 07 Dec 2011 12:13:38 UTC

Tagging People with Invisible Ink

Posted By Bruce Schneier

In Montreal, police marked protesters with invisible ink to be able to identify them later. The next step is going to be a spray that marks people surreptitiously, maybe with SmartWater....

Tue, 06 Dec 2011 19:50:58 UTC

Security Problems with U.S. Cloud Providers

Posted By Bruce Schneier

Invasive U.S. surveillance programs, either illegal like the NSA's wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems. I think these are legitimate concerns. I don't trust the U.S. government, law or no law, not to spy on my data if...

Tue, 06 Dec 2011 13:31:10 UTC

Recent Developments in Full Disclosure

Posted By Bruce Schneier

Last week, I had a long conversation with Robert Lemos over an article he was writing about full disclosure. He had noticed that companies have recently been reacting more negatively to security researchers publishing vulnerabilities about their products. The debate over full disclosure is as old as computing, and I've written about it before. Disclosing security vulnerabilities is good for...

Mon, 05 Dec 2011 18:21:10 UTC

GCHQ Hacking Contest

Posted By Bruce Schneier

GCHQ is holding a hacking contest to drum up new recruits....

Mon, 05 Dec 2011 12:05:54 UTC

Carrier IQ Spyware

Posted By Bruce Schneier

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to...

Fri, 02 Dec 2011 22:34:16 UTC

Friday Squid Blogging: Squid-Inspired Robot

Posted By Bruce Schneier

It crawls on land....

Fri, 02 Dec 2011 19:57:36 UTC

I Received an Honorary Doctorate

Posted By Bruce Schneier

Last weekend, I received an honorary PhD from the University of Westminster, in London. I have had mixed feelings about this since I was asked early this year. The best piece of advice I've read is: "It's a great honor, but it is an honor, not a degree."...

Fri, 02 Dec 2011 19:17:18 UTC

Hacking Printers and Setting Them on Fire

Posted By Bruce Schneier

It's the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we'll learn more about what's actually possible in the coming weeks. HP has issued a rebuttal....

Fri, 02 Dec 2011 11:30:51 UTC

Walls as Security Theater

Posted By Bruce Schneier

Interesting essay on walls and their effects: Walls, then, are built not for security, but for a sense of security. The distinction is important, as those who commission them know very well. What a wall satisfies is not so much a material need as a mental one. Walls protect people not from barbarians, but from anxieties and fears, which can...

Thu, 01 Dec 2011 19:44:18 UTC

Full-Disk Encryption Works

Posted By Bruce Schneier

According to researchers, full-disk encryption is hampering police forensics. The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study, doing so only causes...

Thu, 01 Dec 2011 12:25:00 UTC

Status Report: Liars and Outliers

Posted By Bruce Schneier

After a long and hard year, Liars and Outliers is done. I submitted the manuscript to the publisher on Oct 1, got edits back from both an outside editor and a copyeditor about a week later, spent another week integrating the comments and edits, and submitted the final manuscript to the publisher just before Thanksgiving. Now it's being laid out,...

Wed, 30 Nov 2011 18:28:50 UTC

Full Disclosure in Biology

Posted By Bruce Schneier

The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology: The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe...

Wed, 30 Nov 2011 12:57:18 UTC

Bad CIA Operational Security

Posted By Bruce Schneier

I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied: But others inside the American intelligence community say sloppy "tradecraft" -- the method of covert operations -- by the CIA is also to blame for the disruption of the vital spy networks. In Beirut, two Hezbollah...

Tue, 29 Nov 2011 20:13:48 UTC

Security Systems as a Marker for High-Value Targets

Posted By Bruce Schneier

If something is protected by heavy security, it's obviously worth stealing. Here's an example from the insect world: Maize plants, like many others, protect themselves with poisons. They pump their roots with highly toxic insecticides called BXDs, which deters hungry mandibles. But these toxins don't come free. The plant needs energy to act as its own pharmacist, so it distributes...

Tue, 29 Nov 2011 13:01:18 UTC

Shopper Surveillance Using Cell Phones

Posted By Bruce Schneier

Electronic surveillance is becoming so easy that even marketers can do it: The cellphone tracking technology, called Footpath, is made by Path Intelligence Ltd., a Portsmouth, U.K.-based company. It uses sensors placed throughout the mall to detect signals from mobile phones and track their path around the mall. The sensors cannot gather phone numbers or other identifying data, or intercept...

Mon, 28 Nov 2011 18:55:27 UTC

Spider Webs Contain Ant Poison

Posted By Bruce Schneier

Shichang Zhang, Teck Hui Koh, Wee Khee Seah, Yee Hing Lai, Mark A. Elgar, and Daiqin Li (2011), "A Novel Property of Spider Silk: Chemical Defence Against Ants," Proceedings of the Royal Society B: Biological Sciences (full text is behind a paywall). Abstract: Spider webs are made of silk, the properties of which ensure remarkable efficiency at capturing prey. However,...

Mon, 28 Nov 2011 13:26:46 UTC

The DHS Partners with Major League Soccer to Promote Fear

Posted By Bruce Schneier

It seems to be harder and harder to keep people scared: The Department's "If You See Something, Say Something" partnership with the MLS Cup will feature a "If You See Something, Say Something" graphic that will be aired on the video board during the MLS Cup championship game in Carson City, Calif. Safety messaging will also be printed on the back...

Fri, 25 Nov 2011 22:27:50 UTC

Friday Squid Blogging: Cephalopod Art Conference

Posted By Bruce Schneier

There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Nov 2011 12:06:09 UTC

Android Malware

Posted By Bruce Schneier

The Android platform is where the malware action is: What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications. [...] In...

Tue, 22 Nov 2011 11:59:00 UTC

Free Cryptography Class

Posted By Bruce Schneier

Dan Boneh of Stanford University is teaching a free cryptography class starting in January....

Mon, 21 Nov 2011 12:57:25 UTC

Hack Against SCADA System

Posted By Bruce Schneier

A hack against a SCADA system controlling a water pump in Illinois destroyed the pump. We know absolutely nothing here about the attack or the attacker's motivations. Was it on purpose? An accident? A fluke?...

Fri, 18 Nov 2011 22:41:39 UTC

Friday Squid Blogging: Squid Camouflage

Posted By Bruce Schneier

Some squid can switch their camouflage instantly. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 18 Nov 2011 11:50:48 UTC

A Link between Altruism and Fairness

Posted By Bruce Schneier

I write a lot about altruism, fairness, and cooperation in my new book (out in February!), and this sort of thing interests me a lot: In a new study, researchers had 15-month old babies watch movies of a person distributing crackers or milk to two others, either evenly or unevenly. Babies look at things longer when they're surprised, so measuring...

Thu, 17 Nov 2011 19:13:47 UTC

EU Bans X-Ray Body Scanners

Posted By Bruce Schneier

The European Union has banned X-ray full body scanners at airports. Millimeter wave scanners are allowed as long as they conform to privacy guidelines. Under the new EU legislation the use of security scanners is only allowed in accordance with minimum conditions such as for example that: security scanners shall not store, retain, copy, print or retrieve images; any unauthorised...

Thu, 17 Nov 2011 12:37:40 UTC

Detecting Psychopaths by their Speech Patterns

Posted By Bruce Schneier

Interesting: The researchers interviewed 52 convicted murderers, 14 of them ranked as psychopaths according to the Psychopathy Checklist-Revised, a 20-item assessment, and asked them to describe their crimes in detail. Using computer programs to analyze what the men said, the researchers found that those with psychopathic scores showed a lack of emotion, spoke in terms of cause-and-effect when describing their...

Wed, 16 Nov 2011 22:45:16 UTC

Paul Kocher

Posted By Bruce Schneier

Really nice article on cryptographer Paul Kocher and his company, Cryptography Research, Inc....

Wed, 16 Nov 2011 15:17:37 UTC

Sam Harris on Self-Defense

Posted By Bruce Schneier

I thought this was very interesting. His three principles are: Avoid dangerous people and dangerous places. Do not defend your property. Respond immediately and escape....

Tue, 15 Nov 2011 11:26:20 UTC

Identity Theft Call Center

Posted By Bruce Schneier

There's a group who charges to make social engineering calls to obtain missing personal information for identity theft. This doesn't surprise me at all. Fraud is a business, too....

Mon, 14 Nov 2011 20:02:34 UTC

More SSL Woes

Posted By Bruce Schneier

From Mikko Hypponen: "We found a malware sample. Which was signed. With a valid certificate. Belonging to the Government of Malaysia."...

Mon, 14 Nov 2011 13:14:49 UTC

Remotely Opening Prison Doors

Posted By Bruce Schneier

This seems like a bad vulnerability: Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. [...] The researchers began their work after Strauchs was called in by a...

Fri, 11 Nov 2011 11:52:50 UTC

Commentary on Strong Passwords

Posted By Bruce Schneier

It turns out that "2bon2btitq" is not a strong password....

Wed, 09 Nov 2011 19:51:51 UTC

Advanced Persistent Threat (APT)

Posted By Bruce Schneier

It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker. A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security...

Wed, 09 Nov 2011 09:39:47 UTC

Unlocking any iPad2 using a Smart Cover

Posted By Bruce Schneier

This security bug is just plain weird....

Mon, 07 Nov 2011 18:43:18 UTC

Cutting Wallets Out of Drunks' Pockets on New York City Subways

Posted By Bruce Schneier

It's a crime with finesse: But he is actually a middle-aged or older man who has been doing this for a very long time. And he is a fading breed. "It's like a lost art," the lieutenant said. "It's all old-school guys who cut the pocket. They die off." And they do not seem to be replacing themselves, he said....

Mon, 07 Nov 2011 12:26:43 UTC

Fake Documents that Alarm if Opened

Posted By Bruce Schneier

This sort of thing seems like a decent approach, but it has a lot of practical problems: In the wake of Wikileaks, the Department of Defense has stepped up its game to stop leaked documents from making their way into the hands of undesirables -- be they enemy forces or concerned citizens. A new piece of software has created a...

Fri, 04 Nov 2011 21:47:13 UTC

Friday Squid Blogging: Star Trek IV, now with Squid

Posted By Bruce Schneier

Someone edited Star Trek IV, removing the whales and replacing them with giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Nov 2011 10:05:09 UTC

Weaponized UAV Drones in the Hands of Local Police

Posted By Bruce Schneier

Why does anyone think this is a good idea? The police in Montgomery County, an area north of Houston, Texas, is the first local police in the United States to deploy a drone that can carry weapons. [...] He said they are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a...

Thu, 03 Nov 2011 18:22:43 UTC

Journal Article on Cyberwar

Posted By Bruce Schneier

From the Journal of Strategic Studies: "Cyber War Will Not Take Place" (full article is behind a paywall): Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does...

Thu, 03 Nov 2011 12:03:54 UTC

Underage Children on Facebook

Posted By Bruce Schneier

Interesting research on how parents help their children lie about their age to get onto Facebook. One reaction to our data might be that companies should not be allowed to restrict access to children on their sites. Unfortunately, getting the parental permission required by COPPA is technologically difficult, financially costly, and ethically problematic. Sites that target children take on this...

Tue, 01 Nov 2011 18:41:55 UTC

DARPA Cyber Colloquium

Posted By Bruce Schneier

I note that the three "industry leaders" speaking at the DARPA Cyber Colloquium next week have about 75 years of government experience between them....

Tue, 01 Nov 2011 11:14:29 UTC

The Economist on Lying

Posted By Bruce Schneier

Two articles. And this is the cited work....

Mon, 31 Oct 2011 17:29:59 UTC

Cell Phone Surveillance System

Posted By Bruce Schneier

I was not surprised that police forces are buying this system, but at its capabilities. Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area. The surveillance system has...

Mon, 31 Oct 2011 13:18:01 UTC

Another ATM Theft Tactic

Posted By Bruce Schneier

This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint. It's hardly a technology-related attack. But from what I know about ATM machines, the security of the money safe inside the machine is...

Fri, 28 Oct 2011 21:25:00 UTC

Friday Squid Blogging: Video of Kid Eating Squid

Posted By Bruce Schneier

It's hard to tell if he likes it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Oct 2011 20:21:04 UTC

Full Extent of the Attack that Compromised RSA in March

Posted By Bruce Schneier

Brian Krebs has done the analysis; it's something like 760 companies that were compromised. Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwab & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS),...

Fri, 28 Oct 2011 15:21:20 UTC

XKCD Today

Posted By Bruce Schneier

It's a good one. Be sure to read the hover-over text....

Thu, 27 Oct 2011 17:01:38 UTC

Secret Codes in Bacteria

Posted By Bruce Schneier

Neat: Researchers have invented a new form of secret messaging using bacteria that make glowing proteins only under certain conditions. In addition to being useful to spies, the new technique could also allow companies to encode secret identifiers into crops, seeds, or other living commodities. [...] The new scheme replaces the fuse with seven colonies of Escherichia coli bacteria, each...

Thu, 27 Oct 2011 11:45:40 UTC

The Security of SSL

Posted By Bruce Schneier

EFF reports on the security of SSL: The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such...

Wed, 26 Oct 2011 11:02:29 UTC

Cracking the Copiale Cipher

Posted By Bruce Schneier

I don't follow historical cryptography, so all of this comes as a surprise to me. But something called the Copiale Cipher from the 18th Century has been cracked....

Wed, 26 Oct 2011 10:54:11 UTC

Demands from Law Enforcement for Google Data

Posted By Bruce Schneier

Google releases statistics: Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide - a tiny fraction of Google's more than billion users. [...] The highest volume of government demands for user data came from the...

Tue, 25 Oct 2011 17:58:21 UTC

Twofish Mentioned in Thriller Novel

Posted By Bruce Schneier

I've been told that the Twofish encryption algorithm is mentioned in the book Abuse of Power, in the first paragraph of Chapter 3. Did the terrorists use it? Did our hero break it? I am unlikely to read it; can someone scan the page for me....

Tue, 25 Oct 2011 10:31:41 UTC

NSA Acronyms

Posted By Bruce Schneier

The second document in this file is the recently unclassified "Guide to Historical Cryptologic Acronyms and Abbreviations, 1940-1980," from the NSA. Note that there are still some redactions....

Mon, 24 Oct 2011 18:39:01 UTC

Blue Coat Products Enable Web Censorship in Syria

Posted By Bruce Schneier

It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third-parties who are willing to act as middlemen: "Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries," [Blue Coat spokesman Steve] Schick told the Bureau. "In addition,...

Mon, 24 Oct 2011 11:42:36 UTC

Facebook Patent to Track Users Even When They are Not Logged In to Facebook

Posted By Bruce Schneier

Patent number 2,011,023,240: Communicating Information in a Social Network System about Activities from Another Domain Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile...

Fri, 21 Oct 2011 21:10:06 UTC

Friday Squid Blogging: Squid T-Shirt

Posted By Bruce Schneier

Pretty design....

Fri, 21 Oct 2011 11:23:31 UTC

Google Enables SSL by Default for Search

Posted By Bruce Schneier

This is a good thing....

Thu, 20 Oct 2011 11:25:43 UTC

Random Passwords in the Wild

Posted By Bruce Schneier

Interesting analysis: the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords, a rare opportunity to study this approach...

Wed, 19 Oct 2011 16:05:34 UTC

New Malware: Duqu

Posted By Bruce Schneier

A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original....

Tue, 18 Oct 2011 11:34:53 UTC

Discovering What Facebook Knows About You

Posted By Bruce Schneier

Things are getting interesting in Europe: Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a...

Mon, 17 Oct 2011 11:12:32 UTC

Criminal Uses of Crowdsourcing

Posted By Bruce Schneier

Interesting article....

Fri, 14 Oct 2011 21:07:24 UTC

Friday Squid Blogging: Prehistoric Sentient Squid, Or Not

Posted By Bruce Schneier

There's big news in the world of giant squid: Researchers initially thought that this strange grouping of 45-foot-long marine reptiles had either died en masse from a poisonous plankton bloom or had become stranded in shallow water. But recent geological analysis of the fossil site indicates that the park was deep underwater when these shonisaurs swam the prehistoric seas. So...

Fri, 14 Oct 2011 17:34:10 UTC

Burglars Tip Off Police About Bigger Crime

Posted By Bruce Schneier

I find this fascinating: A central California man has been arrested for possession of child pornography, thanks to a tip from burglars who robbed the man's property, authorities said. I am reminded of the UK story of a burglar finding some military secrets on a laptop -- or perhaps a USB drive -- that he stole, and returning them with...

Fri, 14 Oct 2011 11:38:20 UTC

Weird World War II Security Puzzle

Posted By Bruce Schneier

Read this. Anyone have any ideas?...

Thu, 13 Oct 2011 11:03:47 UTC

Official Malware from the German Police

Posted By Bruce Schneier

The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends it to the police. It encrypts data in AES Electronic Codebook mode with -- are you ready? -- a fixed key across all versions. There's no authentication built...

Wed, 12 Oct 2011 11:57:43 UTC

New Attacks on CAPTCHAs

Posted By Bruce Schneier

Nice research: Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we...

Mon, 10 Oct 2011 11:38:22 UTC

U.S. Drones Have a Computer Virus

Posted By Bruce Schneier

You'd think we would be more careful than this: A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones. [...] "We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told...

Fri, 07 Oct 2011 21:51:11 UTC

Friday Squid Blogging: Hundreds of Squid Wash Up on Southern California Beaches

Posted By Bruce Schneier

Humboldt squid are washing up on beaches across Southern California. Seems like it's no big deal; the squid just swam too close to shore....

Fri, 07 Oct 2011 18:11:05 UTC

Security Seals on Voting Machines

Posted By Bruce Schneier

Related to this blog post from Wednesday, here's a paper that looks at security seals on voting machines. Andrew W. Appel, "Security Seals on Voting Machines: A Case Study," ACM Transactions on Information and System Security, 14 (2011): 1–29. Abstract: Tamper-evident seals are used by many states' election officials on voting machines and ballot boxes, either to protect the computer...

Fri, 07 Oct 2011 11:26:38 UTC

Dilbert on Security Standards

Posted By Bruce Schneier

So true (the predecessor)....

Fri, 07 Oct 2011 11:01:56 UTC

FBI-Sponsored Backdoors

Posted By Bruce Schneier

From a review of Susan Landau's Surveillance or Security?: To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller's wish were granted, the FBI would gain undetected real-time access to suspects' Skype calls, Facebook chats, and other online communications, and...

Thu, 06 Oct 2011 00:38:25 UTC

Status Report: Liars and Outliers

Posted By Bruce Schneier

Last weekend, I completely reframed the book. I realized that the book isn't about security. It's about trust. I'm writing about how society induces people to behave in the group interest instead of some competing personal interest. It's obvious that society needs to do this; otherwise, it can never solve collective action problems. And as a social species, we have...

Wed, 05 Oct 2011 11:58:17 UTC

Insider Attack Against Diebold Voting Machines

Posted By Bruce Schneier

This is both news and not news: Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine. It's not news because we already know that if you have access to the internals of a voting machine,...

Tue, 04 Oct 2011 18:29:09 UTC

Security Cartoon

Posted By Bruce Schneier

Nice cartoon on the problems of content filtering....

Tue, 04 Oct 2011 11:31:01 UTC

National Cybersecurity Awareness Month

Posted By Bruce Schneier

October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in comments....

Mon, 03 Oct 2011 18:20:09 UTC

Isaac Asimov on Security Theater

Posted By Bruce Schneier

A great find: In his 1956 short story, "Let's Get Together," Isaac Asimov describes security measures proposed to counter a terrorist threat: "Consider further that this news will leak out as more and more people become involved in our countermeasures and more and more people begin to guess what we're doing. Then what? The panic might do us more harm...

Mon, 03 Oct 2011 11:35:25 UTC

HTC Android Vulnerability

Posted By Bruce Schneier

Custom HTC firmware breaks standard permissions and allows rogue apps to access location, address book, and account info without authorization....

Fri, 30 Sep 2011 21:42:44 UTC

Friday Squid Blogging: Interesting Squid Recipes

Posted By Bruce Schneier

Plus a slide show of pretty dishes....

Thu, 29 Sep 2011 12:07:03 UTC

Insecure Chrome Extensions

Posted By Bruce Schneier

An analysis of extensions to the Chrome browser shows that 25% of them are insecure: We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web...

Wed, 28 Sep 2011 11:03:31 UTC

Making Fake ATMs Using 3D Printers

Posted By Bruce Schneier

One group stole $400K....

Tue, 27 Sep 2011 12:12:39 UTC

Problems with Mac OS X Lion Passwords

Posted By Bruce Schneier

Seems like some dumb mistakes. News article....

Mon, 26 Sep 2011 11:41:23 UTC

Tor Arms Race

Posted By Bruce Schneier

Iran blocks Tor, and Tor releases a workaround on the same day. How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the...

Fri, 23 Sep 2011 21:28:35 UTC

Friday Squid Blogging: Sex Life of Deep-Sea Squid

Posted By Bruce Schneier

There's evidence of indiscriminate fertilization in deep-sea squid. They mate with any other squid they encounter, male or female. This unusual behaviour, they said, may be explained by the fact the squid is boosting its chances of successfully passing on its genes in the challenging environment it lives in. In the Royal Society paper the team writes: "In the deep,...

Fri, 23 Sep 2011 18:37:26 UTC

Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

Posted By Bruce Schneier

It's the Browser Exploit Against SSL/TLS Tool, or BEAST: The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through...

Fri, 23 Sep 2011 11:53:36 UTC

Three Emerging Cyber Threats

Posted By Bruce Schneier

On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: The Rise of Big Data. By this I mean industries that trade on our data. These include traditional...

Fri, 23 Sep 2011 10:22:43 UTC

An Interesting Software Liability Proposal

Posted By Bruce Schneier

This proposal is worth thinking about. Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund. This clause addresses how to avoid liability: license your users to inspect and chop off any and all bits of your...

Thu, 22 Sep 2011 12:09:42 UTC

U.S.-Australia Cyberwar Treaty

Posted By Bruce Schneier

The long-standing ANZUS military treaty now includes cyberspace attacks: According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both. Exactly what this means in practice is less clear: practically every government with a connection to...

Wed, 21 Sep 2011 11:58:19 UTC

Shifting Risk Instead of Reducing Risk

Posted By Bruce Schneier

Risks of teen driving: For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash data...

Tue, 20 Sep 2011 11:36:38 UTC

Complex Electronic Banking Fraud in Malaysia

Posted By Bruce Schneier

The interesting thing about this attack is how it abuses a variety of different security systems. Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the...

Mon, 19 Sep 2011 18:35:15 UTC

Pretty Creepy Type of Cyberstalking

Posted By Bruce Schneier

Luis "Guicho" Mijangos, "sextortionist."...

Mon, 19 Sep 2011 11:35:57 UTC

The Effectiveness of Plagiarism Detection Software

Posted By Bruce Schneier

As you'd expect, it's not very good: But this measure [Turnitin] captures only the most flagrant form of plagiarism, where passages are copied from one document and pasted unchanged into another. Just as shoplifters slip the goods they steal under coats or into pocketbooks, most plagiarists tinker with the passages they copy before claiming them as their own. In other...

Fri, 16 Sep 2011 21:52:39 UTC

Friday Squid Blogging: Squid Street Art

Posted By Bruce Schneier

Nice....

Fri, 16 Sep 2011 17:31:09 UTC

Identifying Speakers in Encrypted Voice Communication

Posted By Bruce Schneier

I've already written how it is possible to detect words and phrases in encrypted VoIP calls. Turns out it's possible to detect speakers as well: Abstract: Most of the voice over IP (VoIP) traffic is encrypted prior to its transmission over the Internet. This makes the identity tracing of perpetrators during forensic investigations a challenging task since conventional speaker recognition...

Fri, 16 Sep 2011 10:22:54 UTC

Domain-in-the-Middle Attacks

Posted By Bruce Schneier

It's an easy attack. Register a domain that's like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened. These are called "doppelganger domains." To test the...

Thu, 15 Sep 2011 17:45:30 UTC

Sharing Security Information and the Prisoner's Dilemma

Posted By Bruce Schneier

New paper: Dengpan Liu, Yonghua Ji, and Vijay Mookerjee (2011), "Knowledge Sharing and Investment Decisions in Information Security," Decision Support Systems, in press. Abstract: We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary...

Thu, 15 Sep 2011 11:52:01 UTC

A Status Report: "Liars and Outliers"

Posted By Bruce Schneier

It's been a long hard year, but the book is almost finished. It's certainly the most difficult book I've ever written, mostly because I've had to learn academic fields I don't have a lot of experience in. But the book is finally coming together as a coherent whole, and I am optimistic that the results will prove to be worth...

Wed, 14 Sep 2011 19:02:38 UTC

Risk Tolerance and Culture

Posted By Bruce Schneier

This is an interesting study on cultural differences in risk tolerance. The Cultures of Risk Tolerance Abstract: This study explores the links between culture and risk tolerance, based on surveys conducted in 23 countries. Altogether, more than 4,000 individuals participated in the surveys. Risk tolerance is associated with culture. Risk tolerance is relatively low in countries where uncertainty avoidance is...

Wed, 14 Sep 2011 11:55:14 UTC

TSA Administrator John Pistole on the Future of Airport Security

Posted By Bruce Schneier

There's a lot here that's worth watching. He talks about expanding behavioral detection. He talks about less screening for "trusted travelers." So, what do the next 10 years hold for transportation security? I believe it begins with TSA's continued movement toward developing and implementing a more risk-based security system, a phrase you may have heard the last few months. When...

Tue, 13 Sep 2011 18:46:52 UTC

Human Pattern-Matching Failures in Airport Screening

Posted By Bruce Schneier

I've written about this before: the human brain just isn't suited to finding rare anomalies in a screening situation. The Role of the Human Operator in Image-Based Airport Security Technologies Abstract: Heightened international concerns relating to security and identity management have led to an increased interest in security applications, such as face recognition and baggage and passenger screening at airports....

Tue, 13 Sep 2011 11:38:57 UTC

Risk Perception and Terrorism

Posted By Bruce Schneier

I've been posting about a lot of academic articles of late, because that's what I'm reading. Here's another. Clinton M. Jenkin (2006), Risk Perception and Terrorism, Homeland Security Affairs....

Mon, 12 Sep 2011 18:27:27 UTC

More 9/11 Retrospectives

Posted By Bruce Schneier

Joseph Stiglitz on the price of 9/11. How 9/11 changed surveillance. New scientific research as a result of 9/11. A good controversial piece. The day we lost our privacy and power. The probability of another 9/11-magnitude terrorist attack. To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to...

Mon, 12 Sep 2011 14:20:07 UTC

ACLU Report on the War on Terror

Posted By Bruce Schneier

This report is really good: "A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11."...

Fri, 09 Sep 2011 21:30:51 UTC

Friday Squid Blogging: Beautiful Squid Drawings

Posted By Bruce Schneier

From Italy. As before, use the comments to this post to write about and discuss security stories that don't have their own post....

Thu, 08 Sep 2011 11:14:58 UTC

New Lows in Secret Questions

Posted By Bruce Schneier

I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or...

Wed, 07 Sep 2011 19:32:16 UTC

The Legality of Government Critical Infrastructure Monitoring

Posted By Bruce Schneier

Mason Rice, Robert Miller, and Sujeet Shenoi (2011), "May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?" International Journal of Critical Infrastructure Protection, 4 (April 2011): 3–13. Abstract: The government owns the entire US airspace; it can install radar systems, enforce no-fly zones and interdict hostile aircraft. Since the critical infrastructure and the associated cyberspace are...

Wed, 07 Sep 2011 11:17:11 UTC

Outing a CIA Agent

Posted By Bruce Schneier

Interesting article on how difficult it is to keep an identity secret in the information age....

Tue, 06 Sep 2011 20:29:48 UTC

Optimizing Airport Security

Posted By Bruce Schneier

New research: Adrian J. Lee and Sheldon H. Jacobson (2011), "The Impact of Aviation Checkpoint Queues on Optimizing Security Screening Effectiveness," Reliability Engineering & System Safety, 96 (August): 900–911. Abstract: Passenger screening at aviation security checkpoints is a critical component in protecting airports and aircraft from terrorist threats. Recent developments in screening device technology have increased the ability to detect...

Tue, 06 Sep 2011 12:03:13 UTC

Where Are All the Terrorists?

Posted By Bruce Schneier

From Foreign Policy: "Why Is It So Hard to Find a Suicide Bomber These Days?" And from Stratfor: "Why al Qaeda is Unlikely to Execute Another 9/11." Me from May 2010: "Where Are All the Terrorist Attacks?"...

Fri, 02 Sep 2011 21:44:58 UTC

Friday Squid Blogging: SQUIDS Game

Posted By Bruce Schneier

It's coming to the iPhone and iPad, then to other platforms: In SQUIDS, players will command a small army of stretchy, springy sea creatures to protect an idyllic underwater kingdom from a sinister emerging threat. An infectious black ooze is spreading through the lush seascape, turning ordinary crustaceans into menacing monsters. Now a plucky team of Squids, each with unique personalities,...

Fri, 02 Sep 2011 18:34:36 UTC

The Efficacy of Post-9/11 Counterterrorism

Posted By Bruce Schneier

This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless -- that's not new -- but that the security establishment knows it doesn't work and abandoned many of the draconian security measures years ago, long before Obama became president. All that's left of the war on terror is political, as lawmakers fund unwanted projects in...

Fri, 02 Sep 2011 11:38:35 UTC

A Professional ATM Theft

Posted By Bruce Schneier

Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year: KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform's "open-loop" prepaid debit cards. The balances on these prepaid cards aren't stored on the cards themselves;...

Thu, 01 Sep 2011 17:56:05 UTC

Unredacted U.S. Diplomatic WikiLeaks Cables Published

Posted By Bruce Schneier

It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. Near as I can tell, this is what happened: In order to send the Guardian the cables, WikiLeaks encrypted them and put them...

Thu, 01 Sep 2011 10:46:48 UTC

Forged Google Certificate

Posted By Bruce Schneier

There's been a forged Google certificate out in the wild for the past month and a half. Whoever has it -- evidence points to the Iranian government -- can, if they're in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn't Google's mistake; the certificate was issued by a Dutch CA that has nothing...

Wed, 31 Aug 2011 17:30:52 UTC

Job Opening: TSA Public Affairs Specialist

Posted By Bruce Schneier

This job can't be fun: This Public Affairs Specialist position is located in the Office of Strategic Communications and Public Affairs (SCPA), Transportation Security Administration (TSA), Department of Homeland Security (DHS). If selected for this position, you will serve as the Press Secretary and senior representative/liaison working with Federal and stakeholder partners. You will utilize your expert knowledge and mastery...

Wed, 31 Aug 2011 11:21:26 UTC

The Effects of Social Media on Undercover Policing

Posted By Bruce Schneier

Social networking sites make it very difficult, if not impossible, to have undercover police officers: "The results found that 90 per cent of female officers were using social media compared with 81 per cent of males." The most popular site was Facebook, followed by Twitter. Forty seven per cent of those surveyed used social networking sites daily while another 24...

Tue, 30 Aug 2011 17:24:09 UTC

Facebook Privacy Guide

Posted By Bruce Schneier

It's actually pretty good. Also note that the site is redesigning its privacy. As we learned from Microsoft, nothing motivates a company to improve its security like competition....

Tue, 30 Aug 2011 11:25:41 UTC

Details of the RSA Hack

Posted By Bruce Schneier

We finally have some, even though the company isn't talking: So just how well crafted was the e-mail that got RSA hacked? Not very, judging by what F-Secure found. The attackers spoofed the e-mail to make it appear to come from a "web master" at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of...

Mon, 29 Aug 2011 11:20:29 UTC

Screenshots of Chinese Hacking Tool

Posted By Bruce Schneier

It's hard to know how serious this really is: The screenshots appear as B-roll footage in the documentary for six seconds -- between 11:04 and 11:10 minutes -- showing custom built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. As of Aug....

Fri, 26 Aug 2011 20:40:30 UTC

Friday Squid Blogging: Squid Fishing in Ulleungdo, Korea

Posted By Bruce Schneier

The industry is in decline: A generation ago, most of the island's 10,000 residents worked in the squid industry, either as sellers like Kim or as farmer-fishermen who toiled in the fields each winter and went to sea during summer. Ulleungdo developed a reputation for large, tasty squid that were once exported to the mainland and Japan. The volcanic island,...

Fri, 26 Aug 2011 20:07:47 UTC

Preventing the Theft of Wire Cutters

Posted By Bruce Schneier

This is a picture of a pair of wire cutters secured to a table with a wire. Someone isn't thinking this through....

Fri, 26 Aug 2011 18:58:33 UTC

The Problem with Using the Cold War Metaphor to Describe Cyberspace Risks

Posted By Bruce Schneier

Nice essay on the problems with talking about cyberspace risks using "Cold War" metaphors: The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War...

Fri, 26 Aug 2011 11:26:15 UTC

Terrorism in the U.S. Since 9/11

Posted By Bruce Schneier

John Mueller and his students analyze the 33 cases of attempted terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement....

Thu, 25 Aug 2011 21:08:40 UTC

Funniest Joke at the Edinburgh Fringe Festival

Posted By Bruce Schneier

Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival: Nick Helm: "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." Note that two other jokes were about security: Tim Vine: "Crime in multi-storey car parks. That is wrong on so many different levels." Andrew Lawrence: "I admire these...

Thu, 25 Aug 2011 17:43:47 UTC

Moving 211 Tons of Gold

Posted By Bruce Schneier

The security problems associated with moving $12B in gold from London to Venezuela. It seems to me that Chávez has four main choices here. He can go the FT's route, and just fly the gold to Caracas while insuring each shipment for its market value. He can go the Spanish route, and try to transport the gold himself, perhaps making...

Thu, 25 Aug 2011 11:22:36 UTC

The Security Risks of Not Teaching Malware

Posted By Bruce Schneier

Essay by George Ledin on the security risks of not teaching students malware....

Wed, 24 Aug 2011 12:13:15 UTC

Stealing ATM PINs with a Thermal Camera

Posted By Bruce Schneier

It's easy: Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn't work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you...

Tue, 23 Aug 2011 19:09:48 UTC

Smartphone Keystroke Logging Using the Motion Sensor

Posted By Bruce Schneier

Clever: "When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibrations on touch screens are highly correlated to the keys being typed." Applications like TouchLogger could be significant because they bypass protections built into both...

Tue, 23 Aug 2011 11:56:19 UTC

Security for Implanted Medical Devices

Posted By Bruce Schneier

Worried about someone hacking your implanted medical devices? Here's a signal-jamming device you can wear....

Tue, 23 Aug 2011 10:44:58 UTC

Cheating at Casinos with Hidden Cameras

Posted By Bruce Schneier

Sleeve cameras aren't new, but they're now smaller than ever and the cheaters are getting more sophisticated: In January, at the newly opened $4-billion Cosmopolitan casino in Las Vegas, a gang called the Cutters cheated at baccarat. Before play began, the dealer offered one member of the group a stack of eight decks of cards for a pre-game cut. The...

Mon, 22 Aug 2011 18:30:22 UTC

Movie-Plot Threat: Open Airplane Cockpit Doors During Bathroom Breaks

Posted By Bruce Schneier

James Fallows has a nice debunking of a movie-plot threat....

Mon, 22 Aug 2011 17:19:10 UTC

How Microsoft Develops Security Patches

Posted By Bruce Schneier

I thought this was an interesting read....

Mon, 22 Aug 2011 11:01:19 UTC

Pseudonymity

Posted By Bruce Schneier

Long essay on the value of pseudonymity. From the conclusions: Here lies the huge irony in this discussion. Persistent pseudonyms aren't ways to hide who you are. They provide a way to be who you are. You can finally talk about what you really believe; your real politics, your real problems, your real sexuality, your real family, your real self....

Fri, 19 Aug 2011 21:20:52 UTC

Friday Squid Blogging: Squid Forks

Posted By Bruce Schneier

Squid forks....

Fri, 19 Aug 2011 18:57:59 UTC

Looking Backward at Terrorism

Posted By Bruce Schneier

Nice essay on the danger of too much security: The great lie of the war on terror is not that we can sacrifice a little liberty for greater security. It is that fear can be eliminated, and that all we need to do to improve our society is defeat terrorism, rather than look at the other causes of our social,...

Fri, 19 Aug 2011 13:55:30 UTC

The Dilemma of Counterterrorism Policy

Posted By Bruce Schneier

Any institution delegated with the task of preventing terrorism has a dilemma: they can either do their best to prevent terrorism, or they can do their best to make sure they're not blamed for any terrorist attacks. I've talked about this dilemma for a while now, and it's nice to see some research results that demonstrate its effects. A. Peter...

Thu, 18 Aug 2011 18:32:04 UTC

Steven Pinker on Terrorism

Posted By Bruce Schneier

It's almost time for a deluge of "Ten Years After 9/11" essays. Here's Steven Pinker: The discrepancy between the panic generated by terrorism and the deaths generated by terrorism is no accident. Panic is the whole point of terrorism, as the root of the word makes clear: "Terror" refers to a psychological state, not an enemy or an event. The...

Thu, 18 Aug 2011 11:12:14 UTC

New Attack on AES

Posted By Bruce Schneier

"Biclique Cryptanalysis of the Full AES," by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Abstract. Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key variant or upon 8-round attacks on the 192/256-bit key variants has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a...

Wed, 17 Aug 2011 18:51:43 UTC

Alarm Geese

Posted By Bruce Schneier

A prison in Brazil uses geese as part of its alarm system. There's a long tradition of this. Circa 400 BC, alarm geese alerted a Roman citadel to a Gaul attack....

Wed, 17 Aug 2011 11:13:34 UTC

Security by Default

Posted By Bruce Schneier

Nice essay by Christopher Soghoian on why cell phone and Internet providers need to enable security options by default....

Tue, 16 Aug 2011 15:47:42 UTC

Search Redirection and the Illicit Online Prescription Drug Trade

Posted By Bruce Schneier

Really interesting research. Search-redirection attacks combine several well-worn tactics from black-hat SEO and web security. First, an attacker identifies high-visibility websites (e.g., at universities) that are vulnerable to code-injection attacks. The attacker injects code onto the server that intercepts all incoming HTTP requests to the compromised page and responds differently based on the type of request: Requests from search-engine crawlers...

Mon, 15 Aug 2011 09:48:54 UTC

New, Undeletable, Web Cookie

Posted By Bruce Schneier

A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie: Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded -- even when users block cookies, turn off storage in Flash, or use browsers' incognito functions. The Wired article was very short...

Sat, 13 Aug 2011 20:55:10 UTC

Interview with Me

Posted By Bruce Schneier

Here's an interview with me from the Homeland Security News Wire....

Fri, 12 Aug 2011 21:28:39 UTC

Friday Squid Blogging: Giant Squid Painted on Canal Narrowboat

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Aug 2011 19:09:32 UTC

Liars and Outliers Cover

Posted By Bruce Schneier

My new book, Liars and Outliers, has a cover. Publication is still scheduled for the end of February -- in time for the RSA Conference -- assuming I finish the manuscript in time....

Fri, 12 Aug 2011 16:13:24 UTC

Rat that Applies Poison to its Fur

Posted By Bruce Schneier

The African crested rat applies tree poison to its fur to make itself more deadly. The researchers made their discovery after presenting a wild-caught crested rat with branches and roots of the Acokanthera tree, whose bark includes the toxin ouabain. The animal gnawed and chewed the tree's bark but avoided the nontoxic leaves and fruit. The rat then applied the...

Fri, 12 Aug 2011 11:59:23 UTC

Counterfeit Pilot IDs and Uniforms Will Now Be Sufficient to Bypass Airport Security

Posted By Bruce Schneier

This seems like a really bad idea: ...the Transportation Security Administration began a program Tuesday allowing pilots to skirt the security-screening process. The TSA has deployed approximately 500 body scanners to airports nationwide in a bid to prevent terrorists from boarding domestic flights, but pilots don't have to go through the controversial nude body scanners or other forms of screening....

Thu, 11 Aug 2011 11:19:24 UTC

Security Flaws in Encrypted Police Radios

Posted By Bruce Schneier

"Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System," by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze. Abstract: APCO Project 25a (P25) is a suite of wireless communications protocols used in the US and elsewhere for public safety two-way (voice) radio systems. The protocols include...

Wed, 10 Aug 2011 21:48:19 UTC

Friday Squid Blogging: Smaller Male Squid Have Bigger Sperm

Posted By Bruce Schneier

Loligo bleekeri males have two different reproductive strategies, depending on their size. It's kind of like a covert channel....

Wed, 10 Aug 2011 21:11:54 UTC

GPRS Hacked

Posted By Bruce Schneier

Just announced: Nohl's group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren't encrypted at all. When they were encrypted, Nohl adds, the ciphers were often...

Wed, 10 Aug 2011 11:39:03 UTC

"Taxonomy of Operational Cyber Security Risks"

Posted By Bruce Schneier

I'm a big fan of taxonomies, and this -- from Carnegie Mellon -- seems like a useful one: The taxonomy of operational cyber security risks, summarized in Table 1 and detailed in this section, is structured around a hierarchy of classes, subclasses, and elements. The taxonomy has four main classes: actions of people -- action, or lack of action, taken...

Tue, 09 Aug 2011 18:09:14 UTC

Free-Riding on Plant Security Countermeasures

Posted By Bruce Schneier

There's a security story from biology I've used a few times: plants that use chemicals to call in airstrikes by wasps on the herbivores attacking them. This is a new variation: a species of orchid that emits the same signals as a trick, to get pollinated....

Tue, 09 Aug 2011 10:45:31 UTC

MRI Lie Detectors

Posted By Bruce Schneier

An article from Salon -- lots of interesting research. My previous blog post on the topic....

Mon, 08 Aug 2011 17:47:21 UTC

New Bank-Fraud Trojan

Posted By Bruce Schneier

Nasty: The German Federal Criminal Police (the Bundeskriminalamt or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen...

Mon, 08 Aug 2011 11:13:58 UTC

Business Week on The Cyberwar Arms Race

Posted By Bruce Schneier

I've been using the phrase "arms race" to describe the world's militaries' rush into cyberspace for a couple of years now. Here's a good article on the topic that uses the same phrase....

Fri, 05 Aug 2011 21:24:59 UTC

Friday Squid Blogging: Severed Hand is Actually A Dried Squid

Posted By Bruce Schneier

I just can't make this stuff up: A report of a severed hand found at an Oahu seabird sanctuary has turned out to be dried squid. Remember: if you see something, say something. Again this week, please use the squid post to talk about the security stories in the news that I didn't cover....

Fri, 05 Aug 2011 19:58:20 UTC

XKCD on the CIA Hack

Posted By Bruce Schneier

So true....

Fri, 05 Aug 2011 17:25:26 UTC

Zodiac Cipher Cracked

Posted By Bruce Schneier

I admit I don't pay much attention to pencil-and-paper ciphers, so I knew nothing about the Zodiac cipher. Seems it has finally been broken: The Zodiac Killer was a serial killer who preyed on couples in Northern California in the years between 1968 and 1970. Of his seven confirmed victims, five died. More victims and attacks are suspected. The killer...

Fri, 05 Aug 2011 11:22:02 UTC

German Police Call Airport Full-Body Scanners Useless

Posted By Bruce Schneier

I'm not surprised: The weekly Welt am Sonntag, quoting a police report, said 35 percent of the 730,000 passengers checked by the scanners set off the alarm more than once despite being innocent. The report said the machines were confused by several layers of clothing, boots, zip fasteners and even pleats, while in 10 percent of cases the passenger's posture...

Thu, 04 Aug 2011 19:10:54 UTC

Home-Made Wi-Fi Hacking, Phone Snooping, UAV

Posted By Bruce Schneier

Impressive....

Thu, 04 Aug 2011 12:36:26 UTC

Hacking Lotteries

Posted By Bruce Schneier

Two items on hacking lotteries. The first is about someone who figured out how to spot winners in a scratch-off tic-tac-toe style game, and a daily draw style game where expected payout can exceed the ticket price. The second -- behind a paywall, sorry -- is about someone who has won the lottery four times, with speculation that she had...

Wed, 03 Aug 2011 17:57:19 UTC

New Information on the Inventor of the One-Time Pad

Posted By Bruce Schneier

Seems that the one-time pad was not first invented by Vernam: He could plainly see that the document described a technique called the one-time pad fully 35 years before its supposed invention during World War I by Gilbert Vernam, an AT&T engineer, and Joseph Mauborgne, later chief of the Army Signal Corps. [...] The 1882 monograph that Dr. Bellovin stumbled...

Wed, 03 Aug 2011 11:08:28 UTC

Identifying People by their Writing Style

Posted By Bruce Schneier

The article is in the context of the big Facebook lawsuit, but the part about identifying people by their writing style is interesting: Recently, a team of computer scientists at Concordia University in Montreal took advantage of an unusual set of data to test another method of determining e-mail authorship. In 2003, the Federal Energy Regulatory Commission, as part of...

Tue, 02 Aug 2011 18:33:50 UTC

Developments in Facial Recognition

Posted By Bruce Schneier

Eventually, it will work. You'll be able to wear a camera that will automatically recognize someone walking towards you, and a earpiece that will relay who that person is and maybe something about him. None of the technologies required to make this work are hard; it's just a matter of getting the error rate down low enough for it to...

Tue, 02 Aug 2011 11:23:42 UTC

Attacking PLCs Controlling Prison Doors

Posted By Bruce Schneier

Embedded system vulnerabilities in prisons: Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in...

Mon, 01 Aug 2011 17:29:29 UTC

Breaking the Xilinx Virtex-II FPGA Bitstream Encryption

Posted By Bruce Schneier

It's a power-analysis attack, which makes it much harder to defend against. And since the attack model is an engineer trying to reverse-engineer the chip, it's a valid attack. Abstract: Over the last two decades FPGAs have become central components for many advanced digital systems, e.g., video signal processing, network routers, data acquisition and military systems. In order to protect...

Mon, 01 Aug 2011 11:03:28 UTC

Using Science Fiction to Teach Computer Security

Posted By Bruce Schneier

Interesting paper: "Science Fiction Prototyping and Security Education: Cultivating Contextual and Societal Thinking in Computer Security Education and Beyond," by Tadayoshi Kohno and Brian David Johnson. Abstract: Computer security courses typically cover a breadth of technical topics, including threat modeling, applied cryptography, software security, and Web security. The technical artifacts of computer systems -- and their associated computer security risks...

Fri, 29 Jul 2011 11:54:32 UTC

Hacking Apple Laptop Batteries

Posted By Bruce Schneier

Interesting: Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries...

Thu, 28 Jul 2011 19:02:46 UTC

ShareMeNot

Posted By Bruce Schneier

ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook "Like" button or the Google "+1" button) until the user actually chooses to interact with them. That is, ShareMeNot doesn't disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on...

Thu, 28 Jul 2011 11:27:55 UTC

Data Privacy as a Prisoner's Dilemma

Posted By Bruce Schneier

Good analysis: Companies would be better off if they all provided meaningful privacy protections for consumers, but privacy is a collective action problem for them: many companies would love to see the ecosystem fixed, but no one wants to put themselves at a competitive disadvantage by imposing unilateral limitations on what they can do with user data. The solution --...

Wed, 27 Jul 2011 19:10:00 UTC

Cryptography and Wiretapping

Posted By Bruce Schneier

Matt Blaze analyzes the 2010 U.S. Wiretap Report. In 2000, government policy finally reversed course, acknowledging that encryption needed to become a critical part of security in modern networks, something that deserved to be encouraged, even if it might occasionally cause some trouble for law enforcement wiretappers. And since that time the transparent use of cryptography by everyday people (and...

Wed, 27 Jul 2011 11:44:59 UTC

Ars Technica on Liabilities and Computer Security

Posted By Bruce Schneier

Good article: Halderman argued that secure software tends to come from companies that have a culture of taking security seriously. But it's hard to mandate, or even to measure, "security consciousness" from outside a company. A regulatory agency can force a company to go through the motions of beefing up its security, but it's not likely to be effective unless...

Tue, 26 Jul 2011 18:28:58 UTC

Duplicating Physical Keys from Photographs (Sneakey)

Posted By Bruce Schneier

In this demonstration, researchers photographed keys from 200 feet away and then made working copies. From the paper: The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut....

Tue, 26 Jul 2011 11:51:45 UTC

iPhone Iris Scanning Technology

Posted By Bruce Schneier

No indication about how well it works: The smartphone-based scanner, named Mobile Offender Recognition and Information System, or MORIS, is made by BI2 Technologies in Plymouth, Massachusetts, and can be deployed by officers out on the beat or back at the station. An iris scan, which detects unique patterns in a person's eyes, can reduce to seconds the time it...

Mon, 25 Jul 2011 18:06:12 UTC

Revenge Effects of Too-Safe Playground Equipment

Posted By Bruce Schneier

Sometimes too much security isn't good. After observing children on playgrounds in Norway, England and Australia, Dr. Sandseter identified six categories of risky play: exploring heights, experiencing high speed, handling dangerous tools, being near dangerous elements (like water or fire), rough-and-tumble play (like wrestling), and wandering alone away from adult supervision. The most common is climbing heights. "Climbing equipment needs...

Mon, 25 Jul 2011 10:59:08 UTC

Smuggling Drugs in Unwitting People's Car Trunks

Posted By Bruce Schneier

This is clever: A few miles away across the Rio Grande, the FBI determined that Chavez and Gomez were using lookouts to monitor the SENTRI Express Lane at the border. The lookouts identified "targets" -- people with regular commutes who primarily drove Ford vehicles. According to the FBI affidavit, the smugglers would follow their targets and get the vehicle identification...

Fri, 22 Jul 2011 21:11:08 UTC

Friday Squid Blogging: Glass Squid

Posted By Bruce Schneier

Pretty....

Thu, 21 Jul 2011 11:07:40 UTC

Is There a Hacking Epidemic?

Posted By Bruce Schneier

Freakonomics asks: "Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?" They posted five answers, including mine: The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school...

Wed, 20 Jul 2011 11:23:21 UTC

Google Detects Malware in its Search Data

Posted By Bruce Schneier

This is interesting: As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were...

Tue, 19 Jul 2011 19:50:59 UTC

Members of "Anonymous" Hacker Group Arrested

Posted By Bruce Schneier

The police arrested sixteen suspected members of the Anonymous hacker group. Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted. I just hope we don't get a media flurry about how they were some sort of cyber super criminals. Near as I can tell, they were just garden variety hackers...

Tue, 19 Jul 2011 14:59:03 UTC

Telex Anti-Censorship System

Posted By Bruce Schneier

This is really clever: Many anticensorship systems work by making an encrypted connection (called a tunnel) from the user's computer to a trusted proxy server located outside the censor's network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to...

Mon, 18 Jul 2011 14:42:43 UTC

British Phone Hacking Scandal

Posted By Bruce Schneier

Ross Anderson discusses the technical and policy details....

Fri, 15 Jul 2011 21:49:25 UTC

Friday Squid Blogging: Giant School of Squid

Posted By Bruce Schneier

Neat pictures....

Fri, 15 Jul 2011 19:33:00 UTC

Interview in Infosecurity Magazine

Posted By Bruce Schneier

I think I gave this interview at the RSA Conference in February....

Fri, 15 Jul 2011 11:31:38 UTC

Degree Plans of the Future

Posted By Bruce Schneier

You can now get a Master of Science in Strategic Studies in Weapons of Mass Destruction. Well, maybe you can't: "It's not going to be open enrollment (or) traditional students," Giever said. "You worry about whether you might be teaching the wrong person this stuff." At first, the FBI will select students from within its ranks, though Giever wants to...

Thu, 14 Jul 2011 18:47:10 UTC

My Next Book Title: Liars and Outliers

Posted By Bruce Schneier

Thank you for all your comments and suggestions regarding my next book title. It will be: Liars and Outliers: How Security Holds Society Together. We're still deciding on a cover, but it won't be any of the five from the above link. Vaguely ominous crowd scenes are not what I want....

Thu, 14 Jul 2011 11:38:24 UTC

Physical Key Escrow

Posted By Bruce Schneier

This creates far more security risks than it solves: The city council in Cedar Falls, Iowa has absolutely crossed the line. They voted 6-1 in favor of expanding the use of lock boxes on commercial property. Property owners would be forced to place the keys to their businesses in boxes outside their doors so that firefighters, in that one-in-a-million chance,...

Wed, 13 Jul 2011 11:30:19 UTC

Interview with Evgeny Kaspersky

Posted By Bruce Schneier

Interesting....

Tue, 12 Jul 2011 12:13:16 UTC

Insurgent Groups Exhibit Learning Curve

Posted By Bruce Schneier

Interesting research: After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that "insurgents pretty much seemed to be following a progress curve -- or a learning curve -- that's very common in the manufacturing literature," says physicist Neil Johnson of the University of Miami in Florida and lead author of the study....

Mon, 11 Jul 2011 21:48:10 UTC

History of Stuxnet

Posted By Bruce Schneier

Nice article....

Fri, 08 Jul 2011 21:55:59 UTC

Friday Squid Blogging: Giant Squid Egg

Posted By Bruce Schneier

Interesting pictures. Article is in Italian, though. Google Translate translation....

Fri, 08 Jul 2011 11:19:54 UTC

Organized Crime in Ireland Evolves As Security Increases

Posted By Bruce Schneier

The whole article is interesting, but here's just one bit: The favoured quick-fix money-making exercise of the average Irish organised crime gang had, for decades, been bank robberies. But a massive investment by banks in branch security has made the traditional armed hold-up raids increasingly difficult. The presence of CCTV cameras in most banks means any raider would need to...

Thu, 07 Jul 2011 11:36:23 UTC

Comparing al Qaeda and the IRA

Posted By Bruce Schneier

A really interesting article: Al Qaeda played all out, spent all its assets in a few years. In my dumb-ass 2005 article, I called the Al Qaeda method "real war" and the IRA's slow-perc campaign "nerf war." That was ignorance talking, boyish war-loving ignorance. I wanted more action, that was all. I saw what an easy target the London transport...

Wed, 06 Jul 2011 10:53:54 UTC

Man Flies with Someone Else's Ticket and No Legal ID

Posted By Bruce Schneier

Last week, I got a bunch of press calls about Olajide Oluwaseun Noibi, who flew from New York to Los Angeles using an expired ticket in someone else's name and a university ID. They all wanted to know what this says about airport security. It says that airport security isn't perfect, and that people make mistakes. But it's not something...

Tue, 05 Jul 2011 11:14:19 UTC

Research in Secure Chips

Posted By Bruce Schneier

Unsurprisingly, the U.S. military is funding research in this....

Fri, 01 Jul 2011 21:26:03 UTC

Friday Squid Blogging: Giant Squid as an Emblem for Ocean Conservation

Posted By Bruce Schneier

It's a proposal....

Fri, 01 Jul 2011 17:08:05 UTC

TDSS Rootkit

Posted By Bruce Schneier

There's a new version: The latest TDL-4 version of the rootkit, which is used as a persistent backdoor to install other types of malware, infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab. Almost a third of the compromised machines were located in the...

Fri, 01 Jul 2011 13:52:23 UTC

Menwith Hill

Posted By Bruce Schneier

Article on the NSA's Menwith Hill listening station in the UK....

Thu, 30 Jun 2011 13:15:00 UTC

Chinese Army Developed Online Wargame

Posted By Bruce Schneier

This is a really weird story: After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle awareness, state press said on Wednesday. After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle...

Wed, 29 Jun 2011 14:13:20 UTC

Yet Another "People Plug in Strange USB Sticks" Story

Posted By Bruce Schneier

I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed. Of course people plugged in USB...

Mon, 27 Jun 2011 11:15:52 UTC

Common PINs

Posted By Bruce Schneier

There's some great data on common iPhone passwords. I'm sure the results also apply to banking PINs....

Fri, 24 Jun 2011 21:19:38 UTC

Friday Squid Blogging: Eating Humboldt Squid

Posted By Bruce Schneier

Chris Cosentino, chef at Incanto in San Francisco, wants to serve you Humboldt squid....

Fri, 24 Jun 2011 18:59:57 UTC

Selling a Good Reputation on eBay

Posted By Bruce Schneier

Here's someone who is selling positive feedback on eBay: Hello, for sale is a picture of a tree. This tree is an original and was taken by me. I have gotten nothing but 100% feedback from people from this picture. Great Picture! Once payment is made I will send you picture via email. Once payment is made and I send...

Fri, 24 Jun 2011 16:40:28 UTC

Assisting a Hostage Taker via Facebook

Posted By Bruce Schneier

It's a new world: An armed Valdez, 36, held a woman hostage at a motel in a tense 16-hour, overnight standoff with SWAT teams, all while finding time to keep his family and friends updated on Facebook. [...] In all, Valdez made six posts and added at least a dozen new friends. His family and friends responded with 100 comments....

Fri, 24 Jun 2011 11:37:53 UTC

Protecting Private Information on Smart Phones

Posted By Bruce Schneier

AppFence is a technology -- with a working prototype -- that protects personal information on smart phones. It does this by either substituting innocuous information in place of sensitive information or blocking attempts by the application to send the sensitive information over the network. The significance of systems like AppFence is that they have the potential to change the balance...
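The two strategies the post names, data shadowing and exfiltration blocking, as an added example that is not part of the original post or of AppFence itself. AppFence tracks taint through the running app; this toy monitor instead remembers which sensitive values it handed out and refuses outbound payloads that contain them, which an app can defeat by encoding or encrypting before sending. The resource names, policy keywords, shadow values and device data are all constructed for the example.

```python
"""
Simplified model of the two AppFence strategies described in the post: data shadowing
(a sensitive API returns innocuous substitute data to an app that is not permitted the
real value) and exfiltration blocking (an outbound network write is refused if it
carries data the app was allowed to read but not to transmit). Constructed example,
not AppFence's code. AppFence tracks taint through the running app; here taint is
approximated by remembering which sensitive values were handed out and matching them
in outbound payloads, which an app can defeat by encoding or encrypting first.
"""

# Innocuous substitutes returned under the "shadow" policy (constructed values).
SHADOW = {
    "imei": "000000000000000",
    "contacts": [],
    "location": (0.0, 0.0),
}


class PrivacyMonitor:
    def __init__(self, real_data, policy):
        # real_data: resource -> real value
        # policy: app -> resource -> "allow" | "shadow" | "block_send"
        self.real = real_data
        self.policy = policy
        self.tainted = {}  # app -> set of byte strings that must not leave the device

    def _rule(self, app, resource):
        # Unknown app or resource defaults to shadowing, i.e. deny by default.
        return self.policy.get(app, {}).get(resource, "shadow")

    def read(self, app, resource):
        """The privacy-sensitive API an app calls (contacts, IMEI, location, ...)."""
        rule = self._rule(app, resource)
        if rule == "shadow":
            return SHADOW[resource]
        value = self.real[resource]
        if rule == "block_send":
            # Real value goes to the app, but every element is remembered as tainted.
            items = value if isinstance(value, (list, tuple)) else [value]
            self.tainted.setdefault(app, set()).update(str(v).encode() for v in items)
        return value

    def send(self, app, host, payload):
        """Outbound network write. Returns (delivered, reason)."""
        for secret in self.tainted.get(app, set()):
            if secret and secret in payload:
                return False, f"blocked: {app} tried to send protected data to {host}"
        return True, f"sent {len(payload)} bytes to {host}"


if __name__ == "__main__":
    # Constructed device data and a constructed per-app policy.
    monitor = PrivacyMonitor(
        real_data={"imei": "490154203237518",
                   "contacts": ["alice@example.org", "bob@example.org"],
                   "location": (47.61, -122.33)},
        policy={"weather": {"location": "allow", "imei": "shadow", "contacts": "block_send"}},
    )
    print(monitor.read("weather", "imei"))                      # shadow value
    contacts = monitor.read("weather", "contacts")              # real, but tainted
    print(monitor.send("weather", "api.example", b"lat=47.61&lon=-122.33"))
    print(monitor.send("weather", "ads.example", ",".join(contacts).encode()))
```

The shadowed IMEI can be sent anywhere because it is worthless; the contacts can be used locally but not transmitted. The substring check is the weak link: anything that base64-encodes or encrypts the payload slips past it, which is why the real system does taint tracking inside the runtime instead.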

Thu, 23 Jun 2011 18:16:57 UTC

NSA Style Manual

Posted By Bruce Schneier

National Security Agency (NSA) SIGINT Reporter's Style and Usage Manual, 2010....

Thu, 23 Jun 2011 11:29:24 UTC

Insider Attack Against M&A Information in Document Titles

Posted By Bruce Schneier

Protecting against insiders is hard. Kluger and two accomplices -- a Wall Street trader and a mortgage broker -- allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least...

Wed, 22 Jun 2011 18:40:52 UTC

Did Reason Evolve as a Persuasion Tool?

Posted By Bruce Schneier

Many of our informal security systems involve convincing others to do what we want them to. Here's a theory that says human reasoning evolved not as a tool to better understand the world or solve problems, but to win arguments and persuade other humans. (Paper here.)...

Wed, 22 Jun 2011 11:23:33 UTC

Firesheep in Use

Posted By Bruce Schneier

Nice article on Firesheep in action....

Tue, 21 Jun 2011 16:20:05 UTC

My Next Book: Title and Cover

Posted By Bruce Schneier

As my regular readers already know, I'm in the process of writing my next book. It's a book about why security exists: specifically, how a group of people protects itself from individuals within that group. My working title has been The Dishonest Minority. The idea behind the title is that "honesty" is defined by social convention, then those that don't...

Tue, 21 Jun 2011 10:58:12 UTC

The Problem with Cyber-crime Surveys

Posted By Bruce Schneier

Good paper: "Sex, Lies and Cyber-crime Surveys," Dinei Florêncio and Cormac Herley, Microsoft Research. Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the...

Mon, 20 Jun 2011 17:12:58 UTC

The Life Cycle of Cryptographic Hash Functions

Posted By Bruce Schneier

Nice chart....

Mon, 20 Jun 2011 12:01:32 UTC

RAND Corporation on Trusted Traveler

Posted By Bruce Schneier

New paper: "Assessing the Security Benefits of a Trusted Traveler Program in the Presence of Attempted Attacker Exploitation and Compromise": Current aviation security procedures screen all passengers uniformly. Varying the amount of screening individuals receive based on an assessment of their relative risk has the potential to reduce the security burdens on some travelers, while improving security overall. This paper...

Sat, 18 Jun 2011 18:06:58 UTC

Fourth SHB Workshop

Posted By Bruce Schneier

I'm at SHB 2011, the fourth Interdisciplinary Workshop on Security and Human Behavior, at Carnegie Mellon University. This is a two-day invitational gathering of computer security researchers, psychologists, behavioral economists, sociologists, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security -- organized by Alessandro Acquisti, Ross Anderson, and me. It's not just...

Fri, 17 Jun 2011 21:35:09 UTC

Friday Squid Blogging: Beautiful Deep-Sea Squid Picture

Posted By Bruce Schneier

From the Telegraph (also here)....

Fri, 17 Jun 2011 19:32:33 UTC

Horse "No Ride" List

Posted By Bruce Schneier

Excellent satire....

Fri, 17 Jun 2011 17:09:39 UTC

Court Ruling on "Reasonable" Electronic Banking Security

Posted By Bruce Schneier

One of the pleasant side effects of being too busy to write longer blog posts is that -- if I wait long enough -- someone else writes what I would have wanted to. The ruling in the Patco Construction vs. People's United Bank case is important, because the judge basically ruled that the bank's substandard security was good enough --...

Fri, 17 Jun 2011 11:34:52 UTC

The Decline of al Qaeda

Posted By Bruce Schneier

Interesting essay....

Thu, 16 Jun 2011 12:33:35 UTC

Threat Models Colliding at Movie-Theater Projectors

Posted By Bruce Schneier

Interesting....

Wed, 15 Jun 2011 18:19:14 UTC

WEIS 2011

Posted By Bruce Schneier

I'm at the Tenth Workshop on Economics of Information Security (WEIS 2011), at George Mason University. Most of the papers are online, and Ross Anderson is liveblogging the talks....

Wed, 15 Jun 2011 17:03:12 UTC

Malware in Google's Android

Posted By Bruce Schneier

This is not a good development....

Wed, 15 Jun 2011 11:22:00 UTC

The Non-Anonymity of Bubble Forms

Posted By Bruce Schneier

It turns out that "fill-in-the-bubble" forms are not so anonymous....

Tue, 14 Jun 2011 18:45:13 UTC

Status Report on the War on Photography

Posted By Bruce Schneier

Worth reading: Morgan Leigh Manning, "Less than Picture Perfect: The Legal Relationship between Photographers' Rights and Law Enforcement," Tennessee Law Review, Vol. 78, p. 105, 2010. Abstract: Threats to national security and public safety, whether real or perceived, result in an atmosphere conducive to the abuse of civil liberties. History is littered with examples: The Alien and Sedition Acts of...

Tue, 14 Jun 2011 12:54:26 UTC

Yet Another Way to Evade TSA's Full-Body Scanners

Posted By Bruce Schneier

Last night, at the Third EPIC Champion of Freedom Awards Dinner, we gave an award to Susie Castillo, whose blog post and video of her treatment in the hands of the TSA has inspired thousands to complain about the agency and their treatment of travellers. Sitting with her at dinner, I learned yet another way to evade the TSA's full...

Mon, 13 Jun 2011 11:52:50 UTC

Why it's So Difficult to Trace Cyber-Attacks

Posted By Bruce Schneier

I've been asked this question by countless reporters in the past couple of weeks. Here's a good explanation. Shorter answer: it's easy to spoof source destination, and it's easy to hijack unsuspecting middlemen and use them as proxies. No, mandating attribution won't solve the problem. Any Internet design will necessarily include anonymity....

Fri, 10 Jun 2011 21:14:18 UTC

Friday Squid Blogging: Squid Cartoon

Posted By Bruce Schneier

Savage Chickens....

Fri, 10 Jun 2011 17:59:49 UTC

Two Good Rants

Posted By Bruce Schneier

Patrick Gray on why we secretly love LulzSec, and Robert Cringely on why we openly hate RSA....

Fri, 10 Jun 2011 11:14:54 UTC

New Airport Scanning Technology

Posted By Bruce Schneier

Interesting: Iscon's patented, thermo-conductive technology combines infrared (IR) and heat transfer, for high-resolution imaging without using any radiation. The core of this is state of the art imaging which detects and processes a break in the established thermal balance between the clothes and a hidden object. The IR camera detects the heat radiating from even a tiny object, producing a...

Thu, 09 Jun 2011 18:53:27 UTC

Spam as a Business

Posted By Bruce Schneier

Interesting research: Kirill Levchenko, et al. (2010), "Click Trajectories -- End-to-End Analysis of the Spam Value Chain," IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011. Abstract: Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack,...

Wed, 08 Jun 2011 20:46:13 UTC

25% of U.S. Criminal Hackers are Police Informants

Posted By Bruce Schneier

I have no idea if this is true: In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" -- hackers specialising in ID theft -- have themselves taken over the management of crime...

Tue, 07 Jun 2011 10:32:48 UTC

Tennessee Makes Password Sharing Illegal

Posted By Bruce Schneier

Here's a new law that won't work: State lawmakers in country music's capital have passed a groundbreaking measure that would make it a crime to use a friend's login -- even with permission -- to listen to songs or watch movies from services such as Netflix or Rhapsody. [...] The legislation was aimed at hackers and thieves who sell passwords...

Mon, 06 Jun 2011 19:59:17 UTC

Fighting Terrorism with Cupcakes

Posted By Bruce Schneier

MI6 hacked into an online al-Qaeda magazine and replaced bomb-making instructions with a cupcake recipe. It's a more polite hack than subtly altering the recipe so it blows up during the making process. (I've been told, although I don't know for sure, that the 1971 Anarchist's Cookbook has similarly flawed recipes.)...

Mon, 06 Jun 2011 12:06:54 UTC

Analysis of Redaction Failures

Posted By Bruce Schneier

Redaction failures are so common that I stopped blogging about them years ago. This is the first analysis I have seen of technical redaction failures. And here's the NSA on how to redact....

Fri, 03 Jun 2011 21:13:48 UTC

Friday Squid Blogging: LOLCat and Squid Toy

Posted By Bruce Schneier

Cute....

Fri, 03 Jun 2011 18:49:20 UTC

World War II Tunny Cryptanalysis Machine Rebuilt at Bletchley Park

Posted By Bruce Schneier

Neat: The rebuild team had only a few photographs, partial circuit diagrams and the fading memories of a few original Tunny operators to go on. Nonetheless a team led by John Pether and John Whetter was able to complete this restoration work. Pether explained that getting the electronics to work proved to be the most difficult part of the restoration...

Fri, 03 Jun 2011 11:41:21 UTC

Security vs. Privacy

Posted By Bruce Schneier

Daniel Solove on the security vs. privacy debate....

Thu, 02 Jun 2011 17:11:51 UTC

Open-Source Software Feels Insecure

Posted By Bruce Schneier

At first glance, this seems like a particularly dumb opening line of an article: Open-source software may not sound compatible with the idea of strong cybersecurity, but.... But it's not. Open source does sound like a security risk. Why would you want the bad guys to be able to look at the source code? They'll figure out how it works....

Thu, 02 Jun 2011 14:48:51 UTC

Spear Phishing Attacks from China Against Gmail Accounts

Posted By Bruce Schneier

Reporters have been calling me pretty much constantly about this story, but I can't figure out why in the world this is news. Attacks from China -- old news; attacks from China against Google -- old news; attacks from China against Google Gmail accounts -- old news. Spear phishing attacks from China against senior government officials -- old news. There's...

Thu, 02 Jun 2011 12:32:24 UTC

Man-in-the-Middle Attack Against the MCAT Exam

Posted By Bruce Schneier

In Applied Cryptography, I wrote about the "Chess Grandmaster Problem," a man-in-the-middle attack. Basically, Alice plays chess remotely with two grandmasters. She plays Grandmaster 1 as white and Grandmaster 2 as black. After the standard opening of 1. e4, she just replays the moves from one game to the other, and convinces both of them that she's a grandmaster in...

Wed, 01 Jun 2011 13:59:08 UTC

Three-Volume History of Counterintelligence

Posted By Bruce Schneier

CI Reader: An American Revolution Into the New Millennium, Volumes I, II, and III is published by the U.S. Office of the National Counterintelligence Executive. (No, I've never heard of them, either.)...

Tue, 31 May 2011 18:12:42 UTC

The U.S. Seems to Have a Secret Stealth Helicopter

Posted By Bruce Schneier

That's what the U.S. destroyed after a malfunction in Pakistan during the Bin Laden assassination. (For helicopters, "stealth" is less concerned with radar signatures and more concerned with acoustical quiet.) There was some talk about Pakistan sending it to China, but they're returning it to the U.S. I presume that the Chinese got everything they needed quickly....

Tue, 31 May 2011 11:34:35 UTC

Keeping Sensitive Information Out of the Hands of Terrorists Through Self-Restraint

Posted By Bruce Schneier

In my latest book (available February), I talk about various mechanisms for societal security: how we as a group protect ourselves from the "dishonest minority" within us. I have four types of societal security systems: moral systems -- any internal rewards and punishments; reputational systems -- any informal external rewards and punishments; rule-based systems -- any formal system of rewards...

Mon, 30 May 2011 12:17:20 UTC

Lockheed Martin Hack Linked to RSA's SecurID Breach

Posted By Bruce Schneier

All I know is what I read in the news....

Mon, 30 May 2011 11:58:47 UTC

Aggressive Social Engineering Against Consumers

Posted By Bruce Schneier

Cyber criminals are getting aggressive with their social engineering tactics. Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home. “He said he wanted to fix my problem over the phone,” Christopherson said. She said she was...

Fri, 27 May 2011 21:15:27 UTC

Friday Squid Blogging: Hand-Cut Paper Silhouette

Posted By Bruce Schneier

Surprisingly pretty....

Fri, 27 May 2011 11:04:55 UTC

Apple's iOS 4 Hardware Encryption Cracked

Posted By Bruce Schneier

All I know is what's in these two blog posts from Elcomsoft. Note that they didn't break AES-256; they figured out how to extract the keys from the hardware (iPhones, iPads). The company "will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies."...

Thu, 26 May 2011 18:57:44 UTC

U.S. Presidential Limo Defeated by Steep-Grade Parking Ramp

Posted By Bruce Schneier

It's not something I know anything about -- actually, it's not something many people know about -- but I've posted some links about the security features of the U.S. presidential limousine. So it's amusing to watch the limo immobilized by a steep grade at the U.S. embassy in Dublin. (You'll get a glimpse of how thick the car doors are...

Thu, 26 May 2011 11:02:58 UTC

Black Box Records in Automobiles

Posted By Bruce Schneier

Proposed new rules in the U.S....

Wed, 25 May 2011 16:55:48 UTC

Blackhole Exploit Kit

Posted By Bruce Schneier

It's now available as a free download: A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime. The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting...

Tue, 24 May 2011 10:50:30 UTC

New Siemens SCADA Vulnerabilities Kept Secret

Posted By Bruce Schneier

SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage...

Mon, 23 May 2011 11:47:18 UTC

Dropbox Security

Posted By Bruce Schneier

I haven't written about Dropbox's security problems; too busy with the book. But here's an excellent summary article from The Economist. The meta-issue is pretty simple. If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to...

Fri, 20 May 2011 21:27:20 UTC

Friday Squid Blogging: Plush Squid

Posted By Bruce Schneier

Very cute....

Fri, 20 May 2011 21:00:05 UTC

CDC on the Zombie Apocalypse

Posted By Bruce Schneier

The Centers for Disease Control and Prevention weigh in on preparations for the zombie apocalypse....

Fri, 20 May 2011 19:43:36 UTC

The Normalization of Security

Posted By Bruce Schneier

TSA-style security is now so normal that it's part of a Disney ride: The second room of the queue is now a security check area, similar to a TSA checkpoint. The two G-series droids are still there, G2-9T scanning luggage and G2-4T scanning passengers. For those attraction junkies, you'll remember that the G-series droids are so named because in the...

Fri, 20 May 2011 12:44:46 UTC

Forged Subway Passes in Boston

Posted By Bruce Schneier

For years, an employee of Cubic Corp -- the company who makes the automatic fare card systems for most of the subway systems around the world -- forged and then sold monthly passes for the Boston MBTA system. The scheme was discovered by accident: Coakley said the alleged scheme was only discovered after a commuter rail operator asked a...

Thu, 19 May 2011 11:01:24 UTC

BIOS Protection

Posted By Bruce Schneier

NIST has released "BIOS Protection Guidelines."...

Wed, 18 May 2011 13:45:55 UTC

Bin Laden Maintained Computer Security with an Air Gap

Posted By Bruce Schneier

From the Associated Press: Bin Laden's system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. The trove of electronic records pulled out of his compound after he was killed last week is revealing thousands of messages and potentially hundreds of email addresses, the AP has learned....

Tue, 17 May 2011 18:35:07 UTC

Mobile Phone Privacy App Contest

Posted By Bruce Schneier

Entries due by the end of the month....

Tue, 17 May 2011 12:46:45 UTC

Fingerprint Scanner that Works at a Distance

Posted By Bruce Schneier

Scanning fingerprints from six feet away. Slightly smaller than a square tissue box, AIRprint houses two 1.3 megapixel cameras and a source of polarized light. One camera receives horizontally polarized light, while the other receives vertically polarized light. When light hits a finger, the ridges of the fingerprint reflect one polarization of light, while the valleys reflect another. "That's where...

Mon, 16 May 2011 11:31:05 UTC

The Inner Workings of an FBI Surveillance Device

Posted By Bruce Schneier

This FBI surveillance device, designed to be attached to a car, has been taken apart and analyzed. A recent ruling by the 9th U.S. Circuit Court of Appeals affirms that it's legal for law enforcement to secretly place a tracking device on your car without a warrant, even if it's parked in a private driveway....

Fri, 13 May 2011 21:54:45 UTC

Friday Squid Blogging: Squid Sous Vide

Posted By Bruce Schneier

Yum: We learned to cook squid sous vide at 59°C when we were at Atelier in Canada. The cooking time and temperature we picked up produce squid which is meaty, juicy and rich in texture. Here we marinated the squid with mango pickle and then cooked them for three hours at 59°C. Then we cooled them down in an ice...

Fri, 13 May 2011 16:29:02 UTC

Interview with Me About the Sony Hack

Posted By Bruce Schneier

These are what I get for giving interviews when I'm in a bad mood. For the record, I think Sony did a terrible job with its customers' security. I also think that most companies do a terrible job with customers' security, simply because there isn't a financial incentive to do better. And that most of us are pretty secure, despite...

Fri, 13 May 2011 12:11:26 UTC

Drugging People and Then Robbing Them

Posted By Bruce Schneier

This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They're actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house. According to the article, when the police tried the same trick with placebos, they got an...

Thu, 12 May 2011 11:24:22 UTC

FBI Surveillance Tools

Posted By Bruce Schneier

Interesting blog post from EFF....

Wed, 11 May 2011 16:01:59 UTC

RFID Tags Protecting Hotel Towels

Posted By Bruce Schneier

The stealing of hotel towels isn't a big problem in the scheme of world problems, but it can be expensive for hotels. Sure, we have moral prohibitions against stealing -- that'll prevent most people from stealing the towels. Many hotels put their name or logo on the towels. That works as a reputational societal security system; most people don't want...

Wed, 11 May 2011 11:12:23 UTC

"Resilience of the Internet Interconnection Ecosystem"

Posted By Bruce Schneier

This blog post by Richard Clayton is worth reading. If you have more time, there's a 238-page report and a 31-page executive summary....

Tue, 10 May 2011 18:47:14 UTC

Medieval Tally Stick Discovered in Germany

Posted By Bruce Schneier

Interesting: The well-preserved tally stick was used in the Middle Ages to count the debts owed by the holder in a time when most people were unable to read or write. "Debts would have been carved into the stick in the form of small notches. Then the stick would have been split lengthways, with the creditor and the borrower each...

Tue, 10 May 2011 11:20:33 UTC

The Era of "Steal Everything"

Posted By Bruce Schneier

Good comment: "We're moving into an era of 'steal everything'," said David Emm, a senior security researcher for Kaspersky Labs. He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information. As both...

Mon, 09 May 2011 18:50:00 UTC

Vulnerabilities in Online Payment Systems

Posted By Bruce Schneier

This hack was conducted as a research project. It's unlikely it's being done in the wild: In one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a...

Mon, 09 May 2011 12:02:54 UTC

Status Report: The Dishonest Minority

Posted By Bruce Schneier

Three months ago, I announced that I was writing a book on why security exists in human societies. This is basically the book's thesis statement: All complex systems contain parasites. In any system of cooperative behavior, an uncooperative strategy will be effective -- and the system will tolerate the uncooperatives -- as long as they're not too numerous or too...

Fri, 06 May 2011 21:31:01 UTC

Friday Squid Blogging: Noise Pollution and Squid

Posted By Bruce Schneier

It literally blows holes in their heads: In the study, led by Michel André of the Technical University of Catalonia in Barcelona, biologists exposed 87 individual cephalopods of four species -- Loligo vulgaris, Sepia officinalis, Octopus vulgaris and Illex coindeti -- to short sweeps of relatively low intensity, low frequency sound between 50 and 400 Hertz (Hz). Then they examined...

Fri, 06 May 2011 21:11:09 UTC

Friday Squid Blogging: Squids in Space

Posted By Bruce Schneier

There are live squids on the last Endeavour mission....

Fri, 06 May 2011 17:32:20 UTC

Forged Memory

Posted By Bruce Schneier

A scary development in rootkits: Rootkits typically modify certain areas in the memory of the running operating system (OS) to hijack execution control from the OS. Doing so forces the OS to present inaccurate results to detection software (anti-virus, anti-rootkit). For example rootkits may hide files, registries, processes, etc., from detection software. So rootkits typically modify memory. And anti-rootkit tools...

Fri, 06 May 2011 12:01:15 UTC

Stolen Camera Finder

Posted By Bruce Schneier

Here's a clever Web app that locates your stolen camera by searching the EXIF data on public photo databases for your camera's serial number....

Thu, 05 May 2011 17:52:16 UTC

Extreme Authentication

Posted By Bruce Schneier

Exactly how did they confirm it was Bin Laden's body? Officials compared the DNA of the person killed at the Abbottabad compound with the bin Laden "family DNA" to determine that the 9/11 mastermind had in fact been killed, a senior administration official said. It was not clear how many different family members' samples were compared or whose DNA was...

Thu, 05 May 2011 11:43:40 UTC

Osama's Death Causes Spike in Suspicious Package Reports

Posted By Bruce Schneier

It's not that the risk is greater, it's that the fear is greater. Data from New York: There were 10,566 reports of suspicious objects across the five boroughs in 2010. So far this year, the total was 2,775 as of Tuesday compared with 2,477 through the same period last year. [...] The daily totals typically spike when a terrorist plot makes...

Wed, 04 May 2011 17:15:57 UTC

"Operation Pumpkin"

Posted By Bruce Schneier

Wouldn't it be great if this were not a joke: the security contingency that was in place in the event that Kate Middleton tried to run away just before the wedding. After protracted, top-secret negotiations between royal staff from Clarence House and representatives from the Metropolitan Police, MI5 and elements of the military, a compromise was agreed. In the event...

Wed, 04 May 2011 11:40:09 UTC

Unintended Security Consequences of the New Pyrex Recipe

Posted By Bruce Schneier

This is interesting: When World Kitchen took over the Pyrex brand, it started making more products out of prestressed soda-lime glass instead of borosilicate. With pre-stressed, or tempered, glass, the surface is under compression from forces inside the glass. It is stronger than borosilicate glass, but when it's heated, it still expands as much as ordinary glass does. It doesn't...

Tue, 03 May 2011 19:25:25 UTC

Decline in Cursive Writing Leads to Increase in Forgery Risk?

Posted By Bruce Schneier

According to this article, students are no longer learning how to write in cursive. And, if they are learning it, they're forgetting how. Certainly the ubiquity of keyboards is leading to a decrease in writing by hand. Relevant to this blog, the article claims that this is making signatures easier to forge. While printing might be legible, the less complex...

Tue, 03 May 2011 12:54:03 UTC

Nikon Image Authentication System Cracked

Posted By Bruce Schneier

Not a lot of details: ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0x0097...
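The signing arrangement the ElcomSoft quote describes, as an added example that is not Nikon's or ElcomSoft's code: the metadata and the image data are hashed separately with SHA-1, each hash is RSA-signed with a key that lives inside the camera, and both signatures ride along with the file. The RSA here is textbook (no padding) with small throwaway primes so it runs instantly, the "file" is a dict rather than real EXIF, and the key name `MakerNote_0x0097` merely echoes the tag the quote mentions. What the example shows is the trust model: once the camera's private key has been extracted, a forged image verifies exactly like a genuine one.

```python
"""
Toy model of an in-camera image-signing scheme of the kind described above:
metadata and image data are hashed separately with SHA-1, each hash is RSA-signed
with a key held inside the camera, and both signatures are stored with the file.
Constructed example, not Nikon's or ElcomSoft's code. The RSA is textbook (no
padding) with small throwaway primes; the point is the trust model, not the primitives.
"""
import hashlib
import random

SIG_TAG = "MakerNote_0x0097"   # named after the tag mentioned in the quote; not real EXIF


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; adequate for throwaway demo primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(c, rng):
            return c


def generate_keypair(bits=192, seed=None):
    """Returns (public, private) as ((n, e), (n, d)). n must exceed 2**160 so a raw
    SHA-1 value fits under it; 192 bits is plenty for that and instant to generate."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:   # e is prime, so e not dividing phi means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def rsa_sign(private, data):
    n, d = private
    return pow(_sha1_int(data), d, n)


def rsa_verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _sha1_int(data)


def camera_sign(photo, camera_private):
    """What the firmware does at capture time: two hashes, two signatures."""
    signed = dict(photo)
    signed[SIG_TAG] = (rsa_sign(camera_private, photo["metadata"]),
                       rsa_sign(camera_private, photo["image"]))
    return signed


def verify_photo(photo, public):
    """What the desktop verification tool does. It can only check the math."""
    if SIG_TAG not in photo:
        return False
    sig_meta, sig_image = photo[SIG_TAG]
    return (rsa_verify(public, photo["metadata"], sig_meta)
            and rsa_verify(public, photo["image"], sig_image))


if __name__ == "__main__":
    public, camera_private = generate_keypair(seed=7)
    photo = {"metadata": b"Model=constructed-camera;DateTime=2011:05:03",   # constructed
             "image": b"\x89PNG\r\n\x1a\n constructed pixel data"}
    genuine = camera_sign(photo, camera_private)
    tampered = dict(genuine, image=b"\x89PNG\r\n\x1a\n edited pixel data")
    forged = camera_sign(tampered, camera_private)   # attacker holds the extracted key
    print(verify_photo(genuine, public), verify_photo(tampered, public), verify_photo(forged, public))
```

The tampered image fails because its signature no longer matches its hash; the forged one passes because it was re-signed with the very key the verifier trusts. Nothing in the verification step can tell a camera from an attacker holding the camera's key, which is why a scheme like this stands or falls on keeping that key inside the hardware.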

Mon, 02 May 2011 14:09:55 UTC

LiveBlogging the Bin Ladin Assassination

Posted By Bruce Schneier

"VirtualReality" tweeted the Bin Ladin assassination without realizing it....

Mon, 02 May 2011 11:52:53 UTC

Hijacking the Coreflood Botnet

Posted By Bruce Schneier

Earlier this month, the FBI seized control of the Coreflood botnet and shut it down: According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote "stop" command to infected machines to disable the...

Fri, 29 Apr 2011 21:43:16 UTC

Friday Squid Blogging: Giant Squid Eye Preserved in a Jar

Posted By Bruce Schneier

Great picture from the Smithsonian Institution....

Fri, 29 Apr 2011 19:45:59 UTC

TED Talk

Posted By Bruce Schneier

This is a surprise. My TED talk made it to the website. It's a surprise because I didn't speak at TED. I spoke last year at a regional TED event, TEDxPSU. And not all talks from the regional events get on the main site, only the good ones....

Thu, 28 Apr 2011 11:56:17 UTC

The Cyberwar Arms Race

Posted By Bruce Schneier

Good paper: "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," by Jerry Brito and Tate Watkins. Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that "cyberweapons...

Wed, 27 Apr 2011 14:10:53 UTC

Social Solidarity as an Effect of the 9/11 Terrorist Attacks

Posted By Bruce Schneier

It's standard sociological theory that a group experiences social solidarity in response to external conflict. This paper studies the phenomenon in the United States after the 9/11 terrorist attacks. Conflict produces group solidarity in four phases: (1) an initial few days of shock and idiosyncratic individual reactions to attack; (2) one to two weeks of establishing standardized displays of solidarity...

Tue, 26 Apr 2011 11:59:16 UTC

Security Risks of Running an Open WiFi Network

Posted By Bruce Schneier

As I've written before, I run an open WiFi network. It's stories like these that may make me rethink that. The three stories all fall along the same theme: a Buffalo man, Sarasota man, and Syracuse man all found themselves being raided by the FBI or police after their wireless networks were allegedly used to download child pornography. "You're a...

Mon, 25 Apr 2011 10:24:43 UTC

Hard-Drive Steganography through Fragmentation

Posted By Bruce Schneier

Clever: Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file's cluster positions have been encoded. The code depends on...

Fri, 22 Apr 2011 21:30:26 UTC

Friday Squid Blogging: Squid Prints

Posted By Bruce Schneier

Okay, this is a little weird: This year's Earth Day will again include the celebrated "squid printing" activity with two big, beautiful Pacific Humboldt squid donated from the Gulf of the Farallones National Marine Sanctuary. We'll be inking them up and laying them out on paper to create fascinating one-of-a-kind imprints of their bodies. I don't know what's worse:...

Thu, 21 Apr 2011 11:38:39 UTC

Declassified World War I Security Documents

Posted By Bruce Schneier

The CIA has just declassified six (1, 2, 3, 4, 5, and 6) documents about World War I security techniques. (The media is reporting they're CIA documents, but the CIA didn't exist before 1947.) Lots of stuff about secret writing and pre-computer tradecraft....

Wed, 20 Apr 2011 11:52:50 UTC

Large-Scale Food Theft

Posted By Bruce Schneier

A criminal gang is stealing truckloads of food: Late last month, a gang of thieves stole six tractor-trailer loads of tomatoes and a truck full of cucumbers from Florida growers. They also stole a truckload of frozen meat. The total value of the illegal haul: about $300,000. The thieves disappeared with the shipments just after the price of Florida tomatoes...

Wed, 20 Apr 2011 11:31:54 UTC

Costs of Security

Posted By Bruce Schneier

Interesting blog post on the security costs for the $50B Air Force bomber program -- estimated to be $8B. This isn't all computer security, but the original article specifically calls out Chinese computer espionage as a primary threat....

Tue, 19 Apr 2011 11:47:53 UTC

Software as Evidence

Posted By Bruce Schneier

Increasingly, chains of evidence include software steps. It's not just the RIAA suing people -- and getting it wrong -- based on automatic systems to detect and identify file sharers. It's forensic programs used to collect and analyze data from computers and smart phones. It's audit logs saved and stored by ISPs and websites. It's location data from cell phones....

Mon, 18 Apr 2011 14:33:49 UTC

WikiLeaks Cable about Chinese Hacking of U.S. Networks

Posted By Bruce Schneier

We know it's prevalent, but there's some new information: Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by U.S. investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army. Privately,...

Fri, 15 Apr 2011 21:49:51 UTC

Friday Squid Blogging: Omega 3 Oil from Squid

Posted By Bruce Schneier

New health supplement....

Fri, 15 Apr 2011 18:45:47 UTC

"Schneier's Law"

Posted By Bruce Schneier

Back in 1998, I wrote: Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. In 2004, Cory Doctorow called this Schneier's law: ...what I think of as Schneier's Law: "any person can invent a security system so clever that she or he can't think of how to break it." The...

Fri, 15 Apr 2011 11:49:54 UTC

Unanticipated Security Risk of Keeping Your Money in a Home Safe

Posted By Bruce Schneier

In Japan, lots of people -- especially older people -- keep their life savings in cash in their homes. (The country's banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out...

Thu, 14 Apr 2011 11:36:43 UTC

Changing Incentives Creates Security Risks

Posted By Bruce Schneier

One of the things I am writing about in my new book is how security equilibriums change. They often change because of technology, but they sometimes change because of incentives. An interesting example of this is the recent scandal in the Washington, DC, public school system over teachers changing their students' test answers. In the U.S., under the No Child...

Wed, 13 Apr 2011 18:14:57 UTC

Security Fears of Wi-Fi in London Underground

Posted By Bruce Schneier

The London Underground is getting Wi-Fi. Of course there are security fears: But Will Geddes, founder of ICP Group which specialises in reducing terror or technology-related threats, said the plan was problematic. He said: "There are lots of implications in terms of terrorism and security. "This will enable people to use their laptop on the Tube as if it was...

Wed, 13 Apr 2011 11:25:07 UTC

Euro Coin Recycling Scam

Posted By Bruce Schneier

This story is just plain weird. Regularly, damaged coins are taken out of circulation. They're destroyed and then sold to scrap metal dealers. That makes sense, but it seems that one- and two-euro coins aren't destroyed very well. They're both bi-metal designs, and they're just separated into an inner core and an outer ring and then sold to Chinese scrap...

Tue, 12 Apr 2011 19:06:27 UTC

Israel's Counter-Cyberterrorism Unit

Posted By Bruce Schneier

You'd think the country would already have one of these: Israel is mulling the creation of a counter-cyberterrorism unit designed to safeguard both government agencies and core private sector firms against hacking attacks. The proposed unit would supplement the efforts of Mossad and other agencies in fighting cyberespionage and denial of service attacks....

Tue, 12 Apr 2011 11:03:25 UTC

How did the CIA and FBI Know that Australian Government Computers were Hacked?

Posted By Bruce Schneier

Newspapers are reporting that, for about a month, hackers had access to computers "of at least 10 federal ministers including the Prime Minister, Foreign Minister and Defence Minister." That's not much of a surprise. What is odd is the statement that "Australian intelligence agencies were tipped off to the cyber-spy raid by US intelligence officials within the Central Intelligence Agency...

Mon, 11 Apr 2011 18:20:35 UTC

New French Law Reduces Website Security

Posted By Bruce Schneier

I didn't know about this: The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded. Police, the fraud office, customs, tax and social security bodies...

Mon, 11 Apr 2011 11:33:50 UTC

The CIA and Assassinations

Posted By Bruce Schneier

The former CIA general counsel, John A. Rizzo, talks about his agency's assassination program, which has increased dramatically under the Obama administration: The hub of activity for the targeted killings is the CIA's Counterterrorist Center, where lawyers -- there are roughly 10 of them, says Rizzo -- write a cable asserting that an individual poses a grave threat to the United States....

Fri, 08 Apr 2011 21:08:44 UTC

Friday Squid Blogging: A New Book About Squid

Posted By Bruce Schneier

Wendy Williams, Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. Kraken is the traditional name for gigantic sea monsters, and this book introduces one of the most charismatic, enigmatic, and curious inhabitants of the sea: the squid. The pages take the reader on a wild narrative ride through the world of squid science and adventure, along the way...

Fri, 08 Apr 2011 18:23:27 UTC

Get Your Terrorist Alerts on Facebook and Twitter

Posted By Bruce Schneier

Colors are so last decade: The U.S. government's new system to replace the five color-coded terror alerts will have two levels of warnings -- elevated and imminent -- that will be relayed to the public only under certain circumstances for limited periods of time, sometimes using Facebook and Twitter, according to a draft Homeland Security Department plan obtained by The...

Fri, 08 Apr 2011 11:22:20 UTC

Pinpointing a Computer to Within 690 Meters

Posted By Bruce Schneier

This is impressive, and scary: Every computer connected to the web has an internet protocol (IP) address, but there is no simple way to map this to a physical location. The current best system can be out by as much as 35 kilometres. Now, Yong Wang, a computer scientist at the University of Electronic Science and Technology of China in...

Thu, 07 Apr 2011 18:10:52 UTC

Detecting Cheaters

Posted By Bruce Schneier

Our brains are specially designed to deal with cheating in social exchanges. The evolutionary psychology explanation is that we evolved brain heuristics for the social problems that our prehistoric ancestors had to deal with. Once humans became good at cheating, they then had to become good at detecting cheating -- otherwise, the social group would fall apart. Perhaps the most...

Thu, 07 Apr 2011 11:29:48 UTC

Optical Stun Ray

Posted By Bruce Schneier

It's been patented; no idea if it actually works. ...newly patented device can render an assailant helpless with a brief flash of high-intensity light. It works by overloading the neural networks connected to the retina, saturating the target's world in a blinding pool of white light. "It's the inverse of blindness–the technical term is a loss of contrast sensitivity," says...

Wed, 06 Apr 2011 11:03:42 UTC

Counterterrorism Security Cost-Benefit Analysis

Posted By Bruce Schneier

"Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security," by John Mueller and Mark Stewart: Abstract: The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus...

Tue, 05 Apr 2011 17:58:21 UTC

Epsilon Hack

Posted By Bruce Schneier

I have no idea why the Epsilon hack is getting so much press. Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks. So what? These sorts of breaches happen all the time, and...

Tue, 05 Apr 2011 13:46:28 UTC

Reducing Bribery by Legalizing the Giving of Bribes

Posted By Bruce Schneier

Here's some very clever thinking from India's chief economic adviser. In order to reduce bribery, he proposes legalizing the giving of bribes: Under the current law, discussed in some detail in the next section, once a bribe is given, the bribe giver and the bribe taker become partners in crime. It is in their joint interest to keep this fact...

Mon, 04 Apr 2011 14:18:06 UTC

Ebook Fraud

Posted By Bruce Schneier

Interesting post -- and discussion -- on Making Light about ebook fraud. Currently there are two types of fraud. The first is content farming, discussed in these two interesting blog posts. People are creating automatically generated content, web-collected content, or fake content, turning it into a book, and selling it on an ebook site like Amazon.com. Then they use multiple...

Fri, 01 Apr 2011 21:26:56 UTC

Friday Squid Blogging: Shower Squid

Posted By Bruce Schneier

Neat....

Fri, 01 Apr 2011 11:58:27 UTC

34 SCADA Vulnerabilities Published

Posted By Bruce Schneier

It's hard to tell how serious this is. Computer security experts who examined the code say the vulnerabilities are not highly dangerous on their own, because they would mostly just allow an attacker to crash a system or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems that directly control critical processes. But experts caution...

Thu, 31 Mar 2011 12:00:19 UTC

Comodo Group Issues Bogus SSL Certificates

Posted By Bruce Schneier

This isn't good: The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com. The certificates would have allowed the attacker to craft fake pages that would have...

Wed, 30 Mar 2011 18:48:27 UTC

FBI Asks for Cryptanalysis Help

Posted By Bruce Schneier

Could be interesting....

Wed, 30 Mar 2011 12:14:48 UTC

How Peer Review Doesn't Work

Posted By Bruce Schneier

In this amusing story of a terrorist plotter using pencil-and-paper cryptography instead of actually secure cryptography, there's this great paragraph: Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim also rejected the use of a sophisticated code program called "Mujhaddin Secrets", which implements all the AES candidate cyphers, "because 'kaffirs', or non-believers, know about it so it...

Tue, 29 Mar 2011 11:43:04 UTC

Federated Authentication

Posted By Bruce Schneier

New paper by Ross Anderson: "Can We Fix the Security Economics of Federated Authentication?": There has been much academic discussion of federated authentication, and quite some political manoeuvring about `e-ID'. The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC), is that a...

Mon, 28 Mar 2011 18:10:13 UTC

Detecting Liars

Posted By Bruce Schneier

Nice infographic....

Mon, 28 Mar 2011 11:08:41 UTC

Biliteral Ciphers

Posted By Bruce Schneier

Interesting article on William Friedman and biliteral ciphers....

Fri, 25 Mar 2011 21:15:15 UTC

Friday Squid Blogging: Squid Fabric Designs

Posted By Bruce Schneier

Some of these are actually nice....

Fri, 25 Mar 2011 17:22:47 UTC

Authenticating the Authenticators

Posted By Bruce Schneier

This is an interesting read: It was a question that changed his life, and changed mine, and may have changed -- even saved -- all of ours by calling attention to flaws in our nuclear command and control system at the height of the Cold War. It was a question that makes Maj. Hering an unsung hero of the nuclear...

Fri, 25 Mar 2011 11:38:05 UTC

Identifying Tor Users Through Insecure Applications

Posted By Bruce Schneier

Interesting research: "One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users": Abstract: Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over...

Thu, 24 Mar 2011 17:46:16 UTC

Detecting Words and Phrases in Encrypted VoIP Calls

Posted By Bruce Schneier

Interesting: Abstract: Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs. To...

Thu, 24 Mar 2011 12:37:25 UTC

Transmitting Data Through Steel

Posted By Bruce Schneier

This is cool: Tristan Lawry, doctoral candidate in electrical and computer engineering, has developed equipment which can transmit data at high rates through thick, solid steel or other barriers. Significantly, Lawry's kit also transmits power. One obvious application here would be transmission through the steel pressure hull of a submarine: at the moment such hulls must have hundreds of penetrations...

Wed, 23 Mar 2011 11:34:58 UTC

Threats vs. Vulnerabilities

Posted By Bruce Schneier

I found this article on the difference between threats and vulnerabilities to be very interesting. I like his taxonomy....

Tue, 22 Mar 2011 12:12:29 UTC

Folk Models in Home Computer Security

Posted By Bruce Schneier

This is a really interesting paper: "Folk Models of Home Computer Security," by Rick Wash. It was presented at SOUPS, the Symposium on Usable Privacy and Security, last year. Abstract: Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and...

Mon, 21 Mar 2011 17:57:44 UTC

Times Square Video Screen Hacked with an iPhone

Posted By Bruce Schneier

I didn't post about it when I first saw it because I suspected a hoax. Turns out, I was right. It wasn't even two guys faking hacking a Times Square video screen. It was a movie studio faking two guys faking hacking a Times Square video screen....

Mon, 21 Mar 2011 11:52:45 UTC

RSA Security, Inc Hacked

Posted By Bruce Schneier

The company, not the algorithm. Here's the corporate spin. Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at...

Sat, 19 Mar 2011 14:12:31 UTC

Zombie Fungus

Posted By Bruce Schneier

The security connection is pretty tenuous, so I figured I'd blog this on a Saturday. Once it infects an ant, the fungus uses as-yet-unidentified chemicals to control the ant's behavior, Hughes told LiveScience. It directs the ant to leave its colony (a very un-ant-like thing to do) and bite down on the underside of a leaf – the ant's soon-to-be...

Thu, 17 Mar 2011 11:50:21 UTC

Hacking ATM Users by Gluing Down Keys

Posted By Bruce Schneier

Clever hack: The thieves glue down the "enter," "cancel" and "clear" buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account. The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use...

Wed, 16 Mar 2011 11:14:07 UTC

Hacking Cars with MP3 Files

Posted By Bruce Schneier

Impressive research: By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car....

Mon, 14 Mar 2011 10:04:45 UTC

Using Language Patterns to Identify Anonymous E-Mail

Posted By Bruce Schneier

Interesting research. It only works when there's a limited number of potential authors: To test the accuracy of their technique, Fung and his colleagues examined the Enron Email Dataset, a collection which contains over 200,000 real-life emails from 158 employees of the Enron Corporation. Using a sample of 10 emails written by each of 10 subjects (100 emails in all),...

Fri, 11 Mar 2011 19:11:52 UTC

Video Interview with Me

Posted By Bruce Schneier

This three-part video interview with me was conducted at the RSA Conference last month....

Fri, 11 Mar 2011 12:06:56 UTC

FBI and the Future of Wiretapping

Posted By Bruce Schneier

Last month I posted Susan Landau's testimony before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security on government eavesdropping. In fairness to the other side, here's testimony of Valerie Caproni, General Counsel of the FBI....

Thu, 10 Mar 2011 12:05:26 UTC

Full Body Scanners

Posted By Bruce Schneier

Wired.com has a good three-part story on full-body scanners....

Wed, 09 Mar 2011 12:38:09 UTC

Malware as Job Security

Posted By Bruce Schneier

A programmer installed malware into the Whack-a-Mole arcade game as a form of job security. It didn't work....

Tue, 08 Mar 2011 12:35:34 UTC

Criminals Stealing Cars by Calling Tow Trucks

Posted By Bruce Schneier

It's a clever hack, but an old problem: the authentication in these sorts of normal operations isn't good enough to prevent abuse....

Mon, 07 Mar 2011 12:47:52 UTC

Recently Declassified NSA History Document

Posted By Bruce Schneier

"American Cryptography During the Cold War 1945-1989; Book IV: Cryptologic Rebirth 1981-1989." Document was first declassified in 2009. Here are some newly declassified pages....

Fri, 04 Mar 2011 22:36:05 UTC

Friday Squid Blogging: Giant Squid Washes Ashore

Posted By Bruce Schneier

A giant squid washed ashore in New South Wales....

Fri, 04 Mar 2011 13:07:17 UTC

Interesting Research in Using Animals to Detect Substances

Posted By Bruce Schneier

Fascinating research summarized in The Economist. Basically, detecting dogs respond to unconscious cues from their handlers, and generate false alarms because of them. It makes sense, as dogs are so attuned to humans. I'll bet bomb-sniffing bees don't make the same mistakes....

Thu, 03 Mar 2011 12:35:09 UTC

Pickpockets are a Dying Breed

Posted By Bruce Schneier

Pickpockets in America are dying out. This is the bit I found interesting: And perhaps most important, the centuries-old apprenticeship system underpinning organized pickpocketing has been disrupted. Pickpocketing has always perpetuated itself by having older hooks -- nicknamed "Fagins," after the crime boss in Oliver Twist -- teach younger ones the art, and then absorbing them into canons. But due...

Wed, 02 Mar 2011 13:53:24 UTC

NIST SHA-3 News

Posted By Bruce Schneier

NIST has finally published its rationale for selecting the five finalists....

Tue, 01 Mar 2011 12:29:40 UTC

Erasing Data from Flash Drives

Posted By Bruce Schneier

"Reliably Erasing Data From Flash-Based Solid State Drives," by Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. Abstract: Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture,...

Mon, 28 Feb 2011 11:58:38 UTC

Anonymous vs HBGary

Posted By Bruce Schneier

One of the effects of writing a book is that I don't have the time to devote to other writing. So while I've been wanting to write about Anonymous vs HBGary, I don't think I will have time. Here's an excellent series of posts on the topic from ArsTechnica. In cyberspace, the balance of power is on the side of...

Fri, 25 Feb 2011 22:00:13 UTC

Friday Squid Blogging: Squid Tattoo

Posted By Bruce Schneier

Impressive, even if it isn't real....

Fri, 25 Feb 2011 21:17:12 UTC

Interview with Me

Posted By Bruce Schneier

I was interviewed on chomp.fm....

Fri, 25 Feb 2011 12:14:14 UTC

HBGary and the Future of the IT Security Industry

Posted By Bruce Schneier

This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not the tactics or the politics, but what HBGary demonstrates about the IT security industry. But I think the real lesson of the hack - and of the revelations that followed it - is that the IT security industry, having finally gotten the attention of law makers,...

Thu, 24 Feb 2011 12:44:14 UTC

Good Article About the Terrorist Non-Threat

Posted By Bruce Schneier

From Reason: Know thy enemy is an ancient principle of warfare. And if America had heeded it, it might have refrained from a full-scale "war" on terrorism whose price tag is touching $2 TRILLION. That's because the Islamist enemy it is confronting is not some hyper-power capable of inflicting existential -- or even grave -- harm. It is, rather, a...

Wed, 23 Feb 2011 11:53:29 UTC

Susan Landau on Government Surveillance of the Internet

Posted By Bruce Schneier

Excellent House testimony....

Tue, 22 Feb 2011 13:21:30 UTC

Terrorist-Catching Con Man

Posted By Bruce Schneier

Interesting story about a con man who conned the U.S. government, and how the government is trying to hide its dealings with him. For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths...

Fri, 18 Feb 2011 22:17:39 UTC

Friday Squid Blogging: Research into Squid Hearing

Posted By Bruce Schneier

Interesting: Squid can hear, scientists have confirmed. But they don't detect the changes in pressure associated with sound waves, like we do. They have another, more primitive, technique for listening: They sense the motion generated by sound waves. [...] Squid have two sac-like organs called statocysts near the base of their brains. Hair cells line the sac and project into...

Fri, 18 Feb 2011 19:45:23 UTC

Biometric Wallet

Posted By Bruce Schneier

Not an electronic wallet, a physical one: Virtually indestructible, the dunhill Biometric Wallet will open only with touch of your fingerprint. It can be linked via Bluetooth to the owner's mobile phone -- sounding an alarm if the two are separated by more than 5 metres! This provides a brilliant warning if either the phone or wallet is stolen or...

Fri, 18 Feb 2011 12:22:35 UTC

NIST Defines New Versions of SHA-512

Posted By Bruce Schneier

NIST has just defined two new versions of SHA-512. They're SHA-512/224 and SHA-512/256: 224- and 256-bit truncations of SHA-512 with a new IV. They've done this because SHA-512 is faster than SHA-256 on 64-bit CPUs, so these new SHA variants will be faster. This is a good thing, and exactly what we did in the design of Skein. We defined...
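As an added example (not code from Schneier's post, from Skein, or from NIST's specification), here is a pure-Python SHA-512 whose IV and round constants are derived from the FIPS 180-4 definitions (fractional parts of square and cube roots of the first primes), together with the SHA-512/t IV-generation step, to show that SHA-512/256 is not simply the first 256 bits of a SHA-512 digest. The function names and the constructed input b"abc" are the example's own; the digests it is checked against are the published NIST example vectors.

```python
import math
import struct

MASK64 = (1 << 64) - 1


def _first_primes(n):
    """First n primes; FIPS 180-4 derives the SHA-512 constants from them."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes if p * p <= c):
            primes.append(c)
        c += 1
    return primes


def _icbrt(n):
    """Floor of the integer cube root of n (Newton's method from above, then exact fix-up)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x * x * x > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


_PRIMES = _first_primes(80)
# IV words: fractional part of sqrt(first 8 primes); round constants: fractional part
# of cbrt(first 80 primes); each taken as 64 bits (floor(frac(root) * 2**64)).
SHA512_IV = tuple(math.isqrt(p << 128) & MASK64 for p in _PRIMES[:8])
K = tuple(_icbrt(p << 192) & MASK64 for p in _PRIMES)


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _compress(state, block):
    """One SHA-512 compression of a 128-byte block into the 8-word state."""
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):
        s0 = _rotr(w[i - 15], 1) ^ _rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = _rotr(w[i - 2], 19) ^ _rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state
    for i in range(80):
        t1 = (h + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK64
        t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK64, a, b, c, (d + t1) & MASK64, e, f, g
    return tuple((s + v) & MASK64 for s, v in zip(state, (a, b, c, d, e, f, g, h)))


def _sha512_with_iv(data, iv):
    """SHA-512 padding plus compression over `data`, starting from the given IV."""
    bit_len = len(data) * 8
    data = data + b"\x80"
    data += b"\x00" * ((112 - len(data)) % 128)   # pad to 112 mod 128 bytes
    data += bit_len.to_bytes(16, "big")           # 128-bit big-endian length
    state = iv
    for off in range(0, len(data), 128):
        state = _compress(state, data[off:off + 128])
    return b"".join(s.to_bytes(8, "big") for s in state)


def sha512(data):
    return _sha512_with_iv(data, SHA512_IV)


def sha512_t_iv(t):
    """IV generation for SHA-512/t (FIPS 180-4, 5.3.6): SHA-512 of the ASCII string
    "SHA-512/t", computed with every SHA-512 IV word XORed with 0xa5a5...a5."""
    gen_iv = tuple(s ^ 0xA5A5A5A5A5A5A5A5 for s in SHA512_IV)
    digest = _sha512_with_iv(("SHA-512/%d" % t).encode("ascii"), gen_iv)
    return struct.unpack(">8Q", digest)


def sha512_t(data, t):
    """SHA-512/t: SHA-512 run from the t-specific IV, output truncated to t bits."""
    return _sha512_with_iv(data, sha512_t_iv(t))[: t // 8]


def naive_truncation(data, t):
    """What SHA-512/t is NOT: plain SHA-512 cut down to t bits."""
    return sha512(data)[: t // 8]


if __name__ == "__main__":
    msg = b"abc"   # constructed sample input
    print("SHA-512      ", sha512(msg).hex())
    print("SHA-512/256  ", sha512_t(msg, 256).hex())
    print("SHA-512[:256]", naive_truncation(msg, 256).hex())
```

The distinct IV is what gives the truncated variants domain separation: a SHA-512 digest of a message cannot be cut down to produce its SHA-512/256 digest, and because only half of the final state leaves the function, the truncated variants also do not suffer from the length-extension property of plain SHA-512 and SHA-256.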

Thu, 17 Feb 2011 14:38:40 UTC

Historical Study of the NSA Scientific Advisory Board

Posted By Bruce Schneier

Recently declassified: "Historical Study: The National Security Agency Scientific Advisory Board 1952-1963."...

Wed, 16 Feb 2011 12:26:16 UTC

Romanian Hackers

Posted By Bruce Schneier

Interesting article from Wired: "How a Remote Town in Romania Has Become Cybercrime Central."...

Tue, 15 Feb 2011 19:11:39 UTC

The Seven Types of Hackers

Posted By Bruce Schneier

Roger Grimes has an article describing "the seven types of malicious hackers." I generally like taxonomies, and this one is pretty good. He says the seven types are: Cyber criminals Spammers and adware spreaders Advanced persistent threat (APT) agents Corporate spies Hactivists Cyber warriors Rogue hackers...

Tue, 15 Feb 2011 11:43:03 UTC

Societal Security

Posted By Bruce Schneier

Humans have a natural propensity to trust non-kin, even strangers. We do it so often, so naturally, that we don't even realize how remarkable it is. But except for a few simplistic counterexamples, it's unique among life on this planet. Because we are intelligently calculating and value reciprocity (that is, fairness), we know that humans will be honest and nice:...

Mon, 14 Feb 2011 12:37:24 UTC

Credit Card Fraud Ring

Posted By Bruce Schneier

It amazes me that credit card fraud is so easy that you can run it from prison....

Fri, 11 Feb 2011 22:52:48 UTC

Friday Squid Blogging: Squid Pheromone

Posted By Bruce Schneier

A newly discovered female squid pheromone sparks aggression in male squids. Article....

Fri, 11 Feb 2011 18:48:54 UTC

Julian Sanchez on Balancing Privacy and Security

Posted By Bruce Schneier

From a blog post: In my own area of study, the familiar trope of "balancing privacy and security" is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of "balancing" leads people to view them as always in conflict. This is, I suspect, the...

Fri, 11 Feb 2011 13:05:19 UTC

How Feed-Over-Email Circumvents Chinese Censorship

Posted By Bruce Schneier

Neat article, both the technology and the hacker who created it....

Thu, 10 Feb 2011 12:42:18 UTC

Hacking Scratch Lottery Tickets

Posted By Bruce Schneier

Design failure means you can pick winning tickets before scratching the coatings off. Most interesting is that there's statistical evidence that this sort of attack has been occurring in the wild: not necessarily this particular attack, but some way to separate winners from losers without voiding the tickets. Since this article was published in Wired, another technique of hacking scratch...

Wed, 09 Feb 2011 17:39:01 UTC

Bomb-Sniffing Mice

Posted By Bruce Schneier

I was interviewed for this story on a mouse-powered explosives detector. Animal senses are better than any detection machine current technology can build, which makes it a good idea. But the challenges of using animals in this sort of situation are considerable. The neat thing about the technology profiled in the article, which the article didn't make as clear as...

Tue, 08 Feb 2011 11:46:46 UTC

Micromorts

Posted By Bruce Schneier

I'd never heard the term "micromort" before. It's a probability: a one-in-a-million probability of death. For example, one-micromort activities are "travelling 230 miles (370 km) by car (accident)," and "living 2 days in New York or Boston (air pollution)." I don't know if that data is accurate; it's from the Wikipedia entry. In any case, I think it's a useful...

Mon, 07 Feb 2011 14:45:31 UTC

Scareware: How Crime Pays

Posted By Bruce Schneier

Scareware is fraudulent software that uses deceptive advertising to trick users into believing they're infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn't real, and the software they buy is fake, too. It's all a scam. Here's one scareware operator who sold "more than 1 million software products" at "$39.95 or...

Fri, 04 Feb 2011 22:33:16 UTC

Friday Squid Blogging: Reducing Squid Odor

Posted By Bruce Schneier

Research from Japan: "Improvement of 'kurozukuri ika-shiokara' (fermented squid meat with ink) odor with Staphylococcus nepalensis isolated from the fish sauce mush of frigate mackerel Auxis rochei."...

Fri, 04 Feb 2011 19:35:37 UTC

UK Immigration Officer Puts Wife on the No-Fly List

Posted By Bruce Schneier

A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and -- during the routine background check -- someone investigated why his wife was on the no-fly list. Okay,...

Fri, 04 Feb 2011 12:00:05 UTC

Terrorist Targets of Choice

Posted By Bruce Schneier

This makes sense. Generally, militants prefer to attack soft targets where there are large groups of people, that are symbolic and recognizable around the world and that will generate maximum media attention when attacked. Some past examples include the World Trade Center in New York, the Taj Mahal Hotel in Mumbai and the London Underground. The militants' hope is that...

Thu, 03 Feb 2011 11:54:05 UTC

ATM Skimmer on Bank Door Lock

Posted By Bruce Schneier

This is a clever development in ATM skimming technology. It's a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it's an ATM skimmer that requires no modification to the ATM....

Wed, 02 Feb 2011 20:26:22 UTC

Hacking HTTP Status Codes

Posted By Bruce Schneier

One website can learn if you're logged into other websites. When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that...

Wed, 02 Feb 2011 12:42:30 UTC

Kip Hawley Comments on the Domodedovo Airport Bombing

Posted By Bruce Schneier

This is the first piece of writing I've seen from Kip Hawley since he left the TSA in 2009. It's mostly generalities and platitudes....

Tue, 01 Feb 2011 13:40:59 UTC

Me on Color-Coded Terrorist Threat Levels

Posted By Bruce Schneier

I wrote an op-ed for CNN.com on the demise of the color-coded terrorist threat level system. It's nothing I haven't said before, so I won't reprint it here. The best thing about the system was the jokes it inspired late-night comedians, and others, to make. In memoriam, people should post the funniest of those jokes here....

Mon, 31 Jan 2011 12:56:31 UTC

Jury Says it's Okay to Record the TSA

Posted By Bruce Schneier

The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges: [The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct. Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint...

Sat, 29 Jan 2011 13:45:49 UTC

Trojan Steals Credit Card Numbers

Posted By Bruce Schneier

It's only a proof of concept, but it's scary nonetheless. It's a Trojan for Android phones that looks for credit-card numbers, either typed or spoken, and relays them back to its controller. Software released for Android devices has to request permissions for each system function it accesses -- with apps commonly requesting access to the network, phone call functionality, internal and external...

Fri, 28 Jan 2011 21:15:44 UTC

Domodedovo Airport Bombing

Posted By Bruce Schneier

I haven't written anything about the suicide bombing at Moscow's Domodedovo Airport because I didn't think there was anything to say. The bomber was outside the security checkpoint, in the area where family and friends wait for arriving passengers. From a security perspective, the bombing had nothing to do with airport security. He could have just as easily been in...

Fri, 28 Jan 2011 19:40:05 UTC

$100 to Put a Bomb on an Airplane

Posted By Bruce Schneier

An undercover TSA agent successfully bribed a JetBlue ticket agent to check a suitcase under a random passenger's name and put it on an airplane. As with a lot of these tests, I'm not that worried because it's not a reliable enough tactic to build a plot around. But untrustworthy airline personnel -- or easily bribeable airline personnel -- could be...

Fri, 28 Jan 2011 11:02:05 UTC

Whitelisting vs. Blacklisting

Posted By Bruce Schneier

The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier...

Thu, 27 Jan 2011 19:11:01 UTC

Security Theater, Illustrated

Posted By Bruce Schneier

Security theater, illustrated....

Thu, 27 Jan 2011 12:22:15 UTC

U.S. Strategy to Prevent Leaks is Leaked

Posted By Bruce Schneier

As the article says, it doesn't get any more ironic than that. More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet. Me: I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between...

Wed, 26 Jan 2011 19:42:55 UTC

Security Theater in the Theater

Posted By Bruce Schneier

This is a bit surreal: Additional steps are needed to prepare Broadway theaters in New York City for a potential WMD attack or other crisis, a New York state legislature subcommittee said yesterday. [...] Broadway district personnel did not know "what to do in case of an emergency as well as the unique problems that a theater workplace poses in...

Wed, 26 Jan 2011 12:28:08 UTC

Unsecured IP Security Cameras

Posted By Bruce Schneier

It's amazing how many security cameras are on the Internet, accessible by anyone. And it's not just for viewing; a lot of these cameras can be reprogrammed by anyone....

Tue, 25 Jan 2011 19:40:21 UTC

Bioencryption

Posted By Bruce Schneier

A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage. Another article: They have also developed a three-tier security fence to encode the data, which...

Tue, 25 Jan 2011 12:16:14 UTC

REAL-ID Implementation

Posted By Bruce Schneier

According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud. States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer...

Mon, 24 Jan 2011 19:20:39 UTC

Hacking Tamper-Evident Devices

Posted By Bruce Schneier

At the Black Hat conference last week, Jamie Schwettmann and Eric Michaud presented some great research on hacking tamper-evident seals. Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors,...

Mon, 24 Jan 2011 12:15:09 UTC

Brute-Force Safecracking

Posted By Bruce Schneier

This safecracking robot tries every possible combination, one after another: Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination "forbidden zones", we reduced the number of possible combinations by about an order of magnitude. Opening the safe took "just a few hours." Along the same lines, here's a Lego robot that...

Fri, 21 Jan 2011 20:36:56 UTC

Blowfish in Good Time Max

Posted By Bruce Schneier

This screen shot is from the movie "Good Time Max." 17 minutes and 52 seconds into the movie, it shows Blowfish being used as an encryption algorithm....

Fri, 21 Jan 2011 17:59:23 UTC

Cyberwar is Overhyped

Posted By Bruce Schneier

A new report from the OECD says the threat of cyberwar has been grossly exaggerated. (Hey, that's what I said.) There are lots of news articles. Also worth reading is this article on cyberwar hype and how it isn't serving our national interests, with some good policy guidelines....

Fri, 21 Jan 2011 11:31:04 UTC

The Legality of the Certificate Authority Trust Model

Posted By Bruce Schneier

Interesting research: We looked at the standard legal documents issued by the certificate authorities or "CAs," including exemplar Subscriber Agreements (agreements between CAs and website operators); "Certification Practice Statements" (statements by CAs outlining their business practices); and Relying Party Agreements (purported agreements between CAs and "relying parties," such as end-users). What we found was surprising: "Relying Party Agreements" purport to...

Thu, 20 Jan 2011 19:39:58 UTC

Cost-Benefit Analysis of Full-Body Scanners

Posted By Bruce Schneier

Research paper from Mark Stewart and John Mueller: The Transportation Security Administration (TSA) has been deploying Advanced Imaging Technologies (AIT) that are full-body scanners to inspect a passenger's body for concealed weapons, explosives, and other prohibited items. The terrorist threat that AITs are primarily dedicated to is preventing the downing of a commercial airliner by an IED (Improvised Explosive Device)...

Thu, 20 Jan 2011 12:44:34 UTC

Do Corporations Have a Right to Privacy?

Posted By Bruce Schneier

This week, the U.S. Supreme Court will hear arguments about whether or not corporations have the same rights to "personal privacy" that individuals do. This is a good analysis of the case. I signed on to a "friend of the court" brief put together by EPIC, arguing that they do not. More background here. And an editorial from The Washington...

Wed, 19 Jan 2011 13:02:40 UTC

Odd Art Forger

Posted By Bruce Schneier

He's not in it for the money: Mr. Landis...has been one of the most prolific forgers American museums have encountered in years, writing, calling and presenting himself at their doors, where he tells well-concocted stories about his family's collection and donates small, expertly faked works, sometimes in honor of nonexistent relatives. Unlike most forgers, he does not seem to be...

Tue, 18 Jan 2011 12:29:06 UTC

Movie-Plot Threats at the U.S. Capitol

Posted By Bruce Schneier

This would make a great movie: Rep. Dan Burton, R-Ind., renewed his call for the installation of an impenetrable, see-through security shield around the viewing gallery overlooking the House floor. Burton points out that, while guns and some bombs would be picked up by metal detectors, a saboteur could get into the Capitol concealing plastic explosives. The House floor, he...

Mon, 17 Jan 2011 18:31:04 UTC

More Stuxnet News

Posted By Bruce Schneier

This long New York Times article includes some interesting revelations. The article claims that Stuxnet was a joint Israeli-American project, and that its effectiveness was tested on live equipment: "Behind Dimona's barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium." The worm itself now appears...

Mon, 17 Jan 2011 11:47:56 UTC

New Revelations in the Mahmoud al-Mabhouh Assassination

Posted By Bruce Schneier

I wrote a lot last year about the assassination of Mahmoud al-Mabhouh in Dubai. There's a new article by an Israeli investigative journalist that tells the story we already knew, and adds a bunch of interesting details. Well worth reading....

Fri, 14 Jan 2011 22:27:42 UTC

Friday Squid Blogging: Deep-Sea Squid Video

Posted By Bruce Schneier

"Anthology of Deep-Sea Squids," from the Monterey Bay Aquarium....

Fri, 14 Jan 2011 20:11:07 UTC

Me on Airport Security

Posted By Bruce Schneier

Last week, I spoke at an airport security conference hosted by EPIC: The Stripping of Freedom: A Careful Scan of TSA Security Procedures. Here's the video of my half-hour talk....

Fri, 14 Jan 2011 17:03:23 UTC

Loaded Gun Slips Past TSA

Posted By Bruce Schneier

I'm not really worried about mistakes like this. Sure, a gun slips through occasionally, and a knife slips through even more often. (I'm sure the TSA doesn't catch 100% of all bombs in tests, either.) But these items are caught by the TSA often enough, and when the TSA does catch someone, they're going to call the police and totally...

Fri, 14 Jan 2011 13:07:26 UTC

Surviving a Terrorist's Nuclear Attack

Posted By Bruce Schneier

Interesting reading, mostly for the probable effects of a terrorist-sized nuclear bomb. A terrorist bomb is likely to be relatively small -- possibly only a fraction of the Hiroshima bomb's explosive power -- and likely exploded at ground level. This means that the area totally destroyed by the explosion is likely to be much smaller than the area exposed to...

Thu, 13 Jan 2011 18:54:53 UTC

Stealing SIM Cards from Traffic Lights

Posted By Bruce Schneier

Johannesburg installed hundreds of networked traffic lights on its streets. The lights use a cellular modem and a SIM card to communicate. Those lights introduced a security risk I'll bet no one gave a moment's thought to: that criminals might steal the SIM cards from the traffic lights and use them to make free phone calls. But that's exactly what...

Thu, 13 Jan 2011 14:00:12 UTC

The Security Threat of Forged Law-Enforcement Credentials

Posted By Bruce Schneier

Here's a U.S. Army threat assessment of forged law-enforcement credentials. The authors bought a bunch of fake badges: Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense's military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air...

Wed, 12 Jan 2011 12:59:19 UTC

Attacking High-Frequency Trading Networks

Posted By Bruce Schneier

Turns out you can make money by manipulating the network latency. cPacket has developed a proof of concept showing that these side-channel attacks can be used to create tiny delays in the transmission of market data and trades. By manipulating specific trading activities by several microseconds, an attacker could gain unfair trading advantage. And because the operation occurs outside the...

Tue, 11 Jan 2011 13:47:25 UTC

"Homeland Security Hasn't Made Us Safer"

Posted By Bruce Schneier

This will be nothing new to readers of this blog, but it's nice to read other people saying it too....

Mon, 10 Jan 2011 13:04:51 UTC

James Fallows on Political Shootings

Posted By Bruce Schneier

Interesting: So the train of logic is: anything that can be called an "assassination" is inherently political; very often the "politics" are obscure, personal, or reflecting mental disorders rather than "normal" political disagreements. But now a further step, the political tone of an era can have some bearing on violent events. The Jonestown/Ryan and Fromme/Ford shootings had no detectable source...

Fri, 07 Jan 2011 22:08:13 UTC

Friday Squid Blogging: Biggest Squid Ever

Posted By Bruce Schneier

It's an oil field: Brazil's state-run Petrobras confirmed Wednesday that oil fields recently discovered offshore contained 8.3 billion barrels of recoverable crude and gas -- and said the biggest field was being renamed "Lula." That nomenclature happens to be the nickname of President Luiz Inacio Lula da Silva, who steps down on Saturday after overseeing eight years of prosperity in...

Fri, 07 Jan 2011 12:30:54 UTC

The Social Dynamics of Terror

Posted By Bruce Schneier

Good essay: Nineteenth-century anarchists promoted what they called the "propaganda of the deed," that is, the use of violence as a symbolic action to make a larger point, such as inspiring the masses to undertake revolutionary action. In the late 1960s and early 1970s, modern terrorist organizations began to conduct operations designed to serve as terrorist theater, an undertaking greatly...

Thu, 06 Jan 2011 19:13:34 UTC

SMS of Death

Posted By Bruce Schneier

This will be hard to fix: Using only Short Message Service (SMS) communications -- messages that can be sent between mobile phones -- a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run...

Thu, 06 Jan 2011 11:52:23 UTC

Sony PS3 Security Broken

Posted By Bruce Schneier

Sony used an ECDSA signature scheme to protect the PS3. Trouble is, they didn't pay sufficient attention to their random number generator....

Wed, 05 Jan 2011 12:20:05 UTC

Eavesdropping on GSM Calls

Posted By Bruce Schneier

It's easy and cheap: Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network "sniffers," a laptop computer, and a variety of open source software. The encryption is lousy: Several of the individual...

Tue, 04 Jan 2011 15:34:58 UTC

Guard Towers at WalMart

Posted By Bruce Schneier

This feels very creepy and police-state-like. What on earth could WalMart be worried about?...

Mon, 03 Jan 2011 15:07:27 UTC

Polar Bears Destroying Hidden Cameras

Posted By Bruce Schneier

Watch the video. What valuable security lessons does this teach? EDITED TO ADD (1/3): And why aren't the polar bears destroying the hidden cameras that are filming the polar bears destroying the hidden cameras?...

Fri, 31 Dec 2010 22:08:41 UTC

Friday Squid Blogging: Research into Squid Skin

Posted By Bruce Schneier

DoD awarded a $6M grant to study squid skin: "Our internal nickname for this project is 'squid skin,' but it is really about fundamental research," said Naomi Halas, a nano-optics pioneer at Rice and the principal investigator on the four-year grant. "Our deliverable is knowledge -- the basic discoveries that will allow us to make materials that are observant, adaptive...

Fri, 31 Dec 2010 12:14:21 UTC

Tor Routers

Posted By Bruce Schneier

Home routers that automatically run Tor....

Thu, 30 Dec 2010 12:55:10 UTC

Civil War Message Decoded

Posted By Bruce Schneier

Interesting....

Wed, 29 Dec 2010 17:09:45 UTC

TSA Inspecting Thermoses

Posted By Bruce Schneier

This is new: Adm. James Winnefeld told The Associated Press Friday that the Transportation Security Administration is "always trying to think ahead." Winnefeld is the head of the U.S. Northern Command, which is charged with protecting the homeland. TSA officials had said Thursday that in coming days, passengers flying within and to the U.S. may notice additional security measures related...

Tue, 28 Dec 2010 18:52:53 UTC

Terrorism Reading List

Posted By Bruce Schneier

Interesting interview, discussing five books (none of which I've read, by the way)....

Mon, 27 Dec 2010 19:04:19 UTC

An Honest Privacy Policy

Posted By Bruce Schneier

Funny: The data we collect is strictly anonymous, unless you've been kind enough to give us your name, email address, or other identifying information. And even if you have been that kind, we promise we won't sell that information to anyone else, unless of course our impossibly obtuse privacy policy says otherwise and/or we change our minds tomorrow. There's a...

Mon, 27 Dec 2010 12:12:29 UTC

This Suspicious Photography Stuff Is Confusing

Posted By Bruce Schneier

See: Last week, Metro Transit Police received a report from a rider about suspicious behavior at the L'Enfant Plaza station and on an Orange Line train to Vienna. The rider told Metro he saw two men acting suspiciously and videotaping platforms, trains and riders. "The men, according to the citizen report, were trying to be inconspicuous, holding the cameras at...

Sat, 25 Dec 2010 12:51:25 UTC

Garfield Comic

Posted By Bruce Schneier

Merry Christmas....

Fri, 24 Dec 2010 22:50:51 UTC

Friday Squid Blogging: Great Flying Squid Photo

Posted By Bruce Schneier

Great photo....

Fri, 24 Dec 2010 22:29:44 UTC

Friday Squid Blogging: Squid Nativity

Posted By Bruce Schneier

Merry Christmas....

Fri, 24 Dec 2010 19:14:25 UTC

PlugBot

Posted By Bruce Schneier

Interesting: PlugBot is a hardware bot. It's a covert penetration testing device designed for use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected all the while powerful enough to scan, collect and deliver test results externally. How do you use it? Gain access to...

Fri, 24 Dec 2010 11:39:59 UTC

Cyberwar Movie Plot from an Actual Thriller Writer

Posted By Bruce Schneier

It could make a good movie....

Thu, 23 Dec 2010 11:59:55 UTC

Interview with the European Union Privacy Chief

Posted By Bruce Schneier

Interesting interview with Viviane Reding, the vice president of the EU Justice Commission and head of privacy regulation: The basic values in Europe are that we have the right to our own private, personal data. It's mine. And if one agrees to give that data, then it is available. That is known as opt-in consent and we've had that as law...

Wed, 22 Dec 2010 13:15:23 UTC

Adam Shostack on TSA Threat Modeling

Posted By Bruce Schneier

Good commentary: I've said before and I'll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I've commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions....

Tue, 21 Dec 2010 19:39:09 UTC

Recording the Police

Posted By Bruce Schneier

I've written a lot on the "War on Photography," where normal people are harassed as potential terrorists for taking pictures of things in public. This article is different; it's about recording the police: Allison's predicament is an extreme example of a growing and disturbing trend. As citizens increase their scrutiny of law enforcement officials through technologies such as cell phones,...

Tue, 21 Dec 2010 13:23:24 UTC

Book Review: Cyber War

Posted By Bruce Schneier

Cyber War: The Next Threat to National Security and What to do About It by Richard Clarke and Robert Knake, HarperCollins, 2010. Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they'd understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there's...

Mon, 20 Dec 2010 17:48:52 UTC

Computational Forensics

Posted By Bruce Schneier

Interesting article from IEEE Spectrum: During two years of deliberation by the National Academy's forensic science committee (of which I was a member), a troubling picture emerged. A large part of current forensics practice is skill and art rather than science, and the influences present in a typical law-enforcement setting are not conducive to doing the best science. Also, many...

Mon, 20 Dec 2010 11:55:53 UTC

"Architecture of Fear"

Posted By Bruce Schneier

I like the phrase: Németh said the zones not only affect the appearance of landmark buildings but also reflect an 'architecture of fear' as evidenced, for example, by the bunker-like appearance of embassies and other perceived targets. Ultimately, he said, these places impart a dual message -- simultaneously reassuring the public while causing a sense of unease. And in the...

Fri, 17 Dec 2010 22:48:14 UTC

Friday Squid Blogging: Prosthetic Tentacle

Posted By Bruce Schneier

Impressive: Designed for a class project while getting her degree at the Industrial Design Department at the University of Washington, Kaylene Kau has not only exploded perceptions of how prosthetic arms should look, but sent an entire subset of Japanese Hentai fans to their feet, cheering her on. If that's not worth an employer's attention, I don't know what is....

Fri, 17 Dec 2010 20:13:59 UTC

Hiding PETN from Full-Body Scanners

Posted By Bruce Schneier

From the Journal of Transportation Security, "An evaluation of airport x-ray backscatter units based on image characteristics," by Leon Kaufman and Joseph W. Carlson: Abstract: Little information exists on the performance of x-ray backscatter machines now being deployed through UK, US and other airports. We implement a Monte Carlo simulation using as input what is known about the x-ray spectra...

Fri, 17 Dec 2010 16:49:07 UTC

Did the FBI Plant Backdoors in OpenBSD?

Posted By Bruce Schneier

It has been accused of it. I doubt this is true. One, it's a very risky thing to do. And two, there are more than enough exploitable security vulnerabilities in a piece of code that large. Finding and exploiting them is a much better strategy than planting them. But maybe someone at the FBI is that dumb. Further information is...

Fri, 17 Dec 2010 12:28:05 UTC

Fake Amazon Receipt Generators

Posted By Bruce Schneier

They can be used to scam Amazon Marketplace merchants: What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here...

Thu, 16 Dec 2010 12:27:09 UTC

Security in 2020

Posted By Bruce Schneier

There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against something. In the next 10 years, the traditional definition of IT security -- that it protects you from hackers, criminals, and other bad guys -- will undergo a radical shift. Instead of protecting you from the bad guys,...

Wed, 15 Dec 2010 12:14:19 UTC

Open Source Digital Forensics

Posted By Bruce Schneier

A good resource....

Tue, 14 Dec 2010 19:12:10 UTC

Realistic Masks

Posted By Bruce Schneier

They're causing problems: A white bank robber in Ohio recently used a "hyper-realistic" mask manufactured by a small Van Nuys company to disguise himself as a black man, prompting police there to mistakenly arrest an African American man for the crimes. In October, a 20-year-old Chinese man who wanted asylum in Canada used one of the same company's masks to...

Tue, 14 Dec 2010 11:35:04 UTC

Evan Kohlmann

Posted By Bruce Schneier

Interesting profile of Evan Kohlmann: Evan Kohlmann spends his days lurking in the darkest corners of the Internet, where jihadists recruit sympathizers from across the globe. He has testified in over two dozen terrorism trials -- and sees danger everywhere he looks. Is he prescient or naïve?...

Mon, 13 Dec 2010 20:02:47 UTC

Proprietary Encryption in Car Immobilizers Cracked

Posted By Bruce Schneier

This shouldn't be a surprise: Karsten Nohl's assessment of dozens of car makes and models found weaknesses in the way immobilisers are integrated with the rest of the car's electronics. The immobiliser unit should be connected securely to the vehicle's electronic engine control unit, using the car's internal data network. But these networks often use weaker encryption than the immobiliser...

Mon, 13 Dec 2010 20:01:29 UTC

Sometimes CCTV Cameras Work

Posted By Bruce Schneier

Sex attack caught on camera. Hamilton police have arrested two men after a sex attack on a woman early today was caught on the city's closed circuit television (CCTV) cameras. CCTV operators contacted police when they became concerned about the safety of a woman outside an apartment block near the intersection of Victoria and Collingwood streets about 5am today. Remember,...

Mon, 13 Dec 2010 12:42:21 UTC

CRB Check Backlash

Posted By Bruce Schneier

Against stupid CRB checks: Last January, Annabel Hayter, chairwoman of Gloucester Cathedral Flower Guild, received an email saying that she and her 60 fellow flower arrangers would have to undergo a CRB check. CRB stands for Criminal Records Bureau, and a CRB check is a time-consuming, sometimes expensive, pretty much always pointless vetting procedure that you must go through if...

Sun, 12 Dec 2010 18:27:06 UTC

Interview with TSA Administrator John Pistole

Posted By Bruce Schneier

He's more realistic than one normally hears: So if they get through all those defenses, they get to Reagan [National Airport] over here, and they've got an underwear bomb, they got a body cavity bomb -- what's reasonable to expect TSA to do? Hopefully our behavior detection people will see somebody sweating, or they're dancing on their shoes or something,...

Fri, 10 Dec 2010 22:24:35 UTC

Friday Squid Blogging: Glowing Squid

Posted By Bruce Schneier

Recent research. And an older video....

Fri, 10 Dec 2010 20:11:59 UTC

New TSA Security Test

Posted By Bruce Schneier

I experienced a new TSA security check at Phoenix Airport last Thursday. The agent took my over-three-ounce bottle of saline, put a drop of it on a white cardboard strip, and then put a drop of another liquid on top of that. Nothing changed color, and she let me go. Anyone know what the test is, and what it's testing...

Fri, 10 Dec 2010 18:04:18 UTC

NIST Announces SHA-3 Finalists (Skein is One of Them)

Posted By Bruce Schneier

Yesterday, NIST announced the five hash functions to advance to the third (and final) round in the SHA-3 selection process: BLAKE, Grøstl, JH, Keccak, and Skein. Not really a surprise; my predictions -- which I did not publish -- listed ECHO instead of JH, but correctly identified the other four. (Most of the predictions I saw guessed BLAKE, Grøstl, Keccak,...

Fri, 10 Dec 2010 12:22:59 UTC

Alternate Scanning Technologies

Posted By Bruce Schneier

Iscon uses infrared light rather than X-rays. I have no idea how well it works. And Rapiscan has a new patent: Abstract: The present invention is directed towards an X-ray people screening system capable of rapidly screening people for detection of metals, low Z materials (plastics, ceramics and illicit drugs) and other contraband which might be concealed beneath the person's...

Thu, 09 Dec 2010 18:22:19 UTC

Department of Homeland Security Getting a Little too 1984ish

Posted By Bruce Schneier

A DHS video message, reminding people to look out for and report suspicious activity, will be displayed at WalMart stores around the country....

Thu, 09 Dec 2010 11:50:10 UTC

WikiLeaks

Posted By Bruce Schneier

I don't have a lot to say about WikiLeaks, but I do want to make a few points. 1. Encryption isn't the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and -- so it seems -- put into an archive on SIPRNet, where lots of people had access to them. 2. Secrets...

Wed, 08 Dec 2010 20:27:21 UTC

Never Let the Terrorists Know How We're Storing Road Salt

Posted By Bruce Schneier

This seems not to be a joke: The American Civil Liberties Union has filed a lawsuit against the state after it refused to release the construction plans for a barn used to store road salt, on the basis that doing so would be a security risk. [...] Chiaffarano filed an OPRA request for the state's building plans, but was denied...

Wed, 08 Dec 2010 13:10:20 UTC

Sane Comments on Terrorism

Posted By Bruce Schneier

From Michael Leiter, the director of the National Counterterrorism Center: Ultimately, Leiter said, it'll be the "quiet, confident resilience" of Americans after a terrorist attack that will "illustrate ultimately the futility of terrorism." That doesn't mean not to hit back: Leiter quickly added that "we will hold those accountable [and] we will be ready to respond to those attacks." But...

Tue, 07 Dec 2010 12:43:58 UTC

Profiling Lone Terrorists

Posted By Bruce Schneier

Masters Thesis from the Naval Postgraduate School: "Patterns of Radicalization: Identifying the Markers and Warning Signs of Domestic Lone Wolf Terrorists in Our Midst." Abstract: This thesis will scrutinize the histories of our nation's three most prolific domestic lone wolf terrorists: Tim McVeigh, Ted Kaczynski, and Eric Rudolph. It will establish a chronological pattern to their radicalization and reveal that...

Mon, 06 Dec 2010 19:52:50 UTC

FTC Privacy Report

Posted By Bruce Schneier

The U.S. Federal Trade Commission released its privacy report: "Protecting Consumer Privacy in an Era of Rapid Change." From the press release: One method of simplified choice the FTC staff recommends is a "Do Not Track" mechanism governing the collection of information about consumer's Internet activity to deliver targeted advertisements and for other purposes. Consumers and industry both support increased...

Mon, 06 Dec 2010 12:42:06 UTC

Cyberwar and the Future of Cyber Conflict

Posted By Bruce Schneier

The world is gearing up for cyberwar. The U.S. Cyber Command became operational in November. NATO has enshrined cyber security among its new strategic priorities. The head of Britain's armed forces said recently that boosting cyber capability is now a huge priority for the UK. And we know China is already engaged in broad cyber espionage attacks against the west....

Fri, 03 Dec 2010 22:25:26 UTC

Friday Squid Blogging: New Species of Squid Discovered

Posted By Bruce Schneier

New species of squid discovered in the Southern Indian Ocean....

Fri, 03 Dec 2010 18:41:56 UTC

Football Match Fixing

Posted By Bruce Schneier

Detecting fixed football (soccer) games. There is a certain buzz of expectation, because Oscar, one of the fraud analysts, has spotted a game he is sure has been fixed. "We've been watching this for a couple of weeks now," he says. "The odds have gone to a very suspicious level. We believe that this game will finish in an away...

Fri, 03 Dec 2010 12:20:23 UTC

Full Body Scanners: What's Next?

Posted By Bruce Schneier

Organizers of National Opt Out Day -- the Wednesday before Thanksgiving when air travelers were urged to opt out of the full-body scanners at security checkpoints and instead submit to full-body patdowns -- were outfoxed by the TSA. The government pre-empted the protest by turning off the machines in most airports during the Thanksgiving weekend. Everyone went through the metal...

Thu, 02 Dec 2010 16:41:33 UTC

Close the Washington Monument

Posted By Bruce Schneier

Securing the Washington Monument from terrorism has turned out to be a surprisingly difficult job. The concrete fence around the building protects it from attacking vehicles, but there's no visually appealing way to house the airport-level security mechanisms the National Park Service has decided are a must for visitors. It is considering several options, but I think we should close...

Thu, 02 Dec 2010 13:06:16 UTC

Brian Snow Sows Cyber Fears

Posted By Bruce Schneier

That's no less sensational than the Calgary Herald headline: "Total cyber-meltdown almost inevitable, expert tells Calgary audience." That's former NSA Technical Director Brian Snow talking to a university audience. "It's long weeks to short months at best before there's a security meltdown," said Snow, as a guest lecturer for the Institute for Security, Privacy and Information Assurance, an interdisciplinary group...

Wed, 01 Dec 2010 19:27:52 UTC

Risk Reduction Strategies on Social Networking Sites

Posted By Bruce Schneier

By two teenagers: Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn't delete the account -- that's the point. She knows that when she logs back in, she'll be able to reactivate the account and have all of her friend connections back. But when she's not logged in, no...

Wed, 01 Dec 2010 11:55:53 UTC

Software Monoculture

Posted By Bruce Schneier

In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would...

Tue, 30 Nov 2010 18:09:42 UTC

The Constitutionality of Full-Body Scanners

Posted By Bruce Schneier

Jeffrey Rosen opines: Although the Supreme Court hasn't evaluated airport screening technology, lower courts have emphasized, as the U.S. Court of Appeals for the 9th Circuit ruled in 2007, that "a particular airport security screening search is constitutionally reasonable provided that it 'is no more extensive nor intensive than necessary, in the light of current technology, to detect the presence...

Tue, 30 Nov 2010 11:54:49 UTC

Mohamed Osman Mohamud

Posted By Bruce Schneier

I agree with Glenn Greenwald. I don't know if it's an actual terrorist that the FBI arrested, or if it's another case of entrapment. All of the information about this episode -- all of it -- comes exclusively from an FBI affidavit filed in connection with a Criminal Complaint against Mohamud. As shocking and upsetting as this may be to...

Mon, 29 Nov 2010 18:32:46 UTC

Zoo Security

Posted By Bruce Schneier

From a study on zoo security: Among other measures, the scientists recommend not allowing animals to walk freely within the zoo grounds, and ensuring there is a physical barrier marking the zoo boundaries, and preventing individuals from escaping through drains, sewers or any other channels. Isn't all that sort of obvious?...

Mon, 29 Nov 2010 12:52:36 UTC

Causing Terror on the Cheap

Posted By Bruce Schneier

Total cost for the Yemeni printer cartridge bomb plot: $4200. "Two Nokia mobiles, $150 each, two HP printers, $300 each, plus shipping, transportation and other miscellaneous expenses add up to a total bill of $4,200. That is all what Operation Hemorrhage cost us," the magazine said. Even if you add in costs for training, recruiting, logistics, and everything else, that's...

Fri, 26 Nov 2010 22:58:17 UTC

Friday Squid Blogging: Studying Squid Hearing

Posted By Bruce Schneier

At Woods Hole: It is known now, through the work of Mooney and others, that the squid hearing system has some similarities and some differences compared to human hearing. Squid have a pair of organs called statocysts, balance mechanisms at the base of the brain that contain a tiny grain of calcium, which maintains its position as the animal maneuvers...

Fri, 26 Nov 2010 19:52:38 UTC

Psychopaths and Security

Posted By Bruce Schneier

I have been thinking a lot about security against psychopaths. Or, at least, how we have traditionally secured social systems against these sorts of people, and how we can secure our socio-technical systems against them. I don't know if I have any conclusions yet, only a short reading list....

Fri, 26 Nov 2010 11:51:06 UTC

The Withdrawal of the A5/2 Encryption Algorithm

Posted By Bruce Schneier

Interesting story of the withdrawal of the A5/2 encryption algorithm from GSM phones....

Thu, 25 Nov 2010 12:39:34 UTC

The DHS is Getting Rid of the Color-Coded Terrorism Alert System

Posted By Bruce Schneier

Good. It was always a dumb idea: The color-coded threat levels were doomed to fail because "they don't tell people what they can do -- they just make people afraid," said Bruce Schneier, an author on security issues. He said the system was "a relic of our panic after 9/11" that "never served any security purpose." I wrote this in...

Wed, 24 Nov 2010 19:33:19 UTC

New ATM Skimming Attack

Posted By Bruce Schneier

In Europe, although the article doesn't say where: Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects...

Wed, 24 Nov 2010 13:21:32 UTC

David Kahn Donates his Cryptography Collection to the National Cryptologic Museum

Posted By Bruce Schneier

Good for him. I think that's where my collection will be going, too....

Tue, 23 Nov 2010 19:08:59 UTC

Spoofing Geolocation

Posted By Bruce Schneier

How to spoof your location on Facebook with your BlackBerry....

Tue, 23 Nov 2010 12:11:52 UTC

Me on Airport Security

Posted By Bruce Schneier

Yesterday I participated in a New York Times "Room for Debate" discussion on airline security. My contribution is nothing I haven't said before, so I won't reprint it here. The other participants are worth reading too. I also did an interview in -- of all places -- Popular Mechanics....

Mon, 22 Nov 2010 19:08:24 UTC

Defeating al Qaeda

Posted By Bruce Schneier

Rare common sense: But Gen Richards told the BBC it was not possible to defeat the Taliban or al-Qaeda militarily. "You can't. We've all said this. David Petraeus has said it, I've said it. "The trick is the balance of things that you're doing and I say that the military are just about, you know, there. "The biggest problem's been...

Mon, 22 Nov 2010 12:19:02 UTC

Stuxnet News

Posted By Bruce Schneier

Another piece of the puzzle: New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz. The malware is designed to change the output...

Fri, 19 Nov 2010 22:19:05 UTC

Friday Squid Blogging: Flying Squid

Posted By Bruce Schneier

Photographic evidence from Jamaica....

Fri, 19 Nov 2010 19:13:34 UTC

Me on Cyberwar

Posted By Bruce Schneier

Last week, I gave a talk on cyberwar and cyberconflict at the Institute for International and European Affairs in Dublin. Here's the video. It was only the second time I've given the talk. About three quarters in, I noticed that I didn't have my fourth and final page of notes. So if the ending feels a bit scattered, that's why....

Fri, 19 Nov 2010 11:37:44 UTC

TSA Backscatter X-ray Backlash

Posted By Bruce Schneier

Things are happening so fast that I don't know if I should bother. But here are some links and observations. The head of the Allied Pilots Association is telling its members to avoid both the full body scanners and the patdowns. This first-hand report, from a man who refused to fly rather than subject himself to a full-body scan or...

Thu, 18 Nov 2010 18:19:09 UTC

Airplane Terrorism Twenty Years Ago

Posted By Bruce Schneier

Excellent: Here's a scenario: Middle Eastern terrorists hijack a U.S. jetliner bound for Italy. A two-week drama ensues in which the plane's occupants are split into groups and held hostage in secret locations in Lebanon and Syria. While this drama is unfolding, another group of terrorists detonates a bomb in the luggage hold of a 747 over the North Atlantic,...

Thu, 18 Nov 2010 12:13:53 UTC

Unsolicited Terrorism Tips to the U.S. Government

Posted By Bruce Schneier

Adding them all up, the U.S. government "receives between 8,000 and 10,000 pieces of information per day, fingering just as many different people as potential threats. They also get information about 40 supposed plots against the United States or its allies daily." All of this means that first-time suspects and isolated pieces of information are less likely to be exhaustively...

Wed, 17 Nov 2010 13:13:25 UTC

New Biometric

Posted By Bruce Schneier

Eye movements instead of eye structures. The new system tracks the way a person's eye moves as he watches an icon roam around a computer screen. The way the icon moves can be different every time, but the user's eye movements include "kinetic features" -- slight variations in trajectory -- that are unique, making it possible to identify him....

Tue, 16 Nov 2010 19:22:52 UTC

Security Haiku

Posted By Bruce Schneier

These could surely be better. Anyone?...

Tue, 16 Nov 2010 12:36:44 UTC

Term Paper Writing for Hire

Posted By Bruce Schneier

This recent essay (commentary here) reminded me of this older essay, both by people who write student term papers for hire. There are several services that do automatic plagiarism detection -- basically, comparing phrases from the paper with general writings on the Internet and even caches of previously written papers -- but detecting this kind of custom plagiarism work is...

Mon, 15 Nov 2010 10:55:22 UTC

Internet Quarantines

Posted By Bruce Schneier

Last month, Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update...

Fri, 12 Nov 2010 22:23:17 UTC

Friday Squid Blogging: Tentacle Pot Pie

Posted By Bruce Schneier

Nice....

Fri, 12 Nov 2010 18:49:38 UTC

Albert Gonzalez

Posted By Bruce Schneier

Long article on convicted hacker Albert Gonzalez from The New York Times Magazine....

Fri, 12 Nov 2010 12:28:41 UTC

Camouflaging Test Cars

Posted By Bruce Schneier

Interesting: In an effort to shield their still-secret products from prying eyes, automakers testing prototype models, often in the desert and at other remote locales, have long covered the grilles and headlamps with rubber, vinyl and tape -- the perfunctory equivalent of masks and hats. Now the old materials are being replaced or supplemented with patterned wrappings applied like wallpaper....

Thu, 11 Nov 2010 18:45:55 UTC

Bulletproof Service Providers

Posted By Bruce Schneier

From Brian Krebs: Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called "bulletproof hosting" providers, mini-ISPs...

Thu, 11 Nov 2010 12:45:17 UTC

Changing Passwords

Posted By Bruce Schneier

How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer's or bank's password expiration policy: people who finally memorized their current password and are realizing they'll have to write down their new password. How could that possibly be more secure, they want to know. The answer depends on what...

Wed, 10 Nov 2010 19:41:57 UTC

Removing Belts at Airport Security

Posted By Bruce Schneier

The TSA is making us remove our belts even when we don't have to. European airports have made us remove our belts for years. My normal tactic is to pull my shirt tails out of my pants and over my belt. Then I flash my waist and tell them I'm not wearing a belt. It doesn't set off the metal...

Wed, 10 Nov 2010 13:09:31 UTC

Securing the Washington Monument

Posted By Bruce Schneier

Good article on security options for the Washington Monument: Unfortunately, the bureaucratic gears are already grinding, and what will be presented to the public Monday doesn't include important options, including what became known as the "tunnel" in previous discussions of the issue. Nor does it include the choice of more minimal visitor screening -- simple wanding or visual bag inspection...

Tue, 09 Nov 2010 18:59:11 UTC

Crowdsourcing Surveillance

Posted By Bruce Schneier

Internet Eyes is a U.K. startup designed to crowdsource digital surveillance. People pay a small fee to become a "Viewer." Once they do, they can log onto the site and view live anonymous feeds from surveillance cameras at retail stores. If they notice someone shoplifting, they can alert the store owner. Viewers get rated on their ability to differentiate real...

Tue, 09 Nov 2010 12:01:25 UTC

Kahn, Diffie, Clark, and Me at Bletchley Park

Posted By Bruce Schneier

Saturday, I visited Bletchley Park to speak at the Annual ACCU Security Fundraising Conference. They had a stellar line of speakers this year, and I was pleased to be a part of the day. Talk #1: "The Art of Forensic Warfare," Andy Clark. Riffing on Sun Tzu's The Art of War, Clark discussed the war -- the back and forth...

Mon, 08 Nov 2010 20:55:56 UTC

Young Man in "Old Man" Mask Boards Plane in Hong Kong

Posted By Bruce Schneier

It's kind of an amazing story. A young Asian man used a rubber mask to disguise himself as an old Caucasian man and, with a passport photo that matched his disguise, got through all customs and airport security checks and onto a plane to Canada. The fact that this sort of thing happens occasionally doesn't surprise me. It's human nature...

Mon, 08 Nov 2010 16:21:08 UTC

The End of In-Flight Wi-Fi?

Posted By Bruce Schneier

Okay, now the terrorists have really affected me personally: they're forcing us to turn off airplane Wi-Fi. No, it's not that the Yemeni package bombs had a Wi-Fi triggering mechanism -- they seem to have had a cell phone triggering mechanism, dubious at best -- but we can imagine an Internet-based triggering mechanism. Put together a sloppy and unsuccessful package...

Fri, 05 Nov 2010 21:39:37 UTC

Friday Squid Blogging: Squid Costume

Posted By Bruce Schneier

Just in time for Halloween....

Fri, 05 Nov 2010 11:56:53 UTC

"A Social Network Approach to Understanding an Insurgency"

Posted By Bruce Schneier

Interesting....

Thu, 04 Nov 2010 12:04:15 UTC

The Business of Botnets

Posted By Bruce Schneier

It can be lucrative: Avanesov allegedly rented and sold part of his botnet, a common business model for those who run the networks. Other cybercriminals can rent the hacked machines for a specific time for their own purposes, such as sending a spam run or mining the PCs for personal details and files, among other nefarious actions. Dutch prosecutors believe...

Wed, 03 Nov 2010 12:06:34 UTC

Did the FBI Invent the D.C. Bomb Plot?

Posted By Bruce Schneier

Last week the police arrested Farooque Ahmed for plotting a terrorist attack on the D.C. Metro system. However, it's not clear how much of the plot was his idea and how much was the idea of some paid FBI informants: The indictment offers some juicy tidbits -- Ahmed allegedly proposed using rolling suitcases instead of backpacks to bomb the Metro...

Tue, 02 Nov 2010 10:51:40 UTC

Dan Geer on "Cybersecurity and National Policy"

Posted By Bruce Schneier

Worth reading: Those with either an engineering or management background are aware that one cannot optimize everything at once -- that requirements are balanced by constraints. I am not aware of another domain where this is as true as it is in cybersecurity and the question of a policy response to cyber insecurity at the national level. In engineering, this...

Mon, 01 Nov 2010 11:02:56 UTC

Control Fraud

Posted By Bruce Schneier

I had never heard the term "control fraud" before: Control fraud theory was developed in the savings and loan debacle. It explained that the person controlling the S&L (typically the CEO) posed a unique risk because he could use it as a weapon. The theory synthesized criminology (Wheeler and Rothman 1982), economics (Akerlof 1970), accounting, law, finance, and political science....

Sun, 31 Oct 2010 15:02:29 UTC

Halloween and the Irrational Fear of Stranger Danger

Posted By Bruce Schneier

From the Wall Street Journal: Take "stranger danger," the classic Halloween horror. Even when I was a kid, back in the "Bewitched" and "Brady Bunch" costume era, parents were already worried about neighbors poisoning candy. Sure, the folks down the street might smile and wave the rest of the year, but apparently they were just biding their time before stuffing...

Sat, 30 Oct 2010 14:41:06 UTC

Cargo Security

Posted By Bruce Schneier

The New York Times writes: "Despite the increased scrutiny of people and luggage on passenger planes since 9/11, there are far fewer safeguards for packages and bundles, particularly when loaded on cargo-only planes." Well, of course. We've always known this. We've not worried about terrorism on cargo planes because it isn't very terrorizing. Packages aren't people. If a passenger plane...

Fri, 29 Oct 2010 21:17:28 UTC

Friday Squid Blogging: Dissecting a Giant Squid

Posted By Bruce Schneier

Interesting television program from UK Channel 4....

Fri, 29 Oct 2010 19:31:45 UTC

Me at TED

Posted By Bruce Schneier

Okay, it's not TED. It's one of the independent regional TED events: TEDxPSU. My talk was "Reconceptualizing Security," a condensation of the hour-long talk into 18 minutes....

Fri, 29 Oct 2010 11:48:26 UTC

The Militarization of the Internet

Posted By Bruce Schneier

Good blog post....

Thu, 28 Oct 2010 11:09:37 UTC

New Orleans Scrapping Surveillance Cameras

Posted By Bruce Schneier

They're not worth it: In seven years, New Orleans' crime camera program has yielded six indictments: three for crimes caught on video and three for bribes and kickbacks a vendor is accused of paying a former city official to sell the cameras to City Hall....

Wed, 27 Oct 2010 20:24:49 UTC

FBI Bugging Embassies in 1940

Posted By Bruce Schneier

Old -- but recently released -- document discussing the bugging of the Russian embassy in 1940. The document also mentions bugging the embassies of France, Germany, Italy, and Japan....

Wed, 27 Oct 2010 12:53:03 UTC

Firesheep

Posted By Bruce Schneier

Firesheep is a new Firefox plugin that makes it easy for you to hijack other people's social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection. Slides from the...

Tue, 26 Oct 2010 11:40:53 UTC

Seymour Hersh on Cyberwar

Posted By Bruce Schneier

Excellent article from The New Yorker....

Mon, 25 Oct 2010 11:21:13 UTC

Declassified NSA Documents

Posted By Bruce Schneier

It's a long list. These items are not online; they're at the National Archives and Records Administration in College Park, MD. You can either ask for copies by mail under FOIA (at 75 cents per page) or come in in person. There, you can read and scan them for free, or photocopy them for about 20 cents a page....

Fri, 22 Oct 2010 21:31:20 UTC

Steganography in the Longfin Inshore Squid

Posted By Bruce Schneier

Really: While the notion that a few animals produce polarization signals and use them in communication is not new, Mäthger and Hanlon's findings present the first anatomical evidence for a “hidden communication channel” that can remain masked by typical camouflage patterns. Their results suggest that it might be possible for squid to send concealed polarized signals to one another while...

Fri, 22 Oct 2010 19:29:28 UTC

Video Interview with Me from RSA Europe

Posted By Bruce Schneier

I was interviewed this week at RSA Europe....

Fri, 22 Oct 2010 10:45:21 UTC

FaceTime for Mac Security Hole

Posted By Bruce Schneier

Once a user has logged into FaceTime, anyone with access to the machine can change the user's Apple ID password without knowing the old password....

Thu, 21 Oct 2010 19:07:08 UTC

Electronic Car Lock Denial-of-Service Attack

Posted By Bruce Schneier

Clever: Inspector Richard Haycock told local newspapers that the possible use of the car lock jammers would help explain a recent spate of thefts from vehicles that have occurred without leaving any signs of forced entry. "We do get quite a lot of car crime in the borough where there's no sign of a break-in and items have been taken...

Thu, 21 Oct 2010 00:11:54 UTC

Workshop on the Economics of Information Security

Posted By Bruce Schneier

I am the program chair for WEIS 2011, which is to be held next June in Washington, DC. Submissions are due at the end of February. Please forward and repost the call for papers....

Wed, 20 Oct 2010 12:21:20 UTC

Predator Software Pirated?

Posted By Bruce Schneier

This isn't good: Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the "government client" seeking assistance with Predator drones was none other than the Central Intelligence Agency. IISi is seeking an...

Tue, 19 Oct 2010 12:34:38 UTC

Hiding in Plain Sight

Posted By Bruce Schneier

Ha! When he's out and about near his Denver home, former Broncos quarterback John Elway has come up with a novel way to travel incognito -- he wears his own jersey. "I do that all the time here," the 50-year-old Hall of Famer told me. "I go to the mall that way. They know it's not me because they say there's no...

Mon, 18 Oct 2010 11:23:10 UTC

Fingerprinting Telephone Calls

Posted By Bruce Schneier

This is clever: The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network -- cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing...

Fri, 15 Oct 2010 08:12:59 UTC

Indian OS

Posted By Bruce Schneier

India is writing its own operating system so it doesn't have to rely on Western technology: India's Defence Research and Development Organisation (DRDO) wants to build an OS, primarily so India can own the source code and architecture. That will mean the country won't have to rely on Western operating systems that it thinks aren't up to the job of...

Thu, 14 Oct 2010 17:10:14 UTC

Picking a Single Voice out of a Crowd

Posted By Bruce Schneier

Interesting new technology. Squarehead's new system is like bullet-time for sound. 325 microphones sit in a carbon-fiber disk above the stadium, and a wide-angle camera looks down on the scene from the center of this disk. All the operator has to do is pinpoint a spot on the court or field using the screen, and the Audioscope works out how...

Thu, 14 Oct 2010 11:35:00 UTC

Pen-and-Paper SQL Injection Attack Against Swedish Election

Posted By Bruce Schneier

Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time. Three news links, in Swedish....

Wed, 13 Oct 2010 11:20:02 UTC

The FBI is Tracking Whom?

Posted By Bruce Schneier

They're tracking a college student in Silicon Valley. He's 20, partially Egyptian, and studying marketing at Mission College. He found the tracking device attached to his car. Near as he could tell, what he did to warrant the FBI's attention is be the friend of someone who did something to warrant the FBI's attention. Afifi retrieved the device from his...

Tue, 12 Oct 2010 11:12:16 UTC

The Mahmoud al-Mabhouh Assassination

Posted By Bruce Schneier

Remember the Mahmoud al-Mabhouh assassination last January? The police identified 30 suspects, but haven't been able to find any of them. Police spent about 10,000 hours poring over footage from some 1,500 security cameras around Dubai. Using face-recognition software, electronic-payment records, receipts and interviews with taxi drivers and hotel staff, they put together a list of suspects and publicized it....

Mon, 11 Oct 2010 11:54:40 UTC

The Economist on Biometrics

Posted By Bruce Schneier

Good article. Here's my essay on biometrics, from 1999....

Fri, 08 Oct 2010 21:23:39 UTC

Friday Squid Blogging: Squid's Restaurant

Posted By Bruce Schneier

In Chapel Hill, NC....

Fri, 08 Oct 2010 17:49:36 UTC

The Ineffectiveness of Vague Security Warnings

Posted By Bruce Schneier

From Slate: We do nothing, first and foremost, because there is nothing we can do. Unless the State Department gets specific -- e.g., "don't go to the Eiffel Tower tomorrow" -- information at that level of generality is completely meaningless. Unless we are talking about weapons of mass destruction, the chances of being hit by a car while crossing the street are still greater...

Fri, 08 Oct 2010 11:23:09 UTC

Hacking Trial Breaks D.C. Internet Voting System

Posted By Bruce Schneier

Sounds like it was easy: Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of "give it your best shot." Well, the hackers gave it their best shot -- and midday Friday, the trial period was...

Thu, 07 Oct 2010 14:56:59 UTC

Stuxnet

Posted By Bruce Schneier

Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story. As the story goes, the Stuxnet worm was designed and released by a government -- the U.S. and...

Thu, 07 Oct 2010 12:03:37 UTC

The Politics of Allocating Homeland Security Money to States

Posted By Bruce Schneier

From the Journal of Homeland Security and Emergency Management: "Politics or Risks? An Analysis of Homeland Security Grant Allocations to the States." Abstract: In the days following the September 11 terrorist attacks on the United States, the nation's elected officials created the USA Patriot Act. The act included a grant program for the 50 states that was intended to assist...

Wed, 06 Oct 2010 11:59:18 UTC

Putting Unique Codes on Objects to Detect Counterfeiting

Posted By Bruce Schneier

This will help some. At least two rival systems plan to put unique codes on packages containing antimalarials and other medications. Buyers will be able to text the code to a phone number on the package and get an immediate reply of "NO" or "OK," with the drug's name, expiration date, and other information. To defeat the system, the counterfeiter...

Tue, 05 Oct 2010 12:22:12 UTC

Analyzing CAPTCHAs

Posted By Bruce Schneier

New research: "Attacks and Design of Image Recognition CAPTCHAs." Abstract. We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail. Then we present a security...

Mon, 04 Oct 2010 18:55:35 UTC

Sky Marshals Flying First Class

Posted By Bruce Schneier

I regularly say that security decisions are primarily made for non-security reasons. This article about the placement of sky marshals on airplanes is an excellent example. Basically, the airlines would prefer they fly coach instead of first class. Airline CEOs met recently with TSA administrator John Pistole and officials from the Federal Air Marshal Service requesting the TSA to reconsider...

Mon, 04 Oct 2010 11:31:13 UTC

Monitoring Employees' Online Behavior

Posted By Bruce Schneier

Not their online behavior at work, but their online behavior in life. Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and "thousands of other sources," the company develops a report on the "real you" -- not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around....

Fri, 01 Oct 2010 21:01:13 UTC

Friday Squid Blogging: Beautiful Squid Sketches

Posted By Bruce Schneier

The Cephalopoda....

Fri, 01 Oct 2010 19:43:31 UTC

My Recording Debut

Posted By Bruce Schneier

Okay, so this isn't a normal blog post. It's not about security. I've been playing doumbek with a band at the Minneapolis Renaissance Festival called Brother Seamus. They've released a CD, "Hale and Sound," where I play on three of the tracks. If you're interested in a copy, it's only $15 -- including shipping anywhere in the world. If you're...

Fri, 01 Oc