An aggregation of our Blog Roll, made up of acmqueue authors.

All Postings, Bruce Schneier:  (2,797 posts)

Source blog: Schneier on Security

Fri, 17 Oct 2014 22:17:51 UTC

Friday Squid Blogging: 1,057 Squid T-Shirts

Posted By Bruce Schneier

That's a lot. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. And commenting was broken for a couple of days. It's fixed now, I hope....

Fri, 17 Oct 2014 11:35:45 UTC

Hacking a Video Poker Machine

Posted By Bruce Schneier

Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine....

Thu, 16 Oct 2014 11:22:09 UTC

NSA Classification ECI = Exceptionally Controlled Information

Posted By Bruce Schneier

ECI is a classification above Top Secret. It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies. As part of the Intercept story on the NSA's using agents to infiltrate foreign companies and...

Wed, 15 Oct 2014 12:06:52 UTC

DEA Sets Up Fake Facebook Page in Woman's Name

Posted By Bruce Schneier

This is a creepy story. A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use it to set up a fake Facebook page in her name. The woman sued the...

Wed, 15 Oct 2014 11:29:19 UTC

FOXACID Operations Manual

Posted By Bruce Schneier

A few days ago, I saw this tweet: "Just a reminder that it is now *a full year* since Schneier cited it, and the FOXACID ops manual remains unpublished." It's true. The citation is this: According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety...

Tue, 14 Oct 2014 10:59:32 UTC

Surveillance in Schools

Posted By Bruce Schneier

This essay, "Grooming students for a lifetime of surveillance," talks about the general trends in student surveillance. Related: essay on the need for student privacy in online learning....

Mon, 13 Oct 2014 11:55:37 UTC

How James Bamford Came to Write The Puzzle Palace

Posted By Bruce Schneier

Interesting essay about James Bamford and his efforts to publish The Puzzle Palace over the NSA's objections. Required reading for those who think the NSA's excesses are somehow new....

Sat, 11 Oct 2014 19:54:11 UTC

NSA Has Undercover Operatives in Foreign Companies

Posted By Bruce Schneier

The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It's also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated...

Fri, 10 Oct 2014 21:13:32 UTC

Friday Squid Blogging: Flash-Fried Squid Recipe

Posted By Bruce Schneier

Recipe from Tom Douglas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Oct 2014 17:31:14 UTC

Online Activism and the Computer Fraud and Abuse Act

Posted By Bruce Schneier

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet. Also note Sauter's new book, The Coming Swarm....

Fri, 10 Oct 2014 08:07:14 UTC

Dynamic Encryption for Voice

Posted By Bruce Schneier

This article reads like snake oil. But the company was founded by Lars Knudsen, so it can't possibly be. I'm curious....

Thu, 09 Oct 2014 12:12:09 UTC

USB Cufflinks

Posted By Bruce Schneier

Just the thing for smuggling data out of secure locations....

Wed, 08 Oct 2014 20:38:26 UTC

BadUSB Code Has Been Published

Posted By Bruce Schneier

In July, I wrote about an unpatchable USB vulnerability called BadUSB. Code for the vulnerability has been published....

Tue, 07 Oct 2014 11:36:14 UTC

Data and Goliath Is Finished

Posted By Bruce Schneier

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is finished. I submitted it to my publisher, Norton, this morning. In a few weeks, I'll get the copyedited manuscript back, and a few weeks after that, it'll go into production. Stacks of printed books will come out the other end in February, and the book...

Mon, 06 Oct 2014 11:50:25 UTC

iPhone Encryption and the Return of the Crypto Wars

Posted By Bruce Schneier

Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it. From now on, all the phone's data is protected. It can no longer be accessed by...

Fri, 03 Oct 2014 23:19:55 UTC

Friday Squid Blogging: Squid Burger

Posted By Bruce Schneier

McDonald's has a Halloween-themed burger with a squid-ink bun. Only in Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Oct 2014 11:59:40 UTC

William Binney Explains NSA Surveillance Using Snowden's Documents

Posted By Bruce Schneier

Former NSA employee -- not technical director, as the link says -- explains how NSA bulk surveillance works, using some of the Snowden documents. Very interesting....

Thu, 02 Oct 2014 11:58:52 UTC

The NSA's Private Cloud

Posted By Bruce Schneier

The NSA is building a private cloud with its own security features: As a result, the agency can now track every instance of every individual accessing what is in some cases a single word or name in a file. This includes when it arrived, who can access it, who did access it, downloaded it, copied it, printed it, forwarded it,...

Wed, 01 Oct 2014 19:25:16 UTC

Firechat

Posted By Bruce Schneier

Firechat is a secure wireless peer-to-peer chat app: Firechat is theoretically resistant to the kind of centralized surveillance that the Chinese government (as well as western states, especially the US and the UK) is infamous for. Phones connect directly to one another, establish encrypted connections, and transact without sending messages to servers where they can be sniffed and possibly decoded....

Wed, 01 Oct 2014 12:19:51 UTC

Security Theater in China

Posted By Bruce Schneier

The Chinese government checked ten thousand pigeons for "dangerous materials." Because fear....

Mon, 29 Sep 2014 11:02:29 UTC

NSA Patents Available for License

Posted By Bruce Schneier

There's a new article on NSA's Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn't find anything interesting in the catalog. Does anyone see something I missed? My guess is that the good stuff remains classified, and isn't "transferred" to anyone. Slashdot thread....

Fri, 26 Sep 2014 21:28:15 UTC

Friday Squid Blogging: Squid Fishing Moves North in California

Posted By Bruce Schneier

Warmer waters are moving squid fishing up the California coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Sep 2014 17:44:11 UTC

Medical Records Theft and Fraud

Posted By Bruce Schneier

There's a Reuters article on new types of fraud using stolen medical records. I don't know how much of this is real and how much is hype, but I'm certain that criminals are looking for new ways to monetize stolen data....

Thu, 25 Sep 2014 19:17:44 UTC

Security Trade-offs of Cloud Backup

Posted By Bruce Schneier

This is a good essay on the security trade-offs with cloud backup: iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off: Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service. Your data is more at risk...

Thu, 25 Sep 2014 15:31:42 UTC

Nasty Vulnerability found in Bash

Posted By Bruce Schneier

It's a big and nasty one. Invariably we're going to see articles pointing at this and at Heartbleed and claiming a trend in vulnerabilities in open-source software. If anyone has any actual data other than two instances and the natural human tendency to generalize, I'd like to see it....

Wed, 24 Sep 2014 19:21:26 UTC

Julian Sanchez on the NSA and Surveillance Reform

Posted By Bruce Schneier

Julian Sanchez of the Cato Institute has a lengthy audio interview on NSA surveillance and reform. Worth listening to....

Wed, 24 Sep 2014 12:12:41 UTC

Detecting Robot-Handwriting

Posted By Bruce Schneier

Interesting article on the arms race between creating robot "handwriting" that looks human, and detecting text that has been written by a robot. Robots will continue to get better, and will eventually fool all of us....

Tue, 23 Sep 2014 18:09:26 UTC

Lesson in Successful Disaster Planning

Posted By Bruce Schneier

I found the story of the Federal Reserve on 9/11 to be fascinating. It seems they just flipped a switch on all their Y2K preparations, and it worked....

Tue, 23 Sep 2014 13:22:53 UTC

Kill Switches for Weapons

Posted By Bruce Schneier

Jonathan Zittrain argues that our military weapons should be built with a kill switch, so they become useless when they fall into enemy hands....

Mon, 22 Sep 2014 11:03:39 UTC

Security for Vehicle-to-Vehicle Communications

Posted By Bruce Schneier

The National Highway Traffic Safety Administration (NHTSA) has released a report titled "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application." It's very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication to ensure that all the communications are accurate and can't be spoofed, and privacy to ensure that the communications can't be used...

Fri, 19 Sep 2014 21:29:07 UTC

Friday Squid Blogging: Colossal Squid Dissected in New Zealand

Posted By Bruce Schneier

Months after it was found in August, scientists have dissected a colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Sep 2014 17:54:59 UTC

iOS 8 Security

Posted By Bruce Schneier

Apple claims that they can no longer unlock iPhones, even if the police show up with a warrant. Of course they still have access to everything in iCloud, but it's a start....

Fri, 19 Sep 2014 11:11:31 UTC

Fake Cell Phone Towers Across the US

Posted By Bruce Schneier

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone...

Thu, 18 Sep 2014 19:09:48 UTC

Terrible Article on Vernam Ciphers

Posted By Bruce Schneier

If there's anything that confuses wannabe cryptographers, it's one-time pads....

Thu, 18 Sep 2014 12:13:50 UTC

The Full Story of Yahoo's Fight Against PRISM

Posted By Bruce Schneier

In 2008 Yahoo fought the NSA to avoid becoming part of the PRISM program. They eventually lost their court battle, and at one point were threatened with a $250,000 a day fine if they continued to resist. I am continually amazed at the extent of the government coercion....

Wed, 17 Sep 2014 19:30:45 UTC

Identifying Dread Pirate Roberts

Posted By Bruce Schneier

According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users' true location....

Wed, 17 Sep 2014 12:15:19 UTC

Tracking People From their Cellphones with an SS7 Vulnerability

Posted By Bruce Schneier

What's interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability....

Mon, 15 Sep 2014 19:25:35 UTC

Two New Snowden Stories

Posted By Bruce Schneier

New Zealand is spying on its citizens. Edward Snowden weighs in personally. The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom....

Mon, 15 Sep 2014 14:26:00 UTC

Security of the SHA Family of Hash Functions

Posted By Bruce Schneier

Good article on the insecurity of SHA-1 and the need to replace it sooner rather than later....

Fri, 12 Sep 2014 21:26:13 UTC

Friday Squid Blogging: 200-Pound Squid Found in Gulf of Mexico

Posted By Bruce Schneier

A 200-pound dead giant squid was found near the coast of Matagorda, Texas. This is only the third giant squid ever found in the Gulf of Mexico. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Sep 2014 11:41:03 UTC

The Concerted Effort to Remove Data Collection Restrictions

Posted By Bruce Schneier

Since the beginning, data privacy regulation focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update). Recently, there has been concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft's Craig Mundie argues this. So does the PCAST report. And the World Economic...

Thu, 11 Sep 2014 11:15:57 UTC

Tabnapping: A New Phishing Attack

Posted By Bruce Schneier

Aza Raskin describes a new phishing attack: taking over a background tab on a browser to trick people into entering in their login credentials. Clever....

Wed, 10 Sep 2014 19:08:13 UTC

WikiLeaks Spy Files

Posted By Bruce Schneier

WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It's worth wandering around through all this material....

Wed, 10 Sep 2014 11:35:38 UTC

Safeplug Security Analysis

Posted By Bruce Schneier

Good security analysis of Safeplug, which is basically Tor in a box. Short answer: not yet....

Tue, 09 Sep 2014 19:07:27 UTC

Wi-Fi Jammer

Posted By Bruce Schneier

A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection: Oliver notes on the product's website that its so-called "All Out Mode" -- which prevents surveillance devices from connecting to any Wi-Fi network in the area -- is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public...

Mon, 08 Sep 2014 12:21:19 UTC

iPhone Payment Security

Posted By Bruce Schneier

Apple is including some sort of automatic credit card payment system with the iPhone 6. It's using some security feature of the phone and system to negotiate a cheaper transaction fee. Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there's less risk of fraud. The article says that Apple has negotiated...

Fri, 05 Sep 2014 21:06:55 UTC

Friday Squid Blogging: Book by One Squid-Obsessed Person About Another

Posted By Bruce Schneier

Preparing the Ghost: An Essay Concerning the Giant Squid and Its First Photographer, by Matthew Gavin Frank. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Sep 2014 10:18:41 UTC

Security of Password Managers

Posted By Bruce Schneier

At USENIX Security this year, there were two papers studying the security of password managers: David Silver, Suman Jana, and Dan Boneh, "Password Managers: Attacks and Defenses." Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers." It's interesting work, especially because it looks at security problems in something that...

Wed, 03 Sep 2014 11:53:54 UTC

JackPair Encrypted Phone Add-On

Posted By Bruce Schneier

JackPair is a clever device that encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I'd use it....

Tue, 02 Sep 2014 16:08:43 UTC

Electromagnetic Weapons

Posted By Bruce Schneier

Long article in IEEE Spectrum....

Mon, 01 Sep 2014 14:30:17 UTC

Pencil-and-Paper Codes Used by Central American Criminal Gangs

Posted By Bruce Schneier

No mention of how good the codes are. My guess is not very....

Fri, 29 Aug 2014 21:45:03 UTC

Squid Skin Inspires Eye-Like Photodetector

Posted By Bruce Schneier

Squid are color-blind, but may detect color directly through their skin. A researcher is working on a system to detect colored light the way squid do....

Fri, 29 Aug 2014 17:31:42 UTC

Cell Phone Kill Switches Mandatory in California

Posted By Bruce Schneier

California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one. I worry more about the side effects: once the feature is in...

Fri, 29 Aug 2014 11:08:51 UTC

ISIS Threatens US with Terrorism

Posted By Bruce Schneier

They're openly mocking our profiling. But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West. They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United...

Thu, 28 Aug 2014 11:14:24 UTC

Hacking Traffic Lights

Posted By Bruce Schneier

New paper: "Green Lights Forever: Analyzing the Security of Traffic Infrastructure," Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman. Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and...

Wed, 04 Jun 2014 20:17:23 UTC

Edward Snowden Wins EPIC "Champion of Freedom" Award

Posted By Bruce Schneier

On Monday I had the honor of presenting Edward Snowden with a "Champion of Freedom" award at the EPIC dinner. Snowden couldn't be there in person -- his father and stepmother were there in his place -- but he recorded this message. Left to right: Mark Rotenberg, Jesselyn Radack (Snowden's attorney), Lonnie Snowden, and Bruce Schneier...

Wed, 04 Jun 2014 11:23:17 UTC

The Human Side of Heartbleed

Posted By Bruce Schneier

The announcement on April 7 was alarming. A new Internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere. It was a software insecurity,...

Mon, 02 Jun 2014 11:37:07 UTC

Chinese Hacking of the US

Posted By Bruce Schneier

Chinese hacking of American computer networks is old news. For years we've known about their attacks against U.S. government and corporate targets. We've seen detailed reports of how they hacked The New York Times. Google has detected them going after Gmail accounts of dissidents. They've built sophisticated worldwide eavesdropping networks. These hacks target both military secrets and corporate intellectual property....

Fri, 30 May 2014 21:10:05 UTC

Friday Squid Blogging: Squid-Shaped Pancakes

Posted By Bruce Schneier

Here are pictures of squid-shaped pancakes. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 29 May 2014 19:12:25 UTC

Vulnerabilities Found in Law Enforcement Surveillance System

Posted By Bruce Schneier

SEC Consult has published an advisory warning people not to use a government eavesdropping product called Recording eXpress, sold by the Israeli company Nice Systems. Basically, attackers can completely compromise the system. There are good stories on this by Brian Krebs and Dan Goodin....

Thu, 29 May 2014 13:02:59 UTC

TrueCrypt WTF

Posted By Bruce Schneier

I have no idea what's going on with TrueCrypt. A good summary of the story is at ArsTechnica, and SlashDot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow. Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait...

Wed, 28 May 2014 20:49:30 UTC

Eben Moglen on Snowden and Surveillance

Posted By Bruce Schneier

This is well worth reading. It's based on a series of talks he gave last fall....

Tue, 27 May 2014 15:13:29 UTC

The Economics of Bulk Surveillance

Posted By Bruce Schneier

Ross Anderson has an important new paper on the economics that drive government-on-population bulk surveillance: My first big point is that all the three factors which lead to monopoly -- network effects, low marginal costs and technical lock-in -- are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily...

Fri, 23 May 2014 21:00:58 UTC

Friday Squid Blogging: Squid Ink Cocktail

Posted By Bruce Schneier

Del Campo, a restaurant in Washington DC, has a Bloody Mary made with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 May 2014 11:42:33 UTC

Alan Watts on the Harms of Surveillance

Posted By Bruce Schneier

Biologist Alan Watts makes some good points: Mammals don't respond well to surveillance. We consider it a threat. It makes us paranoid, and aggressive and vengeful. [...] "Natural selection favors the paranoid," Watts said. Those who run away. In the earliest days of man on the savannah, when we roamed among the predatory, wild animals, someone realized pretty quickly that...

Thu, 22 May 2014 11:15:07 UTC

Disclosing vs Hoarding Vulnerabilities

Posted By Bruce Schneier

There's a debate going on about whether the U.S. government -- specifically, the NSA and United States Cyber Command -- should stockpile Internet vulnerabilities or disclose and fix them. It's a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace. A software vulnerability is a programming mistake that allows an adversary access into...

Wed, 21 May 2014 20:29:37 UTC

The NSA is Not Made of Magic

Posted By Bruce Schneier

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It's this: the NSA is not made of magic. Its tools are no different from what we have in our world, it's just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the...

Wed, 21 May 2014 14:51:39 UTC

Government Policy on Cell Phone Interception Technology

Posted By Bruce Schneier

New paper: "Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy," by Christopher Soghoian and Stephanie K. Pell: Abstract: In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept...

Tue, 20 May 2014 19:01:09 UTC

Preplay Attack on Chip and PIN

Posted By Bruce Schneier

Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post: Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card. When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the...

Tue, 20 May 2014 11:13:45 UTC

Advances in Solving the Discrete Log Problem

Posted By Bruce Schneier

At Eurocrypt this year, researchers presented a paper that completely breaks the discrete log problem in any field with a small characteristic. It's nice work, and builds on a bunch of advances in this direction over the last several years. Despite headlines to the contrary, this does not have any cryptanalytic application -- unless they can generalize the result, which...

Mon, 19 May 2014 18:44:07 UTC

Pervasive Monitoring as Network Attack

Posted By Bruce Schneier

New IETF RFC: "RFC 7258: Pervasive Monitoring Is an Attack" that designers must mitigate. Slashdot thread....

Mon, 19 May 2014 12:07:28 UTC

Abusing Power to Shut Down a Twitter Parody Account

Posted By Bruce Schneier

This is a pretty horrible story of a small-town mayor abusing his authority -- warrants where there is no crime, police raids, incidental marijuana bust -- to identify and shut down a Twitter parody account. The ACLU is taking the case....

Fri, 16 May 2014 21:07:43 UTC

Friday Squid Blogging: Fossil Squid

Posted By Bruce Schneier

Rare fossilized cephalopods. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 May 2014 17:34:12 UTC

How to Stop an Insider from Stealing All Your Secrets

Posted By Bruce Schneier

This article from Communications of the ACM outlines some of the security measures the NSA could, and should, have had in place to stop someone like Snowden. Mostly obvious stuff, although I'm not sure it would have been effective against such a skilled and tenacious leaker. What's missing is the one thing that would have worked: have fewer secrets....

Fri, 16 May 2014 11:43:38 UTC

Forged SSL Certificates Pervasive on the Internet

Posted By Bruce Schneier

About 0.2% of all SSL certificates are forged. This is the first time I've ever seen a number based on real data. News article: Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. Actual paper....

Thu, 15 May 2014 18:18:28 UTC

Is Antivirus Dead?

Posted By Bruce Schneier

Symantec declared anti-virus dead, and Brian Krebs writes a good response. He's right: antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet....

Thu, 15 May 2014 11:08:05 UTC

Seventh Movie-Plot Threat Contest Semifinalists

Posted By Bruce Schneier

On April 1, I announced the Seventh Movie Plot Threat Contest: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling the strings...

Wed, 14 May 2014 17:08:05 UTC

Espionage vs. Surveillance

Posted By Bruce Schneier

According to NSA documents published in Glenn Greenwald's new book No Place to Hide, we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam. This will certainly strain international relations,...

Wed, 14 May 2014 11:30:22 UTC

New Al Qaeda Encryption Software

Posted By Bruce Schneier

The Web intelligence company Recorded Future is reporting -- picked up by the Wall Street Journal -- that al Qaeda is using new encryption software in the wake of the Snowden stories. I've been fielding press queries, asking me how this will adversely affect US intelligence efforts. I think the reverse is true. I think this will help US intelligence...

Tue, 13 May 2014 17:45:56 UTC

Computer Forensics in Fiction

Posted By Bruce Schneier

New television show -- CSI: Cyber. I hope they have some good technical advisers, but I doubt they do....

Tue, 13 May 2014 11:38:56 UTC

New NSA Snowden Documents

Posted By Bruce Schneier

Glenn Greenwald's book, No Place to Hide, has been published today. There are about 100 pages of NSA documents on the book's website. I haven't gone through them yet. At a quick glance, only a few of them have been published before. Here are two book reviews....

Mon, 12 May 2014 21:04:10 UTC

Steganography in Tweets

Posted By Bruce Schneier

Clever, but make sure to heed the caveats in the final two paragraphs....

Mon, 12 May 2014 11:26:04 UTC

Internet Subversion

Posted By Bruce Schneier

In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back. Trust is inherently social. It is personal, relative, situational, and fluid. It is not uniquely human,...

Fri, 09 May 2014 21:11:34 UTC

Friday Squid Blogging: The Evolutionary Purpose of Pain

Posted By Bruce Schneier

A new study shows that Doryteuthis pealei in pain -- or whatever passes for pain in that species -- has heightened sensory sensitivity and heightened reactions. News articles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 08 May 2014 12:32:35 UTC

Retelling of Stories Increases Bias

Posted By Bruce Schneier

Interesting experiment shows that the retelling of stories increases conflict and bias. For their study, which featured 196 undergraduates, the researchers created a narrative about a dispute between two groups of young people. It described four specific points of tension, but left purposely ambiguous the issue of which party was the aggressor, and "depicted the groups as equally blameworthy." Half...

Wed, 07 May 2014 11:19:47 UTC

Correspondence Between the NSA and Google Leaked

Posted By Bruce Schneier

Al Jazeera is reporting on leaked emails (not leaked by Snowden, but by someone else) detailing close ties between the NSA and Google. There are no smoking guns in the correspondence -- and the Al Jazeera article makes more of the e-mails than I think is there -- but it does show a closer relationship than either side has admitted...

Tue, 06 May 2014 15:30:30 UTC

Fearing Google

Posted By Bruce Schneier

Mathias Dopfner writes an open letter explaining why he fears Google: We know of no alternative which could offer even partially comparable technological prerequisites for the automated marketing of advertising. And we cannot afford to give up this source of revenue because we desperately need the money for technological investments in the future. Which is why other publishers are increasingly...

Mon, 05 May 2014 11:55:02 UTC

The Economics of Video Game Cheating

Posted By Bruce Schneier

Interesting article on the business of selling enhancements that allow you to cheat in online video games....

Fri, 02 May 2014 21:10:24 UTC

Friday Squid Blogging: How Flying Squid Fly

Posted By Bruce Schneier

Someone has finally proven how: How do these squid go from swimming to flying? Four phases of flight are described in the research: launching, jetting, gliding and diving. While swimming, the squid open up their mantle and draw in water. Then these squid launch themselves into the air with a high-powered blast of the water from their bodies. Once launched...

Fri, 02 May 2014 19:00:16 UTC

Unusual Electronic Voting Machine Threat Model

Posted By Bruce Schneier

Rats have destroyed dozens of electronic voting machines by eating the cables. It would have been a better story if the rats had zeroed out the machines after the votes had been cast but before they were counted, but it seems that they just ate the machines while they were in storage. The EVMs had been stored in a pre-designated...

Fri, 02 May 2014 11:26:38 UTC

Analysis of the FBI's Failure to Stop the Boston Marathon Bombings

Posted By Bruce Schneier

Detailed response and analysis of the inspectors general report on the Boston Marathon bombings: Two opposite mistakes in an after-the-fact review of a terrorist incident are equally damaging. One is to fail to recognize the powerful difference between foresight and hindsight in evaluating how an investigative or intelligence agency should have behaved. After the fact, we know on whom we...

Fri, 02 May 2014 11:14:53 UTC

Putin Requires Russian Bloggers to Register with the Government

Posted By Bruce Schneier

This is not good news. Widely known as the "bloggers law," the new Russian measure specifies that any site with more than 3,000 visitors daily will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published. Besides registering, bloggers can no longer remain anonymous online, and organizations that provide platforms for...

Thu, 01 May 2014 19:01:27 UTC

Really Weird Keith Alexander Interview

Posted By Bruce Schneier

Comedian John Oliver interviewed now-retired NSA director General Keith Alexander. It's truly weird....

Thu, 01 May 2014 11:52:28 UTC

The Federal Reserve System's Cyberdefense Force

Posted By Bruce Schneier

Interesting article on the cybersecurity branch of the Federal Reserve System....

Wed, 30 Apr 2014 18:05:52 UTC

Tracking People from Smartphone Accelerometers

Posted By Bruce Schneier

It's been long known that individual analog devices have their own fingerprints. Decades ago, individual radio transmitters were identifiable and trackable. Now, researchers have found that accelerometers in smartphones are unique enough to be identifiable. The researchers focused specifically on the accelerometer, a sensor that tracks three-dimensional movements of the phone -- essential for countless applications, including pedometers, sleep monitoring,...

Wed, 30 Apr 2014 13:58:27 UTC

The Quantified Toilet Hoax

Posted By Bruce Schneier

Good essay on the Quantified Toilet hoax, and the difference between public surveillance and private self-surveillance....

Tue, 29 Apr 2014 11:47:54 UTC

Details of Apple's Fingerprint Recognition

Posted By Bruce Schneier

This is interesting: Touch ID takes a 88x88 500ppi scan of your finger and temporarily sends that data to a secure cache located near the RAM, after the data is vectorized and forwarded to the secure enclave located on the top left of the A7 near the M7 processor it is immediately discarded after processing. The fingerprint scanner uses subdermal...

Mon, 28 Apr 2014 11:45:04 UTC

A New Pencil-and-Paper Encryption Algorithm

Posted By Bruce Schneier

Handycipher is a new pencil-and-paper symmetric encryption algorithm. I'd bet a gazillion dollars that it's not secure, although I haven't done the cryptanalysis myself....

Fri, 25 Apr 2014 21:17:35 UTC

Friday Squid Blogging: New Squid Exhibit at the Monterey Bay Aquarium.

Posted By Bruce Schneier

It's called "Tentacles." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 24 Apr 2014 11:45:05 UTC

Is Google Too Big to Trust?

Posted By Bruce Schneier

Interesting essay about how Google's lack of transparency is hurting their trust: The reality is that Google's business is and has always been about mining as much data as possible to be able to present information to users. After all, it can't display what it doesn't know. Google Search has always been an ad-supported service, so it needs a way...

Wed, 23 Apr 2014 19:33:24 UTC

Conversnitch

Posted By Bruce Schneier

Surveillance is getting cheaper and easier: Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in...

Wed, 23 Apr 2014 12:53:07 UTC

The Security of Various Programming Languages

Posted By Bruce Schneier

Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language. The report....

Tue, 22 Apr 2014 12:52:48 UTC

Dan Geer on Heartbleed and Software Monocultures

Posted By Bruce Schneier

Good essay: To repeat, Heartbleed is a common mode failure. We would not know about it were it not open source (Good). That it is open source has been shown to be no talisman against error (Sad). Because errors are statistical while exploitation is not, either errors must be stamped out (which can only result in dampening the rate of...

Mon, 21 Apr 2014 10:55:55 UTC

Info on Russian Bulk Surveillance

Posted By Bruce Schneier

Good information: Russian law gives Russia's security service, the FSB, the authority to use SORM (System for Operative Investigative Activities) to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions. SORM has been in use since 1990 and collects both metadata and content. SORM-1 collects mobile and...

Fri, 18 Apr 2014 21:16:41 UTC

Friday Squid Blogging: Squid Jigging

Posted By Bruce Schneier

Good news from Malaysia: The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said. He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region. "Beside introducing squid...

Fri, 18 Apr 2014 19:21:06 UTC

Metaphors of Surveillance

Posted By Bruce Schneier

There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...

Fri, 18 Apr 2014 12:29:13 UTC

Reverse Heartbleed

Posted By Bruce Schneier

Heartbleed can affect clients as well as servers....

Fri, 18 Apr 2014 11:26:32 UTC

Overreacting to Risk

Posted By Bruce Schneier

This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...

Thu, 17 Apr 2014 18:38:41 UTC

Tails

Posted By Bruce Schneier

Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....

Wed, 16 Apr 2014 14:32:27 UTC

Book Title

Posted By Bruce Schneier

I previously posted that I am writing a book on security and power. Here are some title suggestions: Permanent Record: The Hidden Battles to Capture Your Data and Control Your World Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World They Already Know: The Hidden Battles to Capture Your Data and Control Your World We...

Tue, 15 Apr 2014 11:56:11 UTC

Auditing TrueCrypt

Posted By Bruce Schneier

Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis. Quick summary: I'm still using it....

Mon, 14 Apr 2014 21:12:54 UTC

Schneier Talks and Interviews

Posted By Bruce Schneier

Here are three articles about me from the last month. Also these three A/V links....

Mon, 14 Apr 2014 19:11:30 UTC

Schneier Speaking Schedule: April-May

Posted By Bruce Schneier

Here's my upcoming speaking schedule for April and May: Stanford Law School on April 15. Brown University in Providence, RI -- two times -- on April 24. The Global Summit for Leaders in Information Technology in Washington, DC, on May 7. The Institute of World Politics on May 8. The University of Zurich on May 21. IT Security Inside in...

Mon, 14 Apr 2014 14:19:59 UTC

GoGo Wireless Adds Surveillance Capabilities for Government

Posted By Bruce Schneier

The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government....

Fri, 11 Apr 2014 21:07:36 UTC

Friday Squid Blogging: Bronze Giant Squid Sculpture

Posted By Bruce Schneier

A little too big for my house....

Fri, 11 Apr 2014 18:10:35 UTC

More on Heartbleed

Posted By Bruce Schneier

This is an update to my earlier post. Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack. Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not...

Fri, 11 Apr 2014 11:41:41 UTC

Police Disabling Their own Voice Recorders

Posted By Bruce Schneier

This is not a surprise: The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year. The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer's belt-worn transmitter....

Wed, 09 Apr 2014 10:03:09 UTC

Heartbleed

Posted By Bruce Schneier

Heartbleed is a catastrophic bug in OpenSSL: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows...

Tue, 08 Apr 2014 11:16:31 UTC

"Unbreakable" Encryption Almost Certainly Isn't

Posted By Bruce Schneier

This headline is provocative: "Human biology inspires 'unbreakable' encryption." The article is similarly nonsensical: Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack. Information can be encrypted...

Mon, 07 Apr 2014 14:34:03 UTC

The Youngest Security Researcher

Posted By Bruce Schneier

Five-year-old finds login vulnerability in Microsoft Xbox....

Fri, 04 Apr 2014 21:35:42 UTC

Friday Squid Blogging: Squid + Security in a Cartoon

Posted By Bruce Schneier

Funny....

Fri, 04 Apr 2014 13:25:01 UTC

Mass Surveillance by Eavesdropping on Web Cookies

Posted By Bruce Schneier

Interesting research: Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user's IP address varies. Using simulated browsing...

Wed, 02 Apr 2014 10:07:04 UTC

Ephemeral Apps

Posted By Bruce Schneier

Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there's no record. This notion is especially popular with young people,...

Tue, 01 Apr 2014 11:11:54 UTC

Seventh Movie-Plot Threat Contest

Posted By Bruce Schneier

As you might expect, this year's contest has the NSA as the villain: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling...

Mon, 31 Mar 2014 14:18:32 UTC

The Continuing Public/Private Surveillance Partnership

Posted By Bruce Schneier

If you've been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance. Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means...

Fri, 28 Mar 2014 21:08:32 UTC

Friday Squid Blogging: Encounter Between a Submersible Robot and a Giant Squid

Posted By Bruce Schneier

Wow....

Fri, 28 Mar 2014 11:22:44 UTC

Creating Forensic Sketches from DNA

Posted By Bruce Schneier

This seems really science fictional: It's already possible to make some inferences about the appearance of crime suspects from their DNA alone, including their racial ancestry and some shades of hair colour. And in 2012, a team led by Manfred Kayser of Erasmus University Medical Center in Rotterdam, the Netherlands, identified five genetic variants with detectable effects on facial shape....

Thu, 27 Mar 2014 11:52:28 UTC

Smarter People are More Trusting

Posted By Bruce Schneier

Interesting research. Both vocabulary and question comprehension were positively correlated with generalized trust. Those with the highest vocab scores were 34 percent more likely to trust others than those with the lowest scores, and someone who had a good perceived understanding of the survey questions was 11 percent more likely to trust others than someone with a perceived poor understanding....

Wed, 26 Mar 2014 18:10:28 UTC

Geolocating Twitter Users

Posted By Bruce Schneier

Interesting research into figuring out where Twitter users are located, based on similar tweets from other users: While geotags are the most definitive location information a tweet can have, tweets can also have plenty more salient information: hashtags, FourSquare check-ins, or text references to certain cities or states, to name a few. The authors of the paper created their algorithm...

Wed, 26 Mar 2014 11:16:38 UTC

Chilean Drug Trafficker Pencil-and-Paper Code

Posted By Bruce Schneier

Interesting....

Tue, 25 Mar 2014 10:58:15 UTC

Password Hashing Competition

Posted By Bruce Schneier

There's a private competition to identify new password hashing schemes. Submissions are due at the end of the month....

Mon, 24 Mar 2014 17:51:46 UTC

NSA Hacks Huawei

Posted By Bruce Schneier

Both Der Spiegel and the New York Times are reporting that the NSA has hacked Huawei pretty extensively, getting copies of the company's products' source code and most of the e-mail from the company. Aside from being a pretty interesting story about the operational capabilities of the NSA, it exposes some pretty blatant US government hypocrisy on this issue. As...

Mon, 24 Mar 2014 11:58:53 UTC

An Open Letter to IBM's Open Letter

Posted By Bruce Schneier

Last week, IBM published an "open letter" about "government access to data," where it tried to assure its customers that it's not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers. At the outset, we think it is important for IBM to clearly state some simple facts: IBM has...

Fri, 21 Mar 2014 21:31:09 UTC

Giant Squid as an Omen

Posted By Bruce Schneier

An omen of what? An increase in the number of giant squid being caught along the Sea of Japan coast is leading puzzled fishermen to fear their presence may be some kind of 'omen' -- although experts think the invertebrate are simply a bit cold....

Fri, 21 Mar 2014 17:19:47 UTC

New Book on Data and Power

Posted By Bruce Schneier

I'm writing a new book, with the tentative title of Data and Power. While it's obvious that the proliferation of data affects power, it's less clear how it does so. Corporations are collecting vast dossiers on our activities on- and off-line -- initially to personalize marketing efforts, but increasingly to control their customer relationships. Governments are using surveillance, censorship, and...

Fri, 21 Mar 2014 12:42:54 UTC

Liveblogging the Financial Cryptography Conference

Posted By Bruce Schneier

Ross Anderson liveblogged Financial Cryptography 2014. Interesting stuff....

Fri, 28 Feb 2014 22:38:25 UTC

Friday Squid Blogging: Bobtail Squid Photos

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Feb 2014 20:16:24 UTC

NEBULA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: NEBULA (S//SI//FVEY) Multi-Protocol macro-class Network-In-a-Box (NIB) system. Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000 applications. LTE capability currently under development. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: Dual Carrier System EGSM 900MHz UMTS 2100MHz CDMA2000 1900MHz Macro-class Base station 32+Km Range Optional Battery...

Fri, 28 Feb 2014 12:25:43 UTC

Decoding the Voynich Manuscript

Posted By Bruce Schneier

The Voynich Manuscript has been partially decoded. This seems not to be a hoax. And the manuscript seems not to be a hoax, either. Here's the paper....

Thu, 27 Feb 2014 20:08:44 UTC

GENESIS: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GENESIS (S//SI//REL) Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments. (S//SI//REL) The GENESIS systems are designed...

Thu, 27 Feb 2014 12:03:56 UTC

Was the iOS SSL Flaw Deliberate?

Posted By Bruce Schneier

Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...

Wed, 26 Feb 2014 20:38:21 UTC

ENTOURAGE: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: ENTOURAGE (S//SI//REL) Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing for GSM/UMTS/CDMA2000/FRS signals. A band-specific antenna and laptop controller is needed to compliment the HOLLOWPOINT system and completes the ground based system. (S//SI) The ENTOURAGE application leverages the 4...

Wed, 26 Feb 2014 12:55:46 UTC

DDoSing a Cell Phone Network

Posted By Bruce Schneier

Interesting research: Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel...

Tue, 25 Feb 2014 20:11:40 UTC

EBSR: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: EBSR (S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: LxT Model: 900/1800/1900MHz LxU Model: 850/1800/1900MHz Pico-class (1Watt) Base station Optional Battery Kits Highly Mobile and Deployable Integrated GPS, MS, & 802.11 Voice & High-speed...

Tue, 25 Feb 2014 12:43:23 UTC

Breaking Up the NSA

Posted By Bruce Schneier

The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission -- protecting the security of U.S. communications and eavesdropping on the communications of our enemies -- has become unbalanced in the post-Cold War, all-terrorism-all-the-time era. Putting the U.S. Cyber Command, the military's cyberwar wing, in the same location and...

Mon, 24 Feb 2014 20:44:34 UTC

CYCLONE Hx9: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CYCLONE Hx9 (S//SI//FVEY) EGSM (900MGz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: EGSM 900MHz Macro-class (+43dBm) 32+Km Range Optional Battery Kits Highly Mobile and Deployable Integrated GPS, MS,...

Mon, 24 Feb 2014 12:35:46 UTC

New Results in Software Obfuscation

Posted By Bruce Schneier

Amit Sahai and others have some new results in software obfuscation. The papers are here. An over-the top Wired.com story on the research is here. And Matthew Green has a great blog post explaining what's real and what's hype....

Fri, 21 Feb 2014 22:33:17 UTC

Friday Squid Blogging: Squid vs. Owlfish

Posted By Bruce Schneier

This video is pretty fantastic: The narrator does a great job at explaining what's going on here, blow by gross blow, but here are the highlights: Black-eyed squid snares owlfish with its two tentacles, which are tipped with hooks and suckers, and reels it in. Black-eyed squid gnaws away at the owlfish's spinal cord using its very sharp beak. Owlfish...

Fri, 21 Feb 2014 20:41:27 UTC

CROSSBEAM: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CROSSBEAM (TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial cellular product with a WAGONBED controller board. (TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. CROSSBEAM can receive GSM voice, record voice data, and transmit the received information...

Fri, 21 Feb 2014 20:06:00 UTC

Co3 Systems at the RSA Conference

Posted By Bruce Schneier

Co3 Systems is going to be at the RSA Conference. We don't have our own booth on the show floor, but there are four ways you can find us. Monday, we're at the Innovation Sandbox: 1:00-5:00 in Moscone North. At the conference, we're in the RSA Security booth. Go to the SecOps section of the booth and ask about us....

Fri, 21 Feb 2014 14:34:52 UTC

Building an Online Lie Detector

Posted By Bruce Schneier

There's an interesting project to detect false rumors on the Internet. The EU-funded project aims to classify online rumours into four types: speculation -- such as whether interest rates might rise; controversy -- as over the MMR vaccine; misinformation, where something untrue is spread unwittingly; and disinformation, where it's done with malicious intent. The system will also automatically categorise sources...

Thu, 20 Feb 2014 22:09:56 UTC

Brian Krebs

Posted By Bruce Schneier

Nice profile of Brian Krebs, cybersecurity journalist: Russian criminals routinely feed Mr. Krebs information about their rivals that they obtained through hacks. After one such episode, he began receiving daily calls from a major Russian cybercriminal seeking his files back. Mr. Krebs is writing a book about the ordeal, called "Spam Nation," to be published by Sourcebooks this year. In...

Thu, 20 Feb 2014 20:11:11 UTC

CANDYGRAM: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CANDYGRAM (S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones. (S//SI//REL) Typical use...

Thu, 20 Feb 2014 15:19:17 UTC

RCS Spyware and Citizen Lab

Posted By Bruce Schneier

Remote-Controlled System (RCS) is a piece of spyware sold exclusively to governments by a Milan company called Hacking Team. Recently, Citizen Lab found this spyware being used by the Ethiopian government against journalists, including American journalists. More recently, Citizen Lab mapped the software and who's using it: Hacking Team advertises that their RCS spyware is "untraceable" to a specific government...

Wed, 19 Feb 2014 20:18:58 UTC

TOTEGHOSTLY 2.0: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TOTEGHOSTLY 2.0 (TS//SI//REL) TOTEGHOSTLY 2.0 is STRAITBIZARRE based implant for the Windows Mobile embedded operating system and uses the CHIMNEYPOOL framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. (TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile...

Wed, 19 Feb 2014 12:47:42 UTC

Debating Snowden's Actions

Posted By Bruce Schneier

It's the season. Here are two....

Tue, 18 Feb 2014 20:17:26 UTC

TOTECHASER: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TOTECHASER (TS//SI//REL) TOTECHASER is a Windows CE implant targeting the Thuraya 2520 handset. The Thuraya is a dual mode phone that can operate either in SAT or GSM modes. The phone also supports a GPRS data connection for Web browsing, e-mail, and MMS messages. The initial software implant...

Tue, 18 Feb 2014 14:30:30 UTC

What Information Are Stun Guns Recording?

Posted By Bruce Schneier

In a story about a stolen Stradivarius violin, there's this: Information from a stun gun company, an anonymous tip and hours of surveillance paved the way for authorities to find a stolen 300-year-old Stradivarius violin in the attic of a Milwaukee home, police said Thursday. [...] Taser International, the maker of the stun gun used in the attack, "provided invaluable...

Mon, 17 Feb 2014 20:20:04 UTC

PICASSO: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: PICASSO (S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target. (S//SI) Target Data via SMS: Incoming call numbers Outgoing call numbers Recently...

Mon, 17 Feb 2014 18:13:49 UTC

US Infosec Researchers Against NSA Surveillance

Posted By Bruce Schneier

I signed an open letter from US researchers in cryptography and information security on NSA surveillance. It has received a lot of media coverage....

Mon, 17 Feb 2014 11:23:20 UTC

Who Should Store NSA Surveillance Data

Posted By Bruce Schneier

One of the recommendations by the president's Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you're counting—is that the government should not collect and store telephone metadata. Instead, a private company -- either the phone companies themselves or some other third party -- should store the metadata and provide it to the government...

Fri, 14 Feb 2014 22:02:09 UTC

Friday Squid Blogging: Giant Squid TED Talk

Posted By Bruce Schneier

Interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Feb 2014 21:19:37 UTC

MONKEYCALENDAR: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: MONKEYCALENDAR (TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS). (TS//SI//REL) Modern SIM cards (Phase 2+) have...

Fri, 14 Feb 2014 20:50:28 UTC

My Talk on the NSA

Posted By Bruce Schneier

Earlier this month, I gave a talk about the NSA at MIT. The video is available. ETA: The video doesn't display on some Firefox browsers. If you have trouble, try a different browser....

Fri, 14 Feb 2014 12:50:29 UTC

The Insecurity of Secret IT Systems

Posted By Bruce Schneier

We now know a lot about the security of the Rapiscan 522 B x-ray system used to scan carry-on baggage in airports worldwide. Billy Rios, director of threat intelligence at Qualys, got himself one and analyzed it. And he presented his results at the Kaspersky Security Analyst Summit this week. It's worse than you might have expected: It runs on...

Thu, 13 Feb 2014 20:05:20 UTC

GOPHERSET: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GOPHERSET (TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS). (TS//SI//REL) Modern SIM...

Thu, 13 Feb 2014 12:03:23 UTC

Finding People's Location Based on Their Activities in Cyberspace

Posted By Bruce Schneier

Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar's news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone. Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional...

Wed, 12 Feb 2014 20:06:33 UTC

DROPOUTJEEP: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: DROPOUTJEEP (TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the Apple iPhone operating system and uses the CHIMNEYPOOL framework. DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. (TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular...

Tue, 11 Feb 2014 20:55:55 UTC

SURLYSPAWN: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SURLYSPAWN (TS//SI//REL TO USA,FVEY) Data RF retro-reflector. Provides return modulated with target data (keyboard, low data rate digital device) when illuminated with radar. (U) Capabilities(TS//SI//REL TO USA,FVEY) SURLYSPAWN has the capability to gather keystrokes without requiring any software running on the targeted system. It also only requires that...

Tue, 11 Feb 2014 13:15:04 UTC

DRM and the Law

Posted By Bruce Schneier

Cory Doctorow gives a good history of the intersection of Digital Rights Management (DRM) software and the law, describes how DRM software is antithetical to end-user security, and speculates how we might convince the law to recognize that. Every security system relies on reports of newly discovered vulnerabilities as a means of continuously improving. The forces that work against security...

Tue, 11 Feb 2014 12:57:22 UTC

"The Mask" Espionage Malware

Posted By Bruce Schneier

We've got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs: The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world -- from the Middle East and Europe to Africa and the Americas. The...

Mon, 10 Feb 2014 20:58:24 UTC

WISTFULTOLL: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: WISTFULTOLL (TS//SI//REL) WISTFULTOLL is a UNITEDRAKE and STRAITBIZARRE plug-in used for harvesting and returning forensic information from a target using Windows Management Instrumentation (WMI) calls and Registry extractions. (TS//SI//REL) This plug-in supports systems running Microsoft Windows 2000, 2003, and XP. (TS//SI//REL) Through remote access or interdiction, WISTFULTOLL is...

Mon, 10 Feb 2014 12:57:22 UTC

NSA/GCHQ Accused of Hacking Belgian Cryptographer

Posted By Bruce Schneier

There has been a lot of news about Belgian cryptographer Jean-Jacques Quisquater having his computer hacked, and whether the NSA or GCHQ is to blame. It's a lot of assumptions and hyperbole, mostly related to the GCHQ attack against the Belgian telecom operator Belgacom. I'm skeptical. Not about the attack, but about the NSA's or GCHQ's involvement. I don't think...

Fri, 07 Feb 2014 22:54:10 UTC

Friday Squid Blogging: Radioactive Giant Squid Washes Ashore in California

Posted By Bruce Schneier

Uh oh. And the real story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Feb 2014 20:53:50 UTC

TRINITY: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TRINITY (TS//SI//REL) TRINITY is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments. (TS//SI//REL) TRINITY uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the...

Fri, 07 Feb 2014 20:23:19 UTC

Another Fake NSA Codename Generator

Posted By Bruce Schneier

Generate your own fake TAO implant. This is even more fun than the fake NSA program generator. Sadly, the NSA will probably use these to help develop their R&D roadmap....

Thu, 06 Feb 2014 20:07:54 UTC

SWAP: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SWAP (TS//SI//REL) SWAP provides software application persistence by exploiting the motherboard BIOS and the hard drive's Host Protected Area to gain periodic execution before the Operating System loads. (TS//SI//REL) This technique supports single or multi-processor systems running Windows, Linux, FreeBSD, or Solaris with the following file systems: FAT32,...

Thu, 06 Feb 2014 12:05:58 UTC

Dispute Resolution Systems for Security Protocols

Posted By Bruce Schneier

Interesting paper by Steven J. Murdoch and Ross Anderson in this year's Financial Cryptography conference: "Security Protocols and Evidence: Where Many Payment Systems Fail." Abstract: As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol -- the dominant card...

Wed, 05 Feb 2014 20:04:12 UTC

SOMBERKNAVE: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SOMBERKNAVE (TS//SI//REL) SOMBERKNAVE is a Windows XP wireless software implant that provides covert internet connectivity for isolated targets. (TS//SI//REL) SOMBERKNAVE is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network via an unused embedded 802.11 network device. If an Internet-connected wireless Access...

Wed, 05 Feb 2014 12:02:38 UTC

1971 Social Engineering Attack

Posted By Bruce Schneier

From Betty Medsger's book on the 1971 FBI burglary (page 22): As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked....

Tue, 04 Feb 2014 20:09:42 UTC

MAESTRO-II: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: MAESTRO-II (TS//SI//REL) MAESTRO-II is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments. (TS//SI//REL) MAESTRO-II uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the...

Tue, 04 Feb 2014 12:45:34 UTC

Hacking Airline Lounges for Free Meals

Posted By Bruce Schneier

I think this is a great hack: A man bought a first-class ticket and used it to have free meals and drinks at the airport's VIP lounge almost every day for nearly a year, Kwong Wah Yit Poh reported. The itinerary for the ticket was found to have been changed more than 300 times within a year, and the owner...

Mon, 03 Feb 2014 20:09:22 UTC

JUNIORMINT: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: JUNIORMINT (TS//SI//REL) JUNIORMINT is a digital core packaged in both a mini Printed Circuit Board (PCB), to be used in typical concealments, and a miniaturized Flip Chip Module (FCM), to be used in implants with size constraining concealments. (TS//SI//REL) JUNIORMINT uses the TAO standard implant architecture. The architecture...

Mon, 03 Feb 2014 11:09:27 UTC

CSEC Surveillance Analysis of IP and User Data

Posted By Bruce Schneier

The most recent story from the Snowden documents is from Canada: it claims the CSEC (Communications Security Establishment Canada) used airport Wi-Fi information to track travelers. That's not really true. What the top-secret presentation shows is a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using...

Fri, 31 Jan 2014 22:41:41 UTC

Friday Squid Blogging: Squid T-Shirt

Posted By Bruce Schneier

A T-shirt with a drawing of a squid reading. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 Jan 2014 20:17:41 UTC

IRATEMONK: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: IRATEMONK (TS//SI//REL) IRATEMONK provides software application persistence on desktop and laptop computers by implanting in the hard drive firmware to gain execution through Master Boot Record (MBR) substitution. (TS//SI//REL) This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung...
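
The catalog entry above describes persistence by substituting the Master Boot Record from inside the drive's firmware. The following is an added example, not code from the original post or from the leaked catalog: it parses a 512-byte MBR into the pieces an integrity check should track separately (bootstrap code, disk signature, partition table) and compares them against a recorded baseline. The boot-code stub, disk signature and partition layout are constructed for illustration. Two caveats a practitioner would want: a firmware implant decides what bytes the host sees, so the sector has to be read out of band (from a clean boot medium, or with the drive attached to a known-good controller) for the comparison to mean anything, and a baseline recorded from an already-tampered drive is worthless.

```python
"""Baseline check of a disk's MBR, to illustrate what "MBR substitution" changes.

Added example, not code from the original post or from the leaked catalog.
The boot-code stub, disk signature and partition layout are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # modern layout: 440 bytes code, 4-byte disk signature, 2 reserved
PART_TABLE_OFF = 446
# status, CHS start, type, CHS end, LBA start, sector count (16 bytes per entry)
PART_ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR from constructed parts (CHS fields left zero)."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    out = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    out += struct.pack("<IH", disk_sig, 0)
    for status, ptype, lba_start, sectors in partitions:
        out += PART_ENTRY.pack(status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
    out += b"\x00" * PART_ENTRY.size * (4 - len(partitions))
    out += b"\x55\xaa"
    assert len(out) == MBR_SIZE
    return out


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into the fields an integrity check should track separately."""
    if len(data) != MBR_SIZE or data[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + PART_ENTRY.size * i
        status, _, ptype, _, lba_start, sectors = PART_ENTRY.unpack(
            data[off:off + PART_ENTRY.size])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def compare_to_baseline(data: bytes, baseline: dict) -> list:
    """Report which parts of the MBR differ from a previously recorded baseline."""
    current = parse_mbr(data)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed clean disk: a short stub standing in for real bootstrap code
# (not a working loader) and one bootable Linux partition starting at LBA 2048.
CLEAN_STUB = b"\xfa\x31\xc0\x8e\xd8\x8e\xc0\x8e\xd0\xbc\x00\x7c\xfb"
LAYOUT = [(0x80, 0x83, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_STUB, LAYOUT)
BASELINE = parse_mbr(CLEAN_MBR)   # record this while the drive is known clean


def substituted_mbr() -> bytes:
    """Constructed substitution: boot code replaced, partition table kept intact
    so the machine still boots and nothing looks wrong from inside the OS."""
    return build_mbr(b"\xeb\x10" + CLEAN_STUB, LAYOUT)


if __name__ == "__main__":
    print("clean    :", compare_to_baseline(CLEAN_MBR, BASELINE) or "matches baseline")
    print("tampered :", compare_to_baseline(substituted_mbr(), BASELINE))
```

The comparison deliberately keys on the boot code hash rather than the whole sector: the partition table legitimately changes when volumes are resized, and a substituted MBR that preserves the table is exactly the case the catalog entry describes. Hashing the code region separately keeps that case from hiding behind a benign table edit.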

Fri, 31 Jan 2014 12:16:44 UTC

Another Credit-Card-as-Authentication Hack

Posted By Bruce Schneier

This is a pretty impressive social engineering story: an attacker compromised someone's GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It's a complicated attack. My claim was refused because I am not the "current registrant." GoDaddy asked the attacker if it was ok to change account information, while they didn't bother asking me...

Fri, 31 Jan 2014 02:38:00 UTC

HOWLERMONKEY: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: HOWLERMONKEY (TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver. It is used in conjunction with a digital core to provide a complete implant. (TS//SI//REL) HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality. PCB...

Thu, 30 Jan 2014 18:08:19 UTC

Side-Channel Attacks on Frog Calls

Posted By Bruce Schneier

The male túngara frog Physalaemus pustulosus uses calls to attract females. But croaking also causes ripples in the water, which are eavesdropped on -- both by rival male frogs and frog-eating bats....

Thu, 30 Jan 2014 12:52:28 UTC

Catalog of Snowden Revelations

Posted By Bruce Schneier

This looks to be very good. Add that to these three indexes of NSA source material, and these two summaries. This excellent parody website has a good collection of all the leaks, too....

Wed, 29 Jan 2014 20:28:56 UTC

GINSU: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GINSU (TS//SI//REL) GINSU provides software application persistence for the CNE implant, KONGUR, on target systems with the PCI bus hardware implant, BULLDOZER. (TS//SI//REL) This technique supports any desktop PC system that contains at least one PCI connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 2003, XP, or...

Wed, 29 Jan 2014 18:26:19 UTC

Trying to Value Online Privacy

Posted By Bruce Schneier

Interesting paper: "The Value of Online Privacy," by Scott Savage and Donald M. Waldman. Abstract: We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to relinquish some personal information through "privacy permissions" to obtain the app and its...

Wed, 29 Jan 2014 12:24:23 UTC

The Politics of Fear

Posted By Bruce Schneier

This is very good: ...one might suppose that modern democratic states, with the lessons of history at hand, would seek to minimize fear -- or at least minimize its effect on deliberative decision-making in both foreign and domestic policy. But today the opposite is frequently true. Even democracies founded in the principles of liberty and the common good often take...

Tue, 28 Jan 2014 20:13:13 UTC

TAWDRYYARD: NSA Exploit of the Day

Posted By Bruce Schneier

Back in December, Der Spiegel published a lot of information about the NSA's Tailored Access Operations (TAO) group, including a 2008 catalog of hardware and software "implants." Because there were so many items in the catalog, the individual items didn't get a lot of discussion. By highlighting an individual implant every day, my goal is to fix that. Today's item:...

Tue, 28 Jan 2014 18:39:12 UTC

US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance

Posted By Bruce Schneier

Now we know why the president gave his speech on NSA surveillance last week; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board. Last week, it issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this. What frustrates me about all of this...

Tue, 28 Jan 2014 12:47:48 UTC

EU Might Raise Fines for Data Breaches

Posted By Bruce Schneier

This makes a lot of sense. Viviane Reding dismissed recent fines for Google as "pocket money" and said the firm would have had to pay $1bn under her plans for privacy failings. Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously. And she questioned how Google was able to take so long...

Tue, 28 Jan 2014 02:06:31 UTC

SPARROW II: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SPARROW II (TS//SI//REL) An embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards. (U//FOUO) System Specs Processor: IBM Power PC 405GPR Memory: 64MB (SDRAM), 16MB...

Mon, 27 Jan 2014 12:32:08 UTC

New Security Risks for Windows XP Systems

Posted By Bruce Schneier

Microsoft is trying to stop supporting Windows XP. The problem is that a majority of ATMs still use that OS. And once Microsoft stops issuing security updates to XP, those machines will become increasingly vulnerable. Although I have to ask the question: how many of those ATMs have been keeping up with their patches so far? We have far to...

Fri, 24 Jan 2014 22:15:05 UTC

Friday Squid Blogging: Giant Squid Caught by Japanese Fisherman

Posted By Bruce Schneier

It's big: 13 feet long. The fisherman was stunned to discover the giant squid trapped in his net, having been caught at a depth of around 70m, about two-thirds of a mile from the coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 24 Jan 2014 20:09:51 UTC

PHOTOANGLO: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: PHOTOANGLO (TS//SI//REL TO USA,FVEY) PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000. (U) Capabilities (TS//SI//REL TO USA,FVEY) The planned capabilities for this system are: Frequency range: 1 - 2 GHz, which will be later extended to 1 -...

Fri, 24 Jan 2014 18:43:47 UTC

Applied Cryptography Available Online

Posted By Bruce Schneier

I'm sure this is a pirated copy. Looking at it, it's amazing how long ago twenty years was....

Fri, 24 Jan 2014 12:51:15 UTC

Income Inequality as a Security Issue

Posted By Bruce Schneier

This is an interesting way of characterizing income inequality as a security issue: ...growing inequality menaces vigorous societies. It is a proxy for how effectively an elite has constructed institutions that extract value from the rest of society. Professor Sam Bowles, also part of the INET network, goes further. He argues that inequality pulls production away from value creation to...

Thu, 23 Jan 2014 20:39:35 UTC

NIGHTWATCH: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: NIGHTWATCH (TS//SI//REL TO USA,FVEY) NIGHTWATCH is a portable computer with specialized, internal hardware designed to process progressive-scan (non-interlaced) VAGRANT signals. (U) Capability Summary (TS//SI//REL TO USA,FVEY) The current implementation of NIGHTWATCH consists of a general-purpose PC inside of a shielded case. The PC has PCI digitizing and clock...

Thu, 23 Jan 2014 13:03:05 UTC

Consumer Manipulation

Posted By Bruce Schneier

Tim Harford talks about consumer manipulation: Consider, first, confusion by design: Las Vegas casinos are mazes, carefully crafted to draw players to the slot machines and to keep them there. Casino designers warn against the "yellow brick road" effect of having a clear route through the casino. (One side effect: it takes paramedics a long time to find gamblers in...

Wed, 22 Jan 2014 20:15:32 UTC

NIGHTSTAND: NSA Exploit of the Day

Posted By Bruce Schneier

Today's device from the NSA's Tailored Access Operations (TAO) group implant catalog: NIGHTSTAND (TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible. (TS//SI//REL) NIGHTSTAND - Close Access Operations - Battlefield Tested - Windows Exploitation - Standalone...

Wed, 22 Jan 2014 18:19:17 UTC

Refrigerator Sending Spam Messages?

Posted By Bruce Schneier

Coming barely weeks after my essay on the security risks from embedded systems, the Proofpoint report of a spam-sending refrigerator was just too good to be true. I was skeptical, so I didn't blog it. Now Ars Technica has a good analysis of the report, and is also skeptical. In any case: it could happen, and sooner or later it...

Wed, 22 Jan 2014 12:41:07 UTC

Questioning the Efficacy of NSA's Bulk-Collection Programs

Posted By Bruce Schneier

Two reports have recently been published questioning the efficacy of the NSA's bulk-collection programs. The first one is from the left-leaning New America Foundation (report here, and one-page tabular summary here). However, our review of the government's claims about the role that NSA bulk surveillance of phone and email communications records has had in keeping the United States safe from...

Tue, 21 Jan 2014 20:11:39 UTC

LOUDAUTO: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: LOUDAUTO (TS//SI//REL TO USA,FVEY) Audio-based RF retro-reflector. Provides room audio from targeted space using radar and basic post-processing. (U) Capabilities (TS//SI//REL TO USA,FVEY) LOUDAUTO's current design maximizes the gain of the microphone. This makes it extremely useful for picking up room audio. It can pick up speech at...

Tue, 21 Jan 2014 12:33:41 UTC

Adware Vendors Buy and Abuse Chrome Extensions

Posted By Bruce Schneier

This is not a good development: To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is...

Mon, 20 Jan 2014 20:20:46 UTC

CTX4000: NSA Exploit of the Day

Posted By Bruce Schneier

Today's device -- this one isn't an implant -- from the NSA's Tailored Access Operations (TAO) group implant catalog: CTX4000 (TS//SI//REL TO USA,FVEY) The CTX4000 is a portable continuous wave (CW) radar unit. It can be used to illuminate a target system to recover different off net information. Primary uses include VAGRANT and DROPMIRE collection. (TS//SI//REL TO USA,FVEY) The CTX4000...

Mon, 20 Jan 2014 12:18:58 UTC

DDOS Attacks Using NTP

Posted By Bruce Schneier

This is new: The NTP method first began to appear late last year. To bring down a server such as one running "League of Legends," the attackers trick NTP servers into thinking they've been queried by the "League of Legends" server. The NTP servers, thinking they're responding to a legitimate query, message the "League of Legends" server, overloading it with...
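
The paragraph above describes the mechanism: the attacker sends small queries to NTP servers with the source address forged to be the victim's, and the servers deliver their much larger replies to the victim. Below is an added example, not code from the original post, showing the detection side of that exchange as it appears in flow records seen by a network sensor. The flow format (src sport dst dport packets bytes), the sample records and the thresholds are constructed assumptions; the logic looks for the three signals that together distinguish reflection from ordinary time synchronization: many distinct NTP servers converging on one address, far more bytes coming back than went out under that address, and replies that are large per packet.

```python
"""NTP reflection detection over flow records.

Added example, not code from the original post. The flow format
(src sport dst dport packets bytes), the sample records and the
thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

NTP_PORT = 123

# Constructed sample: a victim (198.51.100.7) whose address was spoofed in
# small queries to three reflectors, each of which answered with 200 large
# packets, plus one ordinary client/server exchange that must not be flagged.
SAMPLE_FLOWS = """\
# src            sport  dst            dport  packets  bytes
198.51.100.7     53000  192.0.2.10     123    2        120
192.0.2.10       123    198.51.100.7   53000  200      88000
198.51.100.7     53000  192.0.2.11     123    2        120
192.0.2.11       123    198.51.100.7   53000  200      88000
198.51.100.7     53000  192.0.2.12     123    2        120
192.0.2.12       123    198.51.100.7   53000  200      88000
203.0.113.9      41000  192.0.2.1      123    1        76
192.0.2.1        123    203.0.113.9    41000  1        76
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


@dataclass
class Suspect:
    """Traffic seen to, and apparently from, one address on the NTP port."""
    victim: str
    reflectors: set = field(default_factory=set)
    request_bytes: int = 0      # bytes of queries carrying this source address
    response_bytes: int = 0     # bytes of replies delivered to this address
    response_packets: int = 0

    @property
    def amplification(self) -> float:
        # A sensor at the victim's edge sees only the reply side; treat the
        # ratio as unbounded there instead of dividing by zero.
        if self.request_bytes == 0:
            return float("inf")
        return self.response_bytes / self.request_bytes


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), int(packets), int(nbytes)))
    return flows


def find_amplification_victims(flows, min_reflectors=2, min_ratio=10.0,
                               min_bytes_per_packet=200) -> dict:
    """Return {victim: Suspect} for addresses that look like reflection targets.

    A query is any flow to UDP/123; its source is taken at face value, which
    is exactly what the reflector does. A reply is any flow from UDP/123.
    ntpd-to-ntpd peering (123 -> 123) lands in the query branch, so exclude
    your own peers before running this against production data.
    """
    by_victim = {}
    for f in flows:
        if f.dport == NTP_PORT:
            s = by_victim.setdefault(f.src, Suspect(f.src))
            s.request_bytes += f.nbytes
        elif f.sport == NTP_PORT:
            s = by_victim.setdefault(f.dst, Suspect(f.dst))
            s.reflectors.add(f.src)
            s.response_bytes += f.nbytes
            s.response_packets += f.packets

    hits = {}
    for victim, s in by_victim.items():
        if s.response_packets == 0:
            continue
        avg_reply = s.response_bytes / s.response_packets
        # A normal NTP reply is one small datagram from one server; reflection
        # shows many servers, a large byte ratio, and fat multi-packet replies.
        if (len(s.reflectors) >= min_reflectors
                and s.amplification >= min_ratio
                and avg_reply >= min_bytes_per_packet):
            hits[victim] = s
    return hits


if __name__ == "__main__":
    for victim, s in find_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {len(s.reflectors)} reflectors, "
              f"amplification x{s.amplification:.0f}, "
              f"{s.response_bytes} bytes delivered")
```

On the constructed sample the victim is flagged with three reflectors and a byte ratio in the hundreds, while the ordinary client at 203.0.113.9 (one server, one small reply) is not. The same aggregation works from the reflector operator's side, where the queries "from" the victim and the outsized replies to it are both visible; the operational fix there is to disable the monitoring query that produces the large reply and to not answer unauthenticated mode 6/7 requests from arbitrary sources.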

Fri, 17 Jan 2014 22:44:12 UTC

Friday Squid Blogging: Camouflage in Squid Eyes

Posted By Bruce Schneier

Interesting research: Cephalopods possess a sophisticated array of mechanisms to achieve camouflage in dynamic underwater environments. While active mechanisms such as chromatophore patterning and body posturing are well known, passive mechanisms such as manipulating light with highly evolved reflectors may also play an important role. To explore the contribution of passive mechanisms to cephalopod camouflage, we investigated the optical and...

Fri, 17 Jan 2014 20:57:43 UTC

PowerLocker uses Blowfish

Posted By Bruce Schneier

There's a new piece of ransomware out there, PowerLocker (also called PrisonLocker), that uses Blowfish: PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single...

Fri, 17 Jan 2014 20:06:48 UTC

STUCCOMONTANA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: STUCCOMONTANA (TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...

Fri, 17 Jan 2014 18:53:57 UTC

NSA-O-Matic

Posted By Bruce Schneier

Generate your own fake NSA programs....

Fri, 17 Jan 2014 11:32:20 UTC

NSA Collects Hundreds of Millions of Text Messages Daily

Posted By Bruce Schneier

No surprise here. Although we have some new codenames: DISHFIRE: The NSA's program to collect text messages and text-message metadata. PREFER: The NSA's program to perform automatic analysis on the text-message data and metadata. The documents talk about not just collecting chatty text messages, but VCards, SIM card changes, missed calls, roaming information indicating border crossings, travel itineraries, and financial transactions....

Thu, 16 Jan 2014 20:00:21 UTC

SIERRAMONTANA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: SIERRAMONTANA (TS//SI//REL) SIERRAMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...

Thu, 16 Jan 2014 18:27:40 UTC

Today I Briefed Congress on the NSA

Posted By Bruce Schneier

This morning I spent an hour in a closed room with six Members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Scott, Rep. Goodlatte, Rep. Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn't forthcoming about their activities, and they wanted...

Thu, 16 Jan 2014 18:03:27 UTC

Edward Elgar's Ciphers

Posted By Bruce Schneier

Elgar's cryptography puzzles from the late 1890s....

Thu, 16 Jan 2014 13:29:59 UTC

Cell Phone Tracking by Non-State Actors

Posted By Bruce Schneier

This is interesting: Adding credence to the theory that Brooklyn landlord Menachem Stark was kidnapped and murdered by professionals, a law enforcement source tells the Post that the NYPD found a cell phone attached to the bottom of his car, which could have been used to track his movements. This is interesting. Presumably the criminals installed one of those "track...

Wed, 15 Jan 2014 20:56:44 UTC

SCHOOLMONTANA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: SCHOOLMONTANA (TS//SI//REL) SCHOOLMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...

Wed, 15 Jan 2014 12:23:38 UTC

The Changing Cost of Surveillance

Posted By Bruce Schneier

From Ashkan Soltani's blog post: The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled "Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones." In it, we discuss the drastic reduction in the cost of tracking an...

Tue, 14 Jan 2014 20:10:22 UTC

HEADWATER: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: HEADWATER (TS//SI//REL) HEADWATER is a Persistent Backdoor (PBD) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection. (TS//SI//REL) HEADWATER PBD implant will be transferred remotely over the Internet to the selected target router by...

Tue, 14 Jan 2014 13:15:55 UTC

Debunking the "NSA Mass Surveillance Could Have Stopped 9/11" Myth

Posted By Bruce Schneier

It's something that we're hearing a lot, both from NSA Director General Keith Alexander and others: the NSA's mass surveillance programs could have stopped 9/11. It's not true, and recently two people have published good essays debunking this claim. The first is from Lawrence Wright, who wrote the best book (The Looming Tower) on the lead-up to 9/11: Judge Pauley...

Mon, 13 Jan 2014 20:45:09 UTC

SOUFFLETROUGH: NSA Exploit of the Day

Posted By Bruce Schneier

One of the top secret NSA documents published by Der Spiegel is a 50-page catalog of "implants" from the NSA's Tailored Access Group. Because the individual implants are so varied and we saw so many at once, most of them were never discussed in the security community. (Also, the pages were PDFs, which makes them harder to index and search.)...

Mon, 13 Jan 2014 12:28:55 UTC

How the NSA Threatens National Security

Posted By Bruce Schneier

Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President's Review Group has just released its report and recommendations. With all this going on, it's easy to become inured to the breadth and depth of the NSA's activities. But through the...

Fri, 10 Jan 2014 22:27:21 UTC

Friday Squid Blogging: Squid New Year

Posted By Bruce Schneier

Happy squid new year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Jan 2014 12:45:35 UTC

1971 FBI Burglary

Posted By Bruce Schneier

Interesting story: ...burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside. They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive...

Thu, 09 Jan 2014 19:02:25 UTC

JETPLOW: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: JETPLOW (TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT's BANANAGLEE software implant. JETPLOW also has a persistent back-door capability. (TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls....

Thu, 09 Jan 2014 12:33:29 UTC

Security Risks of Embedded Systems

Posted By Bruce Schneier

We're at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself -- as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there's no good way to patch them. It's not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching...

Wed, 08 Jan 2014 19:48:29 UTC

HALLUXWATER: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: HALLUXWATER (TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine. Once installed,...

Wed, 08 Jan 2014 14:07:03 UTC

The Failure of Privacy Notices and Consumer Choice

Posted By Bruce Schneier

Paper from First Monday: "Transaction costs, privacy, and trust: The laudable goals and ultimate failure of notice and choice to respect privacy." Abstract: The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the...

Tue, 07 Jan 2014 22:53:26 UTC

Twitter Users: Please Make Sure You're Following the Right Feed

Posted By Bruce Schneier

I have an official Twitter feed of my blog; it's @schneierblog. There's also an unofficial feed at @Bruce_Schneier. I have nothing to do with that one. I wouldn't mind the unofficial feed -- if people are reading my blog, who cares -- except that it isn't working right, and hasn't been for some time. It publishes some posts weeks late...

Tue, 07 Jan 2014 19:16:12 UTC

GOURMETTROUGH: NSA Exploit of the Day

Posted By Bruce Schneier

Continuing our walk through the NSA's Tailored Access Operations (TAO) group implant catalog: GOURMETTROUGH (TS//SI//REL) GOURMETTROUGH is a user configurable implant for certain Juniper firewalls. It persists DNT's BANANAGLEE implant across reboots and OS upgrades. For some platforms, it supports a minimal implant with beaconing for OS's unsupported by BANANAGLEE. (TS//SI//REL) For supported platforms, DNT may configure without ANT involvement....

Tue, 07 Jan 2014 14:22:45 UTC

Matt Blaze on TAO's Methods

Posted By Bruce Schneier

Matt Blaze makes a point that I have been saying for a while now: Don't get me wrong, as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights out of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less...

Mon, 06 Jan 2014 19:28:37 UTC

FEEDTROUGH: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: FEEDTROUGH (TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants, DNT's BANANAGLEE and CES's ZESTYLEAK used against Juniper Netscreen firewalls. (TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or BANANAGLEE across reboots and software upgrades on known and covered OS's for the following Netscreen firewalls,...

Mon, 06 Jan 2014 12:18:30 UTC

I've Joined Co3 Systems

Posted By Bruce Schneier

For decades, I've said that good security is a combination of protection, detection, and response. In 1999, when I formed Counterpane Internet Security, I focused the company on what was then the nascent area of detection. Since then, there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now,...

Fri, 03 Jan 2014 22:09:38 UTC

Friday Squid Blogging: Squid-Shaped Dog Toy

Posted By Bruce Schneier

Just the thing....

Fri, 03 Jan 2014 20:23:43 UTC

NSA Documents from the Spiegel Story

Posted By Bruce Schneier

There are more source documents from the recent Spiegel story on the NSA than I realized. Here is what I think is the complete list: "Tailored Access Operations" presentation, 14 pages. Lots of information about QUANTUM. "NSA QUANTUM Tasking Techniques for the R&T Analyst" presentation, 28 pages. Includes details about MARINA. "Getting Close to the Adversary: Forward-based Defense with QFIRE"...

Fri, 03 Jan 2014 18:20:47 UTC

NSA Exploit of the Day: IRONCHEF

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is IRONCHEF: IRONCHEF (TS//SI//REL) IRONCHEF provides access persistence to target systems by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to communicate with a hardware implant that provides two-way RF communication. (TS//SI//REL) This technique supports the HP Proliant 380DL G6 server, onto which a hardware implant...

Fri, 03 Jan 2014 12:10:49 UTC

Cost/Benefit Analysis of NSA's 215 Metadata Collection Program

Posted By Bruce Schneier

It has amazed me that the NSA doesn't seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....

Thu, 02 Jan 2014 21:25:27 UTC

NSA Exploit of the Day: DEITYBOUNCE

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...

Thu, 02 Jan 2014 12:40:02 UTC

"Military Style" Raid on California Power Station

Posted By Bruce Schneier

I don't know what to think about this: Around 1:00 AM on April 16, at least one individual (possibly two) entered two different manholes at the PG&E Metcalf power substation, southeast of San Jose, and cut fiber cables in the area around the substation. That knocked out some local 911 services, landline service to the substation, and cell phone service...

Tue, 31 Dec 2013 13:31:26 UTC

More about the NSA's Tailored Access Operations Unit

Posted By Bruce Schneier

Der Spiegel has a good article on the NSA's Tailored Access Operations unit: basically, its hackers. The article also has more details on how QUANTUM -- particularly, QUANTUMINSERT -- works. Another article discusses the various tools TAO has at its disposal. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its...

Mon, 30 Dec 2013 15:55:49 UTC

Joseph Stiglitz on Trust

Posted By Bruce Schneier

Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in today's society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...

Fri, 27 Dec 2013 22:14:27 UTC

Friday Squid Blogging: Kim Jong Un Tours Frozen Squid Factory

Posted By Bruce Schneier

Frozen squid makes him happy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 26 Dec 2013 12:44:29 UTC

Operation Vula

Posted By Bruce Schneier

"Talking to Vula" is the story of a 1980s secret communications channel between black South African leaders and others living in exile in the UK. The system used encrypted text encoded into DTMF "touch tones" and transmitted from pay phones. Our next project was one that led to the breakthrough we had been waiting for. We had received a request,...

Wed, 25 Dec 2013 12:44:11 UTC

Christmas Comic

Posted By Bruce Schneier

Amusing....

Tue, 24 Dec 2013 12:54:43 UTC

Report on Syrian Malware

Posted By Bruce Schneier

Fascinating report from Citizen Lab on the use of malware in the current Syrian conflict (EFF summary and Wired article)....

Mon, 23 Dec 2013 12:26:23 UTC

NSA Spying: Who Do You Believe?

Posted By Bruce Schneier

On Friday, Reuters reported that RSA entered a secret contract to make DUAL_EC_PRNG the default random number generator in the BSAFE toolkit. DUAL_EC_PRNG is now known to be back-doored by the NSA. Yesterday, RSA denied it: Recent press coverage has asserted that RSA entered into a secret contract with the NSA to incorporate a known flawed random number generator into...

Fri, 20 Dec 2013 22:21:51 UTC

Friday Squid Blogging: "What Does the Squid Say?"

Posted By Bruce Schneier

Minecraft parody. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Dec 2013 20:31:43 UTC

Yes, I'm Leaving BT

Posted By Bruce Schneier

The Register reported that I am leaving BT at the end of the year. It quoted BT as saying: We hired Bruce because of his thought leadership in security and as part of our acquisition of Counterpane. We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has...

Fri, 20 Dec 2013 12:30:18 UTC

Eben Moglen and I Talk about the NSA

Posted By Bruce Schneier

Last week, Eben Moglen and I had a conversation about NSA surveillance. Audio and video are online....

Thu, 19 Dec 2013 12:29:58 UTC

Acoustic Cryptanalysis

Posted By Bruce Schneier

This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...

Wed, 18 Dec 2013 15:59:13 UTC

Tor User Identified by FBI

Posted By Bruce Schneier

Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It's just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed...

Tue, 17 Dec 2013 13:10:05 UTC

Security Vulnerabilities of Legacy Code

Posted By Bruce Schneier

An interesting research paper documents a "honeymoon effect" when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It's a few years old, but I haven't seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: "Familiarity Breeds Contempt: The Honeymoon Effect and...

Mon, 16 Dec 2013 12:09:00 UTC

Attacking Online Poker Players

Posted By Bruce Schneier

This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware. I agree with the conclusion: So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you...

Fri, 13 Dec 2013 22:05:30 UTC

Friday Squid Blogging: Squid Bow Tie

Posted By Bruce Schneier

Snappy-looking bow tie. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Dec 2013 19:24:57 UTC

President Obama and the Intelligence Community

Posted By Bruce Schneier

Really good article from the New Yorker....

Fri, 13 Dec 2013 17:20:14 UTC

World War II Anecdote about Trust and Security

Posted By Bruce Schneier

This is an interesting story from World War II about trust: Jones notes that the Germans doubted their system because they knew the British could radio false orders to the German bombers with no trouble. As Jones recalls, "In fact we did not do this, but it seemed such an easy countermeasure that the German crews thought that we might,...

Thu, 12 Dec 2013 18:55:48 UTC

How the NSA Tracks Mobile Phone Data

Posted By Bruce Schneier

Last week the Washington Post reported on how the NSA tracks mobile phones world-wide, and this week they followed up with source documents and more detail. Barton Gellman and Ashkan Soltani are doing some fantastic reporting on the Snowden NSA documents. I hope to be able to do the same again, once Pierre Omidyar's media venture gets up and running....

Thu, 12 Dec 2013 12:21:27 UTC

NSA Tracks People Using Google Cookies

Posted By Bruce Schneier

The Washington Post has a detailed article on how the NSA uses cookie data to track individuals. The EFF also has a good post on this. I have been writing and saying that government surveillance largely piggybacks on corporate capabilities, and this is an example of that. The NSA doesn't need the cooperation of any Internet company to use...

Tue, 10 Dec 2013 15:08:34 UTC

NSA Spying on Online Gaming Worlds

Posted By Bruce Schneier

The NSA is spying on chats in World of Warcraft and other games. There's lots of information -- and a good source document. While it's fun to joke about the NSA and elves and dwarves from World of Warcraft, this kind of surveillance makes perfect sense. If, as Dan Geer has pointed out, your assigned mission is to ensure that...

Mon, 09 Dec 2013 17:33:41 UTC

Bitcoin Explanation

Posted By Bruce Schneier

This is the best explanation of the Bitcoin protocol that I have read....

Fri, 06 Dec 2013 22:33:23 UTC

Friday Squid Blogging: Hoax Squid-Like Creature

Posted By Bruce Schneier

The weird squid-like creature floating around Bristol Harbour is a hoax. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Dec 2013 20:47:02 UTC

New Book: Carry On

Posted By Bruce Schneier

I have a new book. It's Carry On: Sound Advice from Schneier on Security, and it's my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.) There's nothing in this book that hasn't been published before, and...

Fri, 06 Dec 2013 20:16:03 UTC

Bruce Schneier Facts T-Shirts

Posted By Bruce Schneier

0-Day Clothing has taken 25 Bruce Schneier Facts and turned them into T-shirts just in time for Christmas....

Fri, 06 Dec 2013 12:19:52 UTC

Telepathwords: A New Password Strength Estimator

Posted By Bruce Schneier

Telepathwords is a pretty clever research project that tries to evaluate password strength. It's different from normal strength meters, and I think better. Telepathwords tries to predict the next character of your passwords by using knowledge of: common passwords, such as those made public as a result of security breaches common phrases, such as those that appear frequently on web...

Thu, 05 Dec 2013 19:16:13 UTC

Heartwave Biometric

Posted By Bruce Schneier

Here's a new biometric I know nothing about: The wristband relies on authenticating identity by matching the overall shape of the user's heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods -- like fingerprint scanning and iris-/facial-recognition tech -- the system doesn't require the user to authenticate every time they want to unlock something. Because it's a wearable...

Thu, 05 Dec 2013 12:58:15 UTC

The Problem with EULAs

Posted By Bruce Schneier

Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course. And to make it legal, it's part of the end-user license agreement (EULA): COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and...

Wed, 04 Dec 2013 12:28:05 UTC

Evading Airport Security

Posted By Bruce Schneier

The news is reporting about Evan Booth, who builds weaponry out of items you can buy after airport security. It's clever stuff. It's not new, though. People have been explaining how to evade airport security for years. Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick...

Tue, 03 Dec 2013 12:14:05 UTC

Keeping Track of All the Snowden Documents

Posted By Bruce Schneier

As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying. None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the...

Mon, 02 Dec 2013 18:48:37 UTC

The TQP Patent

Posted By Bruce Schneier

One of the things I do is expert witness work in patent litigations. Often, it's defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent...

Mon, 02 Dec 2013 12:05:31 UTC

How Antivirus Companies Handle State-Sponsored Malware

Posted By Bruce Schneier

Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus...

Fri, 29 Nov 2013 22:15:54 UTC

Friday Squid Blogging: Squid Worm Discovered

Posted By Bruce Schneier

This squid-like worm -- Teuthidodrilus samae -- is new to science. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Nov 2013 12:18:38 UTC

More on Stuxnet

Posted By Bruce Schneier

Ralph Langner has written the definitive analysis of Stuxnet: short, popular version, and long, technical version. Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet's smaller and simpler attack routine -- the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But...

Wed, 27 Nov 2013 12:28:42 UTC

Tor Appliance

Posted By Bruce Schneier

Safeplug is an easy-to-use Tor appliance. I like that it can also act as a Tor exit node....

Tue, 26 Nov 2013 12:29:05 UTC

The FBI Might Do More Domestic Surveillance than the NSA

Posted By Bruce Schneier

This is a long article about the FBI's Data Intercept Technology Unit (DITU), which is basically its own internal NSA. It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies -- an operation that the NSA once conducted, was reprimanded for, and says it abandoned. [...] The...

Mon, 25 Nov 2013 19:51:03 UTC

US Working to Kill UN Resolutions to Limit International Surveillance

Posted By Bruce Schneier

This story should get more publicity than it has....

Mon, 25 Nov 2013 12:53:29 UTC

Surveillance as a Business Model

Posted By Bruce Schneier

Google recently announced that it would start including individual users' names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached—without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on...

Fri, 22 Nov 2013 22:53:42 UTC

Friday Squid Blogging: Magnapinna Squid Photo

Posted By Bruce Schneier

Neat photo. Video, too. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Nov 2013 20:56:26 UTC

Reddit "Ask Me Anything"

Posted By Bruce Schneier

I just did an AMA on Reddit....

Thu, 21 Nov 2013 19:42:38 UTC

Rerouting Internet Traffic by Attacking BGP

Posted By Bruce Schneier

Renesys is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The attacks exploit flaws in the Border Gateway Protocol (BGP). Ars Technica has a good article explaining the details. The odds that the NSA is not doing this sort of thing are basically zero, but I'm sure that their activities are going to be harder to...

Wed, 20 Nov 2013 12:47:56 UTC

How to Avoid Getting Arrested

Posted By Bruce Schneier

The tips are more psychological than security....

Tue, 19 Nov 2013 12:32:54 UTC

Fokirtor

Posted By Bruce Schneier

Fokirtor is a Linux Trojan that exfiltrates traffic by inserting it into SSH connections. It looks very well-designed and -constructed....

Mon, 18 Nov 2013 13:35:01 UTC

Explaining and Speculating About QUANTUM

Posted By Bruce Schneier

Nicholas Weaver has a great essay explaining how the NSA's QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...

Fri, 15 Nov 2013 22:05:30 UTC

Friday Squid Blogging: Squid Fishermen Seen from Space

Posted By Bruce Schneier

Cool photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Nov 2013 20:34:21 UTC

Various Schneier Audio and Video Talks and Interviews

Posted By Bruce Schneier

News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. I'm the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....

Fri, 15 Nov 2013 12:28:45 UTC

Security Tents

Posted By Bruce Schneier

The US government sets up secure tents for the president and other officials to deal with classified material while traveling abroad. Even when Obama travels to allied nations, aides quickly set up the security tent -- which has opaque sides and noise-making devices inside -- in a room near his hotel suite. When the president needs to read a classified...

Thu, 14 Nov 2013 12:21:57 UTC

A Fraying of the Public/Private Surveillance Partnership

Posted By Bruce Schneier

The public/private surveillance partnership between the NSA and corporate data collectors is starting to fray. The reason is sunlight. The publicity resulting from the Snowden documents has made companies think twice before allowing the NSA access to their users' and customers' data. Pre-Snowden, there was no downside to cooperating with the NSA. If the NSA asked you for copies of...

Wed, 13 Nov 2013 20:17:52 UTC

Microsoft Retiring SHA-1 in 2016

Posted By Bruce Schneier

I think this is a good move on Microsoft's part: Microsoft is recommending that customers and CA's stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016. More news. SHA-1 isn't broken...

Wed, 13 Nov 2013 12:46:32 UTC

Another QUANTUMINSERT Attack Example

Posted By Bruce Schneier

Der Spiegel is reporting that the GCHQ used QUANTUMINSERT to direct users to fake LinkedIn and Slashdot pages run by -- this code name is not in the article -- FOXACID servers. There's not a lot technically new in the article, but we do get some information about popularity and jargon. According to other secret documents, Quantum is an extremely...

Tue, 12 Nov 2013 19:04:12 UTC

Cryptographic Blunders Revealed by Adobe's Password Leak

Posted By Bruce Schneier

Adobe lost 150 million customer passwords. Even worse, they had a pretty dumb cryptographic hash system protecting those passwords....

Tue, 12 Nov 2013 12:35:43 UTC

Bizarre Online Gambling Movie-Plot Threat

Posted By Bruce Schneier

This article argues that online gambling is a strategic national threat because terrorists could use it to launder money. The Harper demonstration showed the technology and techniques that terror and crime organizations could use to operate untraceable money laundering built on a highly liquid legalized online poker industry -- just the environment that will result from the spread of poker...

Mon, 11 Nov 2013 12:21:29 UTC

Dan Geer Explains the Government Surveillance Mentality

Posted By Bruce Schneier

This talk by Dan Geer explains the NSA mindset of "collect everything": I previously worked for a data protection company. Our product was, and I believe still is, the most thorough on the market. By "thorough" I mean the dictionary definition, "careful about doing something in an accurate and exact way." To this end, installing our product instrumented every system...

Fri, 08 Nov 2013 22:10:50 UTC

Friday Squid Blogging: Tree Yarn-Bombed

Posted By Bruce Schneier

This tree (http://www.thisiscolossal.com/2013/10/a-yarn-bombed-tree-squid/) in San Mateo, CA, has been turned into a giant blue squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Nov 2013 19:06:24 UTC

Another Snowden Lesson: People Are the Weak Security Link

Posted By Bruce Schneier

There's a story that Edward Snowden successfully socially engineered other NSA employees into giving him their passwords....

Fri, 08 Nov 2013 12:58:58 UTC

Why the Government Should Help Leakers

Posted By Bruce Schneier

In the Information Age, it's easier than ever to steal and publish data. Corporations and governments have to adjust to their secrets being exposed, regularly. When massive amounts of government documents are leaked, journalists sift through them to determine which pieces of information are newsworthy, and confer with government agencies over what needs to be redacted. Managing this reality is...

Thu, 07 Nov 2013 13:06:53 UTC

Risk-Based Authentication

Posted By Bruce Schneier

I like this idea of giving each individual login attempt a risk score, based on the characteristics of the attempt: The risk score estimates the risk associated with a log-in attempt based on a user's typical log-in and usage profile, taking into account their device and geographic location, the system they're trying to access, the time of day they typically...

Wed, 06 Nov 2013 19:53:31 UTC

Deception in Fruit Flies

Posted By Bruce Schneier

The wings of the Goniurellia tridens fruit fly have images of an ant on them, to deceive predators: "When threatened, the fly flashes its wings to give the appearance of ants walking back and forth. The predator gets confused and the fly zips off." Click on the link to see the photo....

Wed, 06 Nov 2013 12:35:02 UTC

Elliptic Curve Crypto Primer

Posted By Bruce Schneier

This is well-written and very good....

Tue, 05 Nov 2013 12:53:34 UTC

The Story of the Bomb Squad at the Boston Marathon

Posted By Bruce Schneier

This is interesting reading, but I'm left wanting more. What are the lessons here? How can we do this better next time? Clearly we won't be able to anticipate bombings; even Israel can't do that. We have to get better at responding. Several years after 9/11, I conducted training with a military bomb unit charged with guarding Washington, DC. Our...

Mon, 04 Nov 2013 19:39:56 UTC

More NSA Revelations

Posted By Bruce Schneier

This New York Times story on the NSA is very good, and contains lots of little tidbits of new information gleaned from the Snowden documents. The agency's Dishfire database -- nothing happens without a code word at the N.S.A. -- stores years of text messages from around the world, just in case. Its Tracfin collection accumulates gigabytes of credit card...

Mon, 04 Nov 2013 12:15:24 UTC

badBIOS

Posted By Bruce Schneier

Good story of badBIOS, a really nasty piece of malware. The weirdest part is how it uses ultrasonic sound to jump air gaps. Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close...

Fri, 01 Nov 2013 21:40:24 UTC

Friday Squid Blogging: 8-Foot Giant Squid Pillow

Posted By Bruce Schneier

Make your own 8-foot giant squid pillow. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Nov 2013 19:26:53 UTC

A Template for Reporting Government Surveillance News Stories

Posted By Bruce Schneier

This is from 2006 -- I blogged it here -- but it's even more true today. Under a top secret program initiated by the Bush Administration after the Sept. 11 attacks, the [name of agency (FBI, CIA, NSA, etc.)] have been gathering a vast database of [type of records] involving United States citizens. "This program is a vital tool in...

Fri, 01 Nov 2013 19:03:32 UTC

Reading Group at Harvard Law School

Posted By Bruce Schneier

In Spring Semester, I'm running a reading group -- which seems to be a formal variant of a study group -- at Harvard Law School on "Security, Power, and the Internet." I would like a good mix of people, so non law students and non Harvard students are both welcome to sign up....

Fri, 01 Nov 2013 11:32:29 UTC

Close-In Surveillance Using Your Phone's Wi-Fi

Posted By Bruce Schneier

This article talks about applications in retail, but the possibilities are endless. Every smartphone these days comes equipped with a WiFi card. When the card is on and looking for networks to join, it's detectable by local routers. In your home, the router connects to your device, and then voila -- you have the Internet on your phone. But in...

Thu, 31 Oct 2013 15:29:21 UTC

NSA Eavesdropping on Google and Yahoo Networks

Posted By Bruce Schneier

The Washington Post reported that the NSA is eavesdropping on the Google and Yahoo private networks -- the code name for the program is MUSCULAR. I may write more about this later, but I have some initial comments: It's a measure of how far off the rails the NSA has gone that it's taking its Cold War-era eavesdropping tactics --...

Wed, 30 Oct 2013 11:50:10 UTC

The Battle for Power on the Internet

Posted By Bruce Schneier

We're in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently,...

Tue, 29 Oct 2013 18:46:58 UTC

What the NSA Can and Cannot Do

Posted By Bruce Schneier

Good summary from the London Review of Books....

Tue, 29 Oct 2013 10:54:52 UTC

Arguing for NSA-Level Internet Surveillance

Posted By Bruce Schneier

Jack Goldsmith argues that we need the NSA to surveil the Internet not for terrorism reasons, but for cyberespionage and cybercrime reasons. Daniel Gallington argues -- the headline has nothing to do with the content -- that the balance between surveillance and privacy is about right....

Mon, 28 Oct 2013 11:39:30 UTC

Understanding the Threats in Cyberspace

Posted By Bruce Schneier

The primary difficulty of cyber security isn't technology -- it's policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace's many security challenges, so it's important to understand them all before any one of them can be solved. The list...

Sat, 26 Oct 2013 22:43:43 UTC

US Government Monitoring Public Internet in Real Time

Posted By Bruce Schneier

Here's a demonstration of the US government's capabilities to monitor the public Internet. Former CIA and NSA Director Michael Hayden was on the Acela train between New York and Washington DC, taking press interviews on the phone. Someone nearby overheard the conversation, and started tweeting about it. Within 15 or so minutes, someone somewhere noticed the tweets, and informed someone...

Sat, 26 Oct 2013 02:08:54 UTC

Friday Squid Blogging: Dynamic Biophotonics in Squid

Posted By Bruce Schneier

Female squid exhibit sexually dimorphic tunable leucophores and iridocytes. Just so you know. Here's the story in more accessible language. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Oct 2013 14:26:30 UTC

Book Review: Cyber War Will Not Take Place

Posted By Bruce Schneier

Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013. Cyber war is possibly the most dangerous buzzword of the Internet era. The fear-inducing rhetoric surrounding it is being used to justify major changes in the way the Internet is organized, governed, and constructed. And in Cyber War Will Not Take Place, Thomas Rid convincingly argues that cyber...

Fri, 25 Oct 2013 11:30:01 UTC

Cognitive Biases About Violence as a Negotiating Tactic

Posted By Bruce Schneier

Interesting paper: Max Abrahms, "The Credibility Paradox: Violence as a Double-Edged Sword in International Politics," International Studies Quarterly, 2013: Abstract: Implicit in the rationalist literature on bargaining over the last half-century is the political utility of violence. Given our anarchical international system populated with egoistic actors, violence is thought to promote concessions by lending credibility to their threats. From the...

Thu, 24 Oct 2013 13:45:11 UTC

DARPA Contest for Fully-Automated Network Defense

Posted By Bruce Schneier

DARPA is looking for a fully-automated network defense system: What if computers had a "check engine" light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen? To find out, the Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC) -- the first-ever...

Wed, 23 Oct 2013 15:03:13 UTC

Code Names for NSA Exploit Tools

Posted By Bruce Schneier

This is from a Snowden document released by Le Monde: General Term Descriptions: HIGHLANDS: Collection from Implants VAGRANT: Collection of Computer Screens MAGNETIC: Sensor Collection of Magnetic Emanations MINERALIZE: Collection from LAN Implant OCEAN: Optical Collection System for Raster-Based Computer Screens LIFESAFER: Imaging of the Hard Drive GENIE: Multi-stage operation: jumping the airgap etc. BLACKHEART: Collection from an FBI Implant...

Wed, 23 Oct 2013 10:35:39 UTC

Dry Ice Bombs at LAX

Posted By Bruce Schneier

The news story about the guy who left dry ice bombs in restricted areas of LAX is really weird. I can't get worked up over it, though. Dry ice bombs are a harmless prank. I set off a bunch of them when I was in college, although I used liquid nitrogen, because I was impatient -- and they're harmless. I...

Tue, 22 Oct 2013 16:32:49 UTC

Can I Be Trusted?

Posted By Bruce Schneier

SlashDot asks the question: I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that...

Tue, 22 Oct 2013 11:15:41 UTC

Defending Against Crypto Backdoors

Posted By Bruce Schneier

We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the...

Mon, 21 Oct 2013 11:05:05 UTC

The Trajectories of Government and Corporate Surveillance

Posted By Bruce Schneier

Historically, surveillance was difficult and expensive. Over the decades, as technology advanced, surveillance became easier and easier. Today, we find ourselves in a world of ubiquitous surveillance, where everything is collected, saved, searched, correlated and analyzed. But while technology allowed for an increase in both corporate and government surveillance, the private and public sectors took very different paths to get...

Fri, 18 Oct 2013 21:10:58 UTC

Friday Squid Blogging: Fiona Apple Wears a Squid as a Hat in New Video

Posted By Bruce Schneier

Even I think this is weird....

Fri, 18 Oct 2013 17:03:20 UTC

D-Link Router Backdoor

Posted By Bruce Schneier

Several versions of D-Link router firmware contain a backdoor. Just set the browser's user agent string to "xmlset_roodkcableoj28840ybtide," and you're in. (Hint: remove the number and read it backwards.) It was probably put there for debugging purposes, but has all sorts of applications for surveillance. Good article on the subject....
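
The backdoor is triggered purely by a request header, so the cheapest check a defender has is the device's own HTTP log. The script below is an added example, not code from the post or from D-Link: it applies the post's decoding hint to the string, then scans combined-format access-log lines for requests that carried it. The log lines are constructed for the example; the user-agent value is the one quoted above.

```python
import re

# The user-agent string quoted in the post (the value the vulnerable firmware
# compared against).  Everything else in this block is constructed for the example.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode_backdoor_string(ua: str) -> str:
    """Apply the post's hint: drop the digits, then read the string backwards."""
    return re.sub(r"\d", "", ua)[::-1]


def find_backdoor_requests(lines):
    """Return one record per request whose user agent carries the backdoor string.

    A substring match is used deliberately: an exact compare would miss a probe
    that pads the string, and no legitimate client ever sends it.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess at fields
        if BACKDOOR_UA in m.group("ua"):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "request": m.group("req"),
                "status": int(m.group("status")),
            })
    return hits


def sources_by_hits(hits):
    """Collapse hits to {client ip: number of backdoor requests} for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log: one normal browser, one curl probe that was refused,
# then two requests with the backdoor user agent that the device accepted.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:08:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '198.51.100.7 - - [12/Oct/2013:08:01:45 +0000] "GET /index.htm HTTP/1.1" 401 0 "-" "curl/7.32.0"',
    '198.51.100.7 - - [12/Oct/2013:08:01:46 +0000] "GET /index.htm HTTP/1.1" 200 4021 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [12/Oct/2013:08:02:10 +0000] "POST /apply.cgi HTTP/1.1" 200 215 "-" "xmlset_roodkcableoj28840ybtide"',
]

if __name__ == "__main__":
    print("decoded hint:", decode_backdoor_string(BACKDOOR_UA))
    hits = find_backdoor_requests(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("sources:", sources_by_hits(hits))
```

The telling pattern in the sample is the same client going from a 401 with a normal user agent to a 200 on the same page with the magic one: that is an authentication bypass, not a crawler. On a router that writes no access log at all, the equivalent check is an upstream proxy or IDS rule on the same header value.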

Fri, 18 Oct 2013 11:37:09 UTC

Identifying Cell Phones Through Sensor Imperfections

Posted By Bruce Schneier

There seems to be a bunch of research into uniquely identifying cell phones through unique analog characteristics of the various embedded sensors. These sorts of things could replace cookies as surveillance tools. Slashdot and MetaFilter threads....

Thu, 17 Oct 2013 17:50:15 UTC

"A Court Order Is an Insider Attack"

Posted By Bruce Schneier

Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack: To see why, consider two companies, which we'll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party -- in this case, the government. Meanwhile, over at Guavabit,...

Thu, 17 Oct 2013 12:15:08 UTC

SecureDrop

Posted By Bruce Schneier

SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code. I participated in...

Wed, 16 Oct 2013 12:33:42 UTC

iPhone Sensor Surveillance

Posted By Bruce Schneier

The new iPhone has a motion sensor chip, and that opens up new opportunities for surveillance: The M7 coprocessors introduce functionality that some may instinctively identify as "creepy." Even Apple's own description hints at eerie omniscience: "M7 knows when you're walking, running, or even driving..." While it's quietly implemented within iOS, it's not secret for third party apps (which require...

Tue, 15 Oct 2013 18:37:26 UTC

NSA Harvesting Contact Lists

Posted By Bruce Schneier

A new Snowden document shows that the NSA is harvesting contact lists -- e-mail address books, IM buddy lists, etc. -- from Google, Yahoo, Microsoft, Facebook, and others. Unlike PRISM, this unnamed program collects the data from the Internet. This is similar to how the NSA identifies Tor users. They get direct access to the Internet backbone, either through...

Tue, 15 Oct 2013 17:37:02 UTC

New Secure Smart Phone App

Posted By Bruce Schneier

It's hard not to poke fun at this press release for Safeslinger, a new cell phone security app from Carnegie Mellon. "SafeSlinger provides you with the confidence that the person you are communicating with is actually the person they have represented themselves to be," said Michael W. Farb, a research programmer at Carnegie Mellon CyLab. "The most important feature is...

Tue, 15 Oct 2013 11:27:14 UTC

Massive MIMO Cryptosystem

Posted By Bruce Schneier

New paper: "Physical-Layer Cryptography Through Massive MIMO." Abstract: We propose the new technique of physical-layer cryptography based on using a massive MIMO channel as a key between the sender and desired receiver, which need not be secret. The goal is for low-complexity encoding and decoding by the desired transmitter-receiver pair, whereas decoding by an eavesdropper is hard in terms of...

Mon, 14 Oct 2013 18:06:19 UTC

Insecurities in the Linux /dev/random

Posted By Bruce Schneier

New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust," by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and...

Mon, 14 Oct 2013 11:37:44 UTC

Fingerprinting Burner Phones

Posted By Bruce Schneier

In one of the documents recently released by the NSA as a result of an EFF lawsuit, there's discussion of a specific capability of a call records database to identify disposable "burner" phones. Let's consider, then, the very specific data this query tool was designed to return: The times and dates of the first and last call events, but apparently...
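
What makes first-call and last-call timestamps enough to spot a burner is that a disposable phone has a short total lifetime, while the people it calls do not. The script below is an added example, not the NSA's tool and not code from the post: it derives first call, last call and contact set for every number in a batch of call records, flags the short-lived ones, and then goes one step beyond what the excerpt describes by linking a burner to its likely successor through shared contacts. The records and the 14-day threshold are constructed for the example.

```python
from datetime import datetime

# Constructed call records: (calling number, called number, ISO timestamp).
# 5553000 is a long-lived phone; 5551000 and 5551111 are two burners used one
# after the other by someone who keeps calling the same small circle.
CDR = [
    ("5553000", "5552001", "2013-08-01T10:00"),
    ("5553000", "5552002", "2013-08-15T10:00"),
    ("5551000", "5552001", "2013-09-01T09:00"),
    ("5551000", "5552002", "2013-09-02T09:00"),
    ("5551000", "5552003", "2013-09-05T09:00"),
    ("5551111", "5552001", "2013-09-08T09:00"),
    ("5551111", "5552002", "2013-09-12T09:00"),
    ("5553000", "5552003", "2013-09-20T10:00"),
    ("5553000", "5552001", "2013-10-20T10:00"),
]


def phone_activity(records):
    """Per number: first call, last call and the set of numbers it talked to.

    Both ends of every call are counted, so a frequently called landline shows
    up with a long lifetime even if it never originates a call itself.
    """
    acts = {}
    for a, b, ts in records:
        t = datetime.fromisoformat(ts)
        for me, other in ((a, b), (b, a)):
            act = acts.setdefault(me, {"first": t, "last": t, "contacts": set()})
            act["first"] = min(act["first"], t)
            act["last"] = max(act["last"], t)
            act["contacts"].add(other)
    return acts


def short_lived(acts, max_days):
    """Numbers whose entire call history fits inside max_days: burner candidates."""
    return sorted(n for n, a in acts.items()
                  if (a["last"] - a["first"]).days <= max_days)


def link_successors(acts, candidates, min_shared=2):
    """Pairs (old, new) where new starts calling only after old went quiet and
    the two share at least min_shared contacts: one user moving to the next
    handset.  This chaining step is an assumption of the example, not something
    the excerpt attributes to the query tool.
    """
    links = []
    for old in candidates:
        for new in candidates:
            if old == new or acts[new]["first"] <= acts[old]["last"]:
                continue
            shared = acts[old]["contacts"] & acts[new]["contacts"]
            if len(shared) >= min_shared:
                links.append((old, new))
    return sorted(links)


if __name__ == "__main__":
    acts = phone_activity(CDR)
    burners = short_lived(acts, max_days=14)
    print("short-lived numbers:", burners)
    print("probable handset changes:", link_successors(acts, burners))
```

The threshold is the whole game: at 14 days the example catches both burners and neither of the regularly called numbers, but lower it far enough and any newly activated phone looks disposable, which is exactly the kind of false positive a defender of such a system would want to measure before trusting its output.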

Fri, 11 Oct 2013 21:09:00 UTC

Friday Squid Blogging: 30-Foot Giant Squid Washes Ashore

Posted By Bruce Schneier

A 30-foot-long giant squid has washed ashore in Cantabria, Spain. It died at sea, with a broken tentacle. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Oct 2013 19:53:05 UTC

Stuff I Say

Posted By Bruce Schneier

It's a Tumblr feed. Right now there are only six posts, all a year old. Presumably that will change soon. To clarify: I have nothing to do with the feed, and anyone can post stuff to it....

Fri, 11 Oct 2013 17:33:27 UTC

New Low in Election Fraud

Posted By Bruce Schneier

Azerbaijan achieves a new low in voter fraud. The government accidentally publishes the results of the election before the polls open. The mistake came when an electoral commission accidentally published results showing a victory for Ilham Aliyev, the country's long-standing President, a day before voting. Meydan TV, an online channel critical of the government, released a screenshot from a mobile...

Fri, 11 Oct 2013 11:45:00 UTC

Air Gaps

Posted By Bruce Schneier

Since I started working with Snowden's documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible. I also recommended using an air gap, which physically isolates a computer or local network of computers from the...

Thu, 10 Oct 2013 16:52:47 UTC

Build Your Own Enigma

Posted By Bruce Schneier

Neat....

Thu, 10 Oct 2013 11:03:46 UTC

Breaking Taiwan's Digital ID

Posted By Bruce Schneier

There's a serious random-number generation flaw in the cryptographic systems used to protect the Taiwanese digital ID. Article and paper....
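
The post does not say how the flaw was exploited, so the example below sticks to the screening step that exposes any RNG which repeats itself when generating RSA keys: if two keys in a population share a prime, a single gcd recovers both private keys, and Bernstein's batch-gcd (product tree plus remainder tree) finds every such pair in a population of millions in quasi-linear time. This is an added example, not code from the paper; the primes and the "broken RNG" that hands one of them out twice are constructed for the example.

```python
from math import gcd, isqrt


def is_prime(n):
    """Trial division; fine for the small constructed primes used below."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def product_tree(leaves):
    """Levels of pairwise products: the leaves first, a single root last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each modulus N_i return gcd(N_i, product of all the other moduli).

    Remainder-tree formulation: push the full product P down the tree reducing
    modulo x^2 at every node, then at each leaf compute gcd((P mod N^2) / N, N),
    which equals gcd(P / N, N).  A pairwise loop would be quadratic in the
    number of keys; this is what makes whole-population scans feasible.
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    rems = [tree[-1][0]]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_shared_keys(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another.

    A gcd equal to the modulus itself means the identical key appeared twice;
    that is reported separately because it yields no factorisation by itself.
    """
    factored, duplicates = {}, []
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        if g == n:
            duplicates.append(i)
        else:
            factored[i] = (min(g, n // g), max(g, n // g))
    return factored, duplicates


# Constructed key batch.  A sound RNG gives every key two fresh primes; the
# broken one modelled here produced PRIMES[0] twice, so keys 0 and 2 collide.
PRIMES = [p for p in range(10007, 11000) if is_prime(p)][:8]
MODULI = [
    PRIMES[0] * PRIMES[1],   # key 0: shares PRIMES[0] with key 2
    PRIMES[2] * PRIMES[3],   # key 1: clean
    PRIMES[0] * PRIMES[4],   # key 2: shares PRIMES[0] with key 0
    PRIMES[5] * PRIMES[6],   # key 3: clean on its own ...
    PRIMES[5] * PRIMES[6],   # key 4: ... but an exact duplicate of key 3
]

if __name__ == "__main__":
    factored, dups = factor_shared_keys(MODULI)
    print("factored keys:", factored)
    print("duplicate moduli:", dups)
```

Two caveats a practitioner should carry with this. Batch gcd only catches keys that literally share a prime; an RNG that produces structured but distinct primes needs lattice methods on top. And the scan itself is a dual-use tool: run it on your own certificate inventory before someone else does.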

Wed, 09 Oct 2013 18:08:09 UTC

A New Postal Privacy Product

Posted By Bruce Schneier

The idea is basically to use indirection to hide physical addresses. You would get a random number to give to your correspondents, and the post office would use that number to determine your real address. No security against government surveillance, but potentially valuable nonetheless. Here are a bunch of documents. I honestly have no idea what's going on. It seems...

Wed, 09 Oct 2013 11:28:27 UTC

The NSA's New Risk Analysis

Posted By Bruce Schneier

As I recently reported in the Guardian, the NSA has secret servers on the Internet that hack into other computers, codename FOXACID. These servers provide an excellent demonstration of how the NSA approaches risk management, and expose flaws in how the agency thinks about the secrecy of its own programs. Here are the FOXACID basics: By the time the NSA...

Tue, 08 Oct 2013 18:05:16 UTC

Me on Surveillance

Posted By Bruce Schneier

This is a video of me talking about surveillance and privacy, both relating to the NSA and more generally....

Tue, 08 Oct 2013 11:44:23 UTC

Why It's Important to Publish the NSA Programs

Posted By Bruce Schneier

The Guardian recently reported on how the NSA targets Tor users, along with details of how it uses centrally placed servers on the Internet to attack individual computers. This builds on a Brazilian news story from mid-September that, in part, shows that the NSA is impersonating Google servers to users; a German story on how the NSA is hacking...

Mon, 07 Oct 2013 18:35:41 UTC

Silk Road Author Arrested Due to Bad Operational Security

Posted By Bruce Schneier

Details of how the FBI found the administrator of Silk Road, a popular black market e-commerce site. Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called "altoid" advertised he was looking for an "IT pro...

Mon, 07 Oct 2013 11:24:38 UTC

How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID

Posted By Bruce Schneier

The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world. According to a...

Fri, 04 Oct 2013 21:17:25 UTC

Friday Squid Blogging: Squid Exhibit at the Monterey Bay Aquarium

Posted By Bruce Schneier

Opens spring 2014. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Oct 2013 19:09:47 UTC

"Trust the Math"

Posted By Bruce Schneier

I like this piece of art. Someone should do T-shirts....

Fri, 04 Oct 2013 11:59:15 UTC

Developments in Microphone Technology

Posted By Bruce Schneier

What's interesting is that this matchstick-sized microphone can be attached to drones. Conventional microphones work when sound waves make a diaphragm move, creating an electrical signal. Microflown's sensor has no moving parts. It consists of two parallel platinum strips, each just 200 nanometres deep, that are heated to 200° C. Air molecules flowing across the strips cause temperature differences between...

Thu, 03 Oct 2013 17:55:15 UTC

Is Cybersecurity a Profession?

Posted By Bruce Schneier

A National Academy of Sciences panel says no: Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification, have their disadvantages too. For example, formal education or certification could be helpful to...

Thu, 03 Oct 2013 11:43:05 UTC

On Anonymous

Posted By Bruce Schneier

Gabriella Coleman has published an interesting analysis of the hacker group Anonymous: Abstract: Since 2010, digital direct action, including leaks, hacking and mass protest, has become a regular feature of political life on the Internet. The source, strengths and weakness of this activity are considered in this paper through an in-depth analysis of Anonymous, the protest ensemble that has been...

Wed, 02 Oct 2013 18:28:58 UTC

On Secrecy

Posted By Bruce Schneier

"When everything is classified, then nothing is classified." I should suppose that moral, political, and practical considerations would dictate that a very first principle of that wisdom would be an insistence upon avoiding secrecy for its own sake. For when everything is classified, then nothing is classified, and the system becomes one to be disregarded by the cynical or the...

Wed, 02 Oct 2013 11:46:26 UTC

My TEDx Talk

Posted By Bruce Schneier

I spoke at TEDxCambridge last month on security and power. Here's the video....

Tue, 01 Oct 2013 18:08:15 UTC

NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody

Posted By Bruce Schneier

Two new stories based on the Snowden documents. This is getting silly. General Alexander just lied about this to Congress last week. The old NSA tactic of hiding behind a shell game of different code names is failing. It used to be they could get away with saying "Project X doesn't do that," knowing full well that Projects Y and...

Tue, 01 Oct 2013 15:50:19 UTC

Will Keccak = SHA-3?

Posted By Bruce Schneier

Last year, NIST selected Keccak as the winner of the SHA-3 hash function competition. Yes, I would have rather my own Skein had won, but it was a good choice. But last August, John Kelsey announced some changes to Keccak in a talk (slides 44-48 are relevant). Basically, the security levels were reduced and some internal changes to the algorithm...

Tue, 01 Oct 2013 14:09:00 UTC

WhoIs Privacy and Proxy Service Abuse

Posted By Bruce Schneier

ICANN has a draft study that looks at abuse of the Whois database. This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore,...

Sat, 28 Sep 2013 11:10:09 UTC

Senator Feinstein Admits the NSA Taps the Internet Backbone

Posted By Bruce Schneier

We know from the Snowden documents (and other sources) that the NSA taps the Internet backbone through secret agreements with major U.S. telcos, but the U.S. government still hasn't admitted it. In late August, the Obama administration declassified a ruling from the Foreign Intelligence Surveillance Court. Footnote 3 reads: The term 'upstream collection' refers to NSA's interception of Internet communications as they...

Fri, 27 Sep 2013 21:53:26 UTC

Friday Squid Blogging: A Squid that Fishes

Posted By Bruce Schneier

The Grimalditeuthis bonplandi is the only known squid to use its tentacles to fish: Its tentacles are thin and fragile, and almost always break off when it's captured. For ages, people thought it lacked tentacles altogether until a full specimen was found in the stomach of a fish. Weirder still, its clubs have neither suckers nor hooks. Instead, they are...

Fri, 27 Sep 2013 19:47:26 UTC

Another Schneier Interview

Posted By Bruce Schneier

I was interviewed for Technology Review on the NSA and the Snowden documents....

Fri, 27 Sep 2013 11:21:59 UTC

3D-Printed Robot to Break Android PINs

Posted By Bruce Schneier

Neat project. The reason it works is that the Android system doesn't start putting in very long delays between PIN attempts after a whole bunch of unsuccessful attempts. The iPhone does....
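
The reason the robot finishes in hours rather than years is arithmetic, so it is worth running the arithmetic. The model below is an added example, not code from the project or the post: it charges a fixed per-guess cost for the robot and adds whatever lockout the device imposes before each attempt, under a fixed 30-second-per-5-failures policy of the kind the post describes, under an escalating schedule (assumed here, loosely modelled on the iPhone's), and under an escalating schedule with a wipe after ten failures. All three policies and the one-second typing cost are assumptions of the example.

```python
def android_2013_delay(attempt):
    """Constructed model of the behaviour the post describes: a fixed 30-second
    pause after every fifth wrong guess, and no escalation beyond that."""
    return 30 if attempt > 5 and (attempt - 1) % 5 == 0 else 0


def escalating_delay(attempt):
    """Constructed escalating schedule (assumed, loosely iPhone-like): 1, 5 and
    15 minutes after the 5th, 6th and 7th failures, then an hour before every
    further attempt."""
    schedule = {6: 60, 7: 300, 8: 900, 9: 3600}
    if attempt in schedule:
        return schedule[attempt]
    return 3600 if attempt >= 10 else 0


def brute_force_cost(pin_space, type_seconds, delay_before, max_attempts=None):
    """Worst-case (seconds, attempts) to try every PIN in pin_space.

    type_seconds : time the robot needs to key one PIN and read the result.
    delay_before : function n -> lockout the device imposes before attempt n.
    max_attempts : attempt count at which the device wipes; None for no wipe.
    The attempt count is returned alongside the time so a wipe policy shows
    up as "the attacker never got to finish", not as a small time.
    """
    attempts = pin_space if max_attempts is None else min(pin_space, max_attempts)
    total = 0
    for n in range(1, attempts + 1):
        total += type_seconds + delay_before(n)
    return total, attempts


def hours(seconds):
    return seconds / 3600


if __name__ == "__main__":
    policies = [
        ("30 s after every 5 failures", android_2013_delay, None),
        ("escalating, no wipe", escalating_delay, None),
        ("escalating, wipe at 10", escalating_delay, 10),
    ]
    for name, policy, cap in policies:
        secs, n = brute_force_cost(10_000, 1, policy, cap)
        print(f"{name:30s} {n:6d} attempts  {hours(secs):10.1f} h")
```

Under the fixed policy the whole four-digit space costs about 19.4 hours, which is why a patient robot wins; the escalating schedule pushes the same search past a year, and the wipe option ends it after ten guesses. The lesson for anyone designing an authentication throttle is that a constant delay only scales the attack linearly, while a delay that grows with the failure count scales it with the size of the key space.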

Thu, 26 Sep 2013 11:58:35 UTC

Paradoxes of Big Data

Posted By Bruce Schneier

Interesting paper: "Three Paradoxes of Big Data," by Neil M. Richards and Jonathan H. King, Stanford Law Review Online, 2013. Abstract: Big data is all the rage. Its proponents tout the use of sophisticated analytics to mine large data sets for insight as the solution to many of our society's problems. These big data evangelists insist that data-driven decisionmaking can...

Wed, 25 Sep 2013 12:17:01 UTC

Good Summary of Potential NSA Involvement in a NIST RNG Standard

Posted By Bruce Schneier

Kim Zetter has written the definitive story -- at least so far -- of the possible backdoor in the Dual_EC_DRBG random number generator that's part of the NIST SP800-90 standard....

Tue, 24 Sep 2013 14:20:01 UTC

Apple's iPhone Fingerprint Reader Successfully Hacked

Posted By Bruce Schneier

Nice hack from the Chaos Computer Club: The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner...

Mon, 23 Sep 2013 18:14:17 UTC

NSA Job Opening

Posted By Bruce Schneier

The NSA is looking for a Civil Liberties & Privacy Officer. It appears to be an internal posting. The NSA Civil Liberties & Privacy Officer (CLPO) is conceived as a completely new role, combining the separate responsibilities of NSA's existing Civil Liberties and Privacy (CL/P) protection programs under a single official. The CLPO will serve as the primary advisor to...

Mon, 23 Sep 2013 11:21:37 UTC

Metadata Equals Surveillance

Posted By Bruce Schneier

Back in June, when the contents of Edward Snowden's cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people -- including President Obama -- discounted the seriousness of the NSA's actions by saying that it's just metadata. Lots and lots of people effectively demolished that trivialization,...

Fri, 20 Sep 2013 21:25:59 UTC

Friday Squid Blogging: How Bacteria Terraform a Squid

Posted By Bruce Schneier

Fascinating: The bacterium Vibrio fischeri is a squid terraformer. Although it can live independently in seawater, it also colonises the body of the adorable Hawaiian bobtail squid. The squid nourishes the bacteria with nutrients and the bacteria, in turn, act as an invisibility cloak. They produce a dim light that matches the moonlight shining down from above, masking the squid's...

Fri, 20 Sep 2013 17:01:34 UTC

Legally Justifying NSA Surveillance of Americans

Posted By Bruce Schneier

Kit Walsh has an interesting blog post where he looks at how existing law can be used to justify the surveillance of Americans. Just to challenge ourselves, we'll ignore the several statutory provisions and other doctrines that allow for spying without court oversight, such as urgent collection, gathering information not considered protected by the Fourth Amendment, the wartime spying provision,...

Fri, 20 Sep 2013 12:05:01 UTC

Google Knows Every Wi-Fi Password in the World

Posted By Bruce Schneier

This article points out that as people log into Wi-Fi networks from their Android phones, and back up those passwords along with everything else into Google's cloud, Google is amassing an enormous database of the world's Wi-Fi passwords. And while it's not every Wi-Fi password in the world, it's almost certainly a large percentage of them. Leaving aside...

Wed, 18 Sep 2013 12:06:23 UTC

Yochai Benkler on the NSA

Posted By Bruce Schneier

Excellent essay: We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations....

Tue, 17 Sep 2013 11:15:46 UTC

The Limitations of Intelligence

Posted By Bruce Schneier

We recently learned that US intelligence agencies had at least three days' warning that Syrian President Bashar al-Assad was preparing to launch a chemical attack on his own people, but weren't able to stop it. At least that's what an intelligence briefing from the White House reveals. With the combined abilities of our national intelligence apparatus -- the CIA, NSA,...

Mon, 16 Sep 2013 18:25:41 UTC

Surreptitiously Tampering with Computer Chips

Posted By Bruce Schneier

This is really interesting research: "Stealthy Dopant-Level Hardware Trojans." Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor. This sort of sabotage will not be noticed on any visual reverse-engineering of the chip -- remove all the layers, generate the netlist-style reverse engineering, and so on. And it...

Mon, 16 Sep 2013 17:59:49 UTC

Tom Tomorrow from 1994

Posted By Bruce Schneier

This was published during the battle about the Clipper Chip, and is remarkably prescient....

Mon, 16 Sep 2013 11:55:42 UTC

Reforming the NSA

Posted By Bruce Schneier

Leaks from the whistleblower Edward Snowden have catapulted the NSA into newspaper headlines and demonstrated that it has become one of the most powerful government agencies in the country. From the secret court rulings that allow it to collect data on all Americans to its systematic subversion of the entire Internet as a surveillance platform, the NSA has amassed an enormous...

Sun, 15 Sep 2013 16:53:06 UTC

Take Back the Internet

Posted By Bruce Schneier

Government and industry have betrayed the Internet, and us. By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our Internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our...

Sun, 15 Sep 2013 13:11:49 UTC

How to Remain Secure Against the NSA

Posted By Bruce Schneier

Now that we have enough details about how the NSA eavesdrops on the Internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves. For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided...

Fri, 13 Sep 2013 21:07:37 UTC

Friday Squid Blogging: Squid Fishing in the Cook Islands

Posted By Bruce Schneier

Diamondback squid could be a source of food. No word on taste. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Sep 2013 16:02:51 UTC

Radio Interviews with Me

Posted By Bruce Schneier

Four interviews with me on the NSA....

Fri, 13 Sep 2013 11:23:53 UTC

New NSA Leak Shows MITM Attacks Against Major Internet Services

Posted By Bruce Schneier

The Brazilian television show "Fantastico" has exposed an NSA training presentation that discusses how the agency runs man-in-the-middle attacks on the Internet. The point of the story was that the NSA engages in economic espionage against Petrobras, the Brazilian giant oil company, but I'm more interested in the tactical details. The video on the webpage is long, and includes what...

Thu, 12 Sep 2013 18:34:12 UTC

Did I Actually Say That?

Posted By Bruce Schneier

I'm quoted (also here) as using this analogy to explain how IT companies will be damaged by the news that they've been collaborating with the NSA: "How would it be if your doctor put rat poison in your medicine? Highly damaging," said Bruce Schneier, a US computer security expert. Not the most eloquent I've been recently. Clearly I need to...

Thu, 12 Sep 2013 11:05:14 UTC

Ed Felten on the NSA Disclosures

Posted By Bruce Schneier

Ed Felten has an excellent essay on the damage caused by the NSA secretly breaking the security of Internet systems: In security, the worst case -- the thing you most want to avoid -- is thinking you are secure when you're not. And that's exactly what the NSA seems to be trying to perpetuate. Suppose you're driving a car that...

Wed, 11 Sep 2013 16:53:04 UTC

Matthew Green Speculates on How the NSA Defeats Encryption

Posted By Bruce Schneier

This blog post is well worth reading, and not just because Johns Hopkins University asked him to remove it, and then backed down a few hours later....

Wed, 11 Sep 2013 11:43:37 UTC

iPhone Fingerprint Authentication

Posted By Bruce Schneier

When Apple bought AuthenTec for its biometrics technology -- reported as one of its most expensive purchases -- there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could...

Tue, 10 Sep 2013 11:55:08 UTC

The TSA Is Legally Allowed to Lie to Us

Posted By Bruce Schneier

The TSA does not have to tell the truth: Can the TSA (or local governments as directed by the TSA) lie in response to a FOIA request? Sure, no problem! Even the NSA responds that they "can't confirm or deny the existence" of classified things for which admitting or denying existence would (allegedly, of course) damage national security. But the...

Mon, 09 Sep 2013 18:30:59 UTC

Government Secrecy and the Generation Gap

Posted By Bruce Schneier

Big-government secrets require a lot of secret-keepers. As of October 2012, almost 5m people in the US have security clearances, with 1.4m at the top-secret level or higher, according to the Office of the Director of National Intelligence. Most of these people do not have access to as much information as Edward Snowden, the former National Security Agency contractor turned...

Mon, 09 Sep 2013 11:20:25 UTC

Excess Automobile Deaths as a Result of 9/11

Posted By Bruce Schneier

People commented about a point I made in a recent essay: In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes. Yes, that's wrong. Where I said "months," I should have said "years." I got the...

Sat, 07 Sep 2013 12:55:54 UTC

My New PGP/GPG and OTR Keys

Posted By Bruce Schneier

You can find my new PGP public key and my OTR key fingerprint here....

Fri, 06 Sep 2013 21:50:00 UTC

Friday Squid Blogging: Giant Squid Found Off the Coast of Spain

Posted By Bruce Schneier

The incomplete specimen weighs over 160 lbs. And here's a map of squid spottings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Sep 2013 19:09:17 UTC

Another Interview

Posted By Bruce Schneier

I was interviewed by MinnPost....

Fri, 06 Sep 2013 16:08:06 UTC

Conspiracy Theories and the NSA

Posted By Bruce Schneier

I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public...

Fri, 06 Sep 2013 11:30:18 UTC

The NSA's Cryptographic Capabilities

Posted By Bruce Schneier

The latest Snowden document is the US intelligence "black budget." There's a lot of information in the few pages the Washington Post decided to publish, including an introduction by Director of National Intelligence James Clapper. In it, he drops a tantalizing hint: "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." Honestly, I'm...

Thu, 05 Sep 2013 19:46:54 UTC

The NSA Is Breaking Most Encryption on the Internet

Posted By Bruce Schneier

The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics. It's joint reporting between the Guardian, the New York Times, and ProPublica. I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my...

Thu, 05 Sep 2013 18:57:05 UTC

The Effect of Money on Trust

Posted By Bruce Schneier

Money reduces trust in small groups, but increases it in larger groups. Basically, the introduction of money allows society to scale. The team devised an experiment where subjects in small and large groups had the option to give gifts in exchange for tokens. They found that there was a social cost to introducing this incentive. When all tokens were "spent",...

Thu, 05 Sep 2013 17:13:09 UTC

Journal of Homeland Security and Emergency Management

Posted By Bruce Schneier

I keep getting alerts of new issues, but there are rarely articles I find interesting....

Thu, 05 Sep 2013 13:32:30 UTC

Human/Machine Trust Failures

Posted By Bruce Schneier

I jacked a visitor's badge from the Eisenhower Executive Office Building in Washington, DC, last month. The badges are electronic; they're enabled when you check in at building security. You're supposed to wear it on a chain around your neck at all times and drop it through a slot when you leave. I kept the badge. I used my body...

Wed, 04 Sep 2013 17:08:48 UTC

SHA-3 Status

Posted By Bruce Schneier

NIST's John Kelsey gave an excellent talk on the history, status, and future of the SHA-3 hashing standard. The slides are online....

Wed, 04 Sep 2013 12:02:41 UTC

Business Opportunities in Cloud Security

Posted By Bruce Schneier

Bessemer Venture Partners partner David Cowan has an interesting article on the opportunities for cloud security companies. Richard Stiennon, an industry analyst, has a similar article. And Zscaler comments on a 451 Research report on the cloud security business....

Tue, 03 Sep 2013 18:45:12 UTC

Syrian Electronic Army Cyberattacks

Posted By Bruce Schneier

The Syrian Electronic Army attacked again this week, compromising the websites of the New York Times, Twitter, the Huffington Post, and others. Political hacking isn't new. Hackers were breaking into systems for political reasons long before commerce and criminals discovered the Internet. Over the years, we've seen U.K. vs. Ireland, Israel vs. Arab states, Russia vs. its former Soviet republics,...

Tue, 03 Sep 2013 11:41:42 UTC

Our Newfound Fear of Risk

Posted By Bruce Schneier

We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren't free. They cost money, of course, but they cost other things as well. They often don't provide the security they advertise, and -- paradoxically...

Mon, 02 Sep 2013 11:40:38 UTC

1983 Article on the NSA

Posted By Bruce Schneier

The moral is that NSA surveillance overreach has been going on for a long, long time....

Fri, 30 Aug 2013 21:40:28 UTC

Friday Squid Blogging: Bobtail Squid Photo

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 30 Aug 2013 18:54:06 UTC

Opsec Details of Snowden Meeting with Greenwald and Poitras

Posted By Bruce Schneier

I don't like stories about the personalities in the Snowden affair, because it detracts from the NSA and the policy issues. But I'm a sucker for operational security, and just have to post this detail from their first meeting in Hong Kong: Snowden had instructed them that once they were in Hong Kong, they were to go at an appointed...

Fri, 30 Aug 2013 11:12:23 UTC

More on the NSA Commandeering the Internet

Posted By Bruce Schneier

If there's any confirmation that the U.S. government has commandeered the Internet for worldwide surveillance, it is what happened with Lavabit earlier this month. Lavabit is -- well, was -- an e-mail service that offered more privacy than the typical large-Internet-corporation services that most of us use. It was a small company, owned and operated by Ladar Levison, and it...

Thu, 29 Aug 2013 18:13:22 UTC

How Many Leakers Came Before Snowden?

Posted By Bruce Schneier

Assume it's really true that the NSA has no idea what documents Snowden took, and that they wouldn't even know he'd taken anything if he hadn't gone public. The fact that abuses of their systems by NSA officers were largely discovered through self-reporting substantiates that belief. Given that, why should anyone believe that Snowden is the first person to walk...

Thu, 29 Aug 2013 17:28:05 UTC

The Federal Trade Commission and Privacy

Posted By Bruce Schneier

New paper on the FTC and its actions to protect privacy: Abstract: One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police...

Wed, 28 Aug 2013 20:13:31 UTC

Feds Target Polygraph-Beating Company

Posted By Bruce Schneier

A company that teaches people how to beat lie detectors is under investigation....

Wed, 28 Aug 2013 12:07:34 UTC

Evading Internet Censorship

Posted By Bruce Schneier

This research project by Brandon Wiley -- the tool is called "Dust" -- looks really interesting. Here's the description of his Defcon talk: Abstract: The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses....

Tue, 27 Aug 2013 18:19:13 UTC

More on NSA Data Collection

Posted By Bruce Schneier

There's an article from Wednesday's Wall Street Journal that gives more details about the NSA's data collection efforts. The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between...

Tue, 27 Aug 2013 11:39:27 UTC

Detaining David Miranda

Posted By Bruce Schneier

Last Sunday, David Miranda was detained while changing planes at London Heathrow Airport by British authorities for nine hours under a controversial British law -- the maximum time allowable without making an arrest. There has been much made of the fact that he's the partner of Glenn Greenwald, the Guardian reporter whom Edward Snowden trusted with many of his NSA...

Mon, 26 Aug 2013 18:19:59 UTC

Protecting Against Leakers

Posted By Bruce Schneier

Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government's security failures. Yet the debacle illustrates the challenge with trusting people in any organization. The problem is easy to describe. Organizations require trusted people, but they don't necessarily know whether those people...

Mon, 26 Aug 2013 12:02:53 UTC

"The Next Generation Communications Privacy Act"

Posted By Bruce Schneier

Orin Kerr envisions what the ECPA should look like today: Abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and...

Fri, 23 Aug 2013 21:00:09 UTC

Friday Squid Blogging: New Research in How Squids Change Color

Posted By Bruce Schneier

Interesting: Structural colors rely exclusively on the density and shape of the material rather than its chemical properties. The latest research from the UCSB team shows that specialized cells in the squid skin called iridocytes contain deep pleats or invaginations of the cell membrane extending deep into the body of the cell. This creates layers or lamellae that operate as...

Fri, 23 Aug 2013 18:23:00 UTC

How Security Becomes Banal

Posted By Bruce Schneier

Interesting paper: "The Banality of Security: The Curious Case of Surveillance Cameras," by Benjamin Goold, Ian Loader, and Angélica Thumala (full paper is behind a paywall). Abstract: Why do certain security goods become banal (while others do not)? Under what conditions does banality occur and with what effects? In this paper, we answer these questions by examining the story of...

Fri, 23 Aug 2013 11:00:11 UTC

Hacking Consumer Devices

Posted By Bruce Schneier

Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children's bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child's father...

Thu, 22 Aug 2013 11:54:17 UTC

Susan Landau Article on the Snowden Documents

Posted By Bruce Schneier

Really good article by Susan Landau on the Snowden documents and what they mean....

Wed, 21 Aug 2013 12:01:45 UTC

Measuring Entropy and its Applications to Encryption

Posted By Bruce Schneier

There have been a bunch of articles about an information theory paper with vaguely sensational headlines like "Encryption is less secure than we thought" and "Research shakes crypto foundations." It's actually not that bad. Basically, the researchers argue that the traditional measurement of Shannon entropy isn't the right model to use for cryptography, and that minimum entropy is. This difference may...

Tue, 20 Aug 2013 12:10:15 UTC

Teens and Privacy

Posted By Bruce Schneier

Not much surprising in this new survey. Many teens ages 12-17 report that they usually figure out how to manage content sharing and privacy settings on their own. Focus group interviews with teens suggest that for their day-to-day privacy management, teens are guided through their choices in the app or platform when they sign up, or find answers through their...

Mon, 19 Aug 2013 11:47:58 UTC

The Cryptopocalypse

Posted By Bruce Schneier

There was a presentation at Black Hat last month warning us of a "factoring cryptopocalypse": a moment when factoring numbers and solving the discrete log problem become easy, and both RSA and DH break. This presentation was provocative, and has generated a lot of commentary, but I don't see any reason to worry. Yes, breaking modern public-key cryptosystems has gotten...

Fri, 16 Aug 2013 21:13:06 UTC

Friday Squid Blogging: Squid Ink as Food Coloring

Posted By Bruce Schneier

Alton Brown suggests it for ice cream. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Aug 2013 19:12:35 UTC

Wired Names "Schneier on Security" to Best Blog List

Posted By Bruce Schneier

I made the list of Wired's best "Government and Security" blogs....

Fri, 16 Aug 2013 12:31:09 UTC

Management Issues in Terrorist Organizations

Posted By Bruce Schneier

Terrorist organizations have the same management problems as other organizations, and new ones besides: Terrorist leaders also face a stubborn human resources problem: Their talent pool is inherently unstable. Terrorists are obliged to seek out recruits who are predisposed to violence -- that is to say, young men with a chip on their shoulder. Unsurprisingly, these recruits are not usually...

Thu, 15 Aug 2013 11:10:55 UTC

The NSA is Commandeering the Internet

Posted By Bruce Schneier

It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way....

Wed, 14 Aug 2013 18:12:35 UTC

Time Magazine Names "Schneier on Security" to Best Blog List

Posted By Bruce Schneier

My blog has made the Time magazine "The 25 Best Bloggers 2013 Edition" list. I can't believe this was published ten days ago, and I'm only just finding out about it. Aren't all you people supposed to be sending me links of things I might be interested in?...

Wed, 14 Aug 2013 17:06:10 UTC

Stories from MI5

Posted By Bruce Schneier

This essay is filled with historical MI5 stories -- often bizarre, sometimes amusing. My favorite: It was recently revealed that back in the 1970s -- at the height of the obsession with traitors -- MI5 trained a specially bred group of Gerbils to detect spies. Gerbils have a very acute sense of smell and they were used in interrogations to tell...

Wed, 14 Aug 2013 12:43:21 UTC

Circumventing Communications Blackouts

Posted By Bruce Schneier

Rangzen looks like a really interesting ad hoc mesh networking system to circumvent government-imposed communications blackouts. I am particularly interested in how it uses reputation to determine who can be trusted, while maintaining some level of anonymity. Academic paper: Abstract: A challenging problem in dissent networking is that of circumventing large-scale communication blackouts imposed by oppressive governments. Although prior work...

Tue, 13 Aug 2013 18:31:36 UTC

Book Review: Rise of the Warrior Cop

Posted By Bruce Schneier

Rise of the Warrior Cop: The Militarization of America's Police Forces, by Radley Balko, PublicAffairs, 2013, 400 pages. War as a rhetorical concept is firmly embedded in American culture. Over the past several decades, federal and local law enforcement has been enlisted in a war on crime, a war on drugs and a war on terror. These wars are...

Tue, 13 Aug 2013 11:45:54 UTC

The 2013 Cryptologic History Symposium

Posted By Bruce Schneier

The 2013 Cryptologic History Symposium, sponsored by the NSA, will be held at Johns Hopkins University this October....

Mon, 12 Aug 2013 19:33:02 UTC

NSA Increasing Security by Firing 90% of Its Sysadmins

Posted By Bruce Schneier

General Keith Alexander thinks he can improve security by automating sysadmin duties such that 90% of them can be fired: Using technology to automate much of the work now done by employees and contractors would make the NSA's networks "more defensible and more secure," as well as faster, he said at the conference, in which he did not mention Snowden...

Mon, 12 Aug 2013 11:29:54 UTC

Security at Sports Stadiums

Posted By Bruce Schneier

Lots of sports stadiums have instituted Draconian new rules. Here are the rules for St. Louis Rams games: Fans will be able to carry the following style and size bag, package, or container at stadium plaza areas, stadium gates, or when approaching queue lines of fans awaiting entry into the stadium: Bags that are clear plastic, vinyl or PVC and...

Fri, 09 Aug 2013 21:16:32 UTC

Friday Squid Blog: Rickshaw Cart Woodblock Print

Posted By Bruce Schneier

With a squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 09 Aug 2013 16:45:34 UTC

Lavabit E-Mail Service Shut Down

Posted By Bruce Schneier

Lavabit, the more-secure e-mail service that Edward Snowden -- among others -- used, has abruptly shut down. From the message on their homepage: I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I...

Fri, 09 Aug 2013 11:04:14 UTC

Latest Movie-Plot Threat: Explosive-Dipped Clothing

Posted By Bruce Schneier

It's being reported, although there's no indication of where this rumor is coming from or what it's based on. ...the new tactic allows terrorists to dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry. "It's ingenious," one of the officials said. Another senior official said that the tactic would not be detected by current...

Thu, 08 Aug 2013 17:20:13 UTC

Twitter's Two-Factor Authentication System

Posted By Bruce Schneier

Twitter just rolled out a pretty nice two-factor authentication system using your smart phone as the second factor: The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter's server. When Twitter receives a new...

Thu, 08 Aug 2013 11:14:49 UTC

Kip Hawley on Fixing the TSA

Posted By Bruce Schneier

The further Kip Hawley has gotten from running the TSA, the more sense he has started to make. This is pretty good....

Wed, 07 Aug 2013 11:29:18 UTC

Restoring Trust in Government and the Internet

Posted By Bruce Schneier

In July 2012, responding to allegations that the video-chat service Skype -- owned by Microsoft -- was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company's blog to deny it. Turns out that wasn't quite true. Or at least he -- or the company's lawyers --...

Tue, 06 Aug 2013 18:42:19 UTC

Has Tor Been Compromised?

Posted By Bruce Schneier

There's speculation that the FBI is responsible for an exploit that compromised the Tor anonymity service. Note that Tor nodes installed or updated after June 26 are secure....

Tue, 06 Aug 2013 11:16:44 UTC

NSA Surveillance and Mission Creep

Posted By Bruce Schneier

Last month, I wrote about the potential for mass surveillance mission creep: the tendency for the vast NSA surveillance apparatus to be used for other, lesser, crimes. My essay was theoretical, but it turns out to be already happening. Other agencies are already asking to use the NSA data: Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and...

Mon, 05 Aug 2013 11:02:44 UTC

The Public/Private Surveillance Partnership

Posted By Bruce Schneier

Imagine the government passed a law requiring all citizens to carry a tracking device. Such a law would immediately be found unconstitutional. Yet we all carry mobile phones. If the National Security Agency required us to notify it whenever we made a new friend, the nation would rebel. Yet we notify Facebook. If the Federal Bureau of Investigation demanded copies...

Fri, 02 Aug 2013 22:59:20 UTC

Friday Squid Blogging: Squid Watch

Posted By Bruce Schneier

I like watches with no numbers. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Aug 2013 20:20:03 UTC

XKeyscore

Posted By Bruce Schneier

The Guardian discusses a new secret NSA program: XKeyscore. It's the desktop system that allows NSA agents to spy on anyone over the Internet in real time. It searches existing NSA databases -- presumably including PRISM -- and can create fingerprints to search for all future data collections from systems like TRAFFIC THIEF. This seems to be what Edward Snowden...

Fri, 02 Aug 2013 19:28:29 UTC

Cryptography Engineering Book Review

Posted By Bruce Schneier

Good review of the strengths and weaknesses of Cryptography Engineering and Applied Cryptography. Best -- at least to me -- is the list of things missing, which we'll have to address if we do another edition....

Fri, 02 Aug 2013 13:03:11 UTC

False Positives and Ubiquitous Surveillance

Posted By Bruce Schneier

Searching on Google for a pressure cooker and backpacks got one family investigated by the police. More stories and comments. This seems not to be the NSA eavesdropping on everyone's Internet traffic, as was first assumed. It was one of those "see something say something" amateur tips: Suffolk County Criminal Intelligence Detectives received a tip from a Bay Shore based...

Thu, 01 Aug 2013 20:54:50 UTC

Economist Cyberwar Debate

Posted By Bruce Schneier

Richard Bejtlich and Thomas Rid (author of the excellent book Cyber War Will Not Take Place) debate the cyberwar threat on the Economist website....

Thu, 01 Aug 2013 11:37:46 UTC

Scientists Banned from Revealing Details of Car-Security Hack

Posted By Bruce Schneier

The UK has banned researchers from revealing details of security vulnerabilities in car locks. In 2008, Phillips brought a similar suit against researchers who broke the Mifare chip. That time, they lost. This time, Volkswagen sued and won. This is bad news for security researchers. (Remember back in 2001 when security researcher Ed Felten sued the RIAA in the US...

Wed, 31 Jul 2013 11:25:29 UTC

Brian Krebs Harassed

Posted By Bruce Schneier

This is what happens when you're a security writer and you piss off the wrong people: they conspire to have heroin mailed to you, and then to tip off the police. And that's after they've called in a fake hostage situation....

Tue, 30 Jul 2013 18:44:06 UTC

Neighborhood Security: Feeling vs. Reality

Posted By Bruce Schneier

Research on why some neighborhoods feel safer: Salesses and collaborators Katja Schechtner and César A. Hidalgo built an online comparison tool using Google Street View images to identify these often unseen triggers of our perception of place. Have enough people compare paired images of streets in New York or Boston, for instance, for the scenes that look more "safe" or...

Tue, 30 Jul 2013 12:33:54 UTC

Really Clever Bank Card Fraud

Posted By Bruce Schneier

This is a really clever social engineering attack against a bank-card holder: It all started, according to the police, on the Saturday night where one of this gang will have watched me take money from the cash point. That's the details of my last transaction taken care of. Sinister enough, the thought of being spied on while you're trying to...

Mon, 29 Jul 2013 11:28:17 UTC

Obama's Continuing War Against Leakers

Posted By Bruce Schneier

The Obama Administration has a comprehensive "insider threat" program to detect leakers from within government. This is pre-Snowden. Not surprisingly, the combination of profiling and "see something, say something" is unlikely to work. In an initiative aimed at rooting out future leakers and other security violators, President Barack Obama has ordered federal employees to report suspicious actions of their colleagues...

Fri, 26 Jul 2013 21:27:18 UTC

Friday Squid Blogging: Squid Song

Posted By Bruce Schneier

It's "Sparky the Giant Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Jul 2013 18:19:18 UTC

NSA Cracked the Kryptos Sculpture Years Before the CIA Did

Posted By Bruce Schneier

We interrupt this blog for some important inter-agency rivalry. The fourth part is still uncracked, though. Older links....

Fri, 26 Jul 2013 11:25:05 UTC

Secret Information Is More Trusted

Posted By Bruce Schneier

This is an interesting, if slightly disturbing, result: In one experiment, we had subjects read two government policy papers from 1995, one from the State Department and the other from the National Security Council, concerning United States intervention to stop the sale of fighter jets between foreign countries. The documents, both of which were real papers released through the Freedom...

Thu, 25 Jul 2013 17:27:34 UTC

Details on NSA/FBI Eavesdropping

Posted By Bruce Schneier

We're starting to see Internet companies talk about the mechanics of how the US government spies on their users. Here, a Utah ISP owner describes his experiences with NSA eavesdropping: We had to facilitate them to set up a duplicate port to tap in to monitor that customer's traffic. It was a 2U (two-unit) PC that we ran a mirrored...

Thu, 25 Jul 2013 11:46:10 UTC

Poached Eggs

Posted By Bruce Schneier

The story of people who poach and collect rare eggs, and the people who hunt them down. Securing wildlife against poachers is a difficult problem, especially when the defenders are poor countries with not a lot of resources....

Wed, 24 Jul 2013 19:52:02 UTC

Michael Hayden on the Effects of Snowden's Whistleblowing

Posted By Bruce Schneier

Former NSA director Michael Hayden lists three effects of the Snowden documents: "...the undeniable operational effect of informing adversaries of American intelligence's tactics, techniques and procedures." "...the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law." "...the erosion of confidence in the ability of the United States to do anything discreetly or keep...

Wed, 24 Jul 2013 11:18:36 UTC

NSA Implements Two-Man Control for Sysadmins

Posted By Bruce Schneier

In an effort to lock the barn door after the horse has escaped, the NSA is implementing two-man control for sysadmins: NSA chief Keith Alexander said his agency had implemented a "two-man rule," under which any system administrator like Snowden could only access or move key information with another administrator present. With some 15,000 sites to fix, Alexander said, it...

Tue, 23 Jul 2013 18:00:11 UTC

How the FISA Court Undermines Trust

Posted By Bruce Schneier

This is a succinct explanation of how the secrecy of the FISA court undermines trust. Surveillance types make a distinction between secrecy of laws, secrecy of procedures and secrecy of operations. The expectation is that the laws that empower or limit the government's surveillance powers are always public. The programs built atop those laws are often secret. And the individual...

Tue, 23 Jul 2013 11:21:50 UTC

Marc Rotenberg on the NSA Supreme Court Suit

Posted By Bruce Schneier

Marc Rotenberg of EPIC explains why he is suing the NSA in the Supreme Court. And USA Today has a back and forth on the topic....

Mon, 22 Jul 2013 18:04:08 UTC

Prosecuting Snowden

Posted By Bruce Schneier

I generally don't like stories about Snowden as a person, because they distract from the real story of the NSA surveillance programs, but this article on the costs and benefits of the US government prosecuting Edward Snowden is worth reading....

Mon, 22 Jul 2013 11:36:09 UTC

Violence as a Source of Trust in Criminal Societies

Posted By Bruce Schneier

This is interesting: If I know that you have committed a violent act, and you know that I have committed a violent act, we each have information on each other that we might threaten to use if relations go sour (Schelling notes that one of the most valuable rights in business relations is the right to be sued -- this...

Fri, 19 Jul 2013 21:12:31 UTC

Friday Squid Blogging: Paul Burke Giant Squid Sculpture

Posted By Bruce Schneier

The wood sculpture is part of an art exhibit at the VanDusen Botanical Garden in Vancouver....

Fri, 19 Jul 2013 19:45:23 UTC

TSA Considering Implementing Randomized Security

Posted By Bruce Schneier

For a change, here's a good idea by the TSA: TSA has just issued a Request for Information (RFI) to prospective vendors who could develop and supply such randomizers, which TSA expects to deploy at CAT X through CAT IV airports throughout the United States. "The Randomizers would be used to route passengers randomly to different checkpoint lines," says the...

Fri, 19 Jul 2013 14:40:22 UTC

Counterterrorism Mission Creep

Posted By Bruce Schneier

One of the assurances I keep hearing about the U.S. government's spying on American citizens is that it's only used in cases of terrorism. Terrorism is, of course, an extraordinary crime, and its horrific nature is supposed to justify permitting all sorts of excesses to prevent it. But there's a problem with this line of reasoning: mission creep. The definitions...

Thu, 18 Jul 2013 20:58:37 UTC

PRISM Q&A

Posted By Bruce Schneier

Mikko Hypponen and I answered questions about PRISM on the TED website....

Thu, 18 Jul 2013 13:37:39 UTC

Snowden's Dead Man's Switch

Posted By Bruce Schneier

Edward Snowden has set up a dead man's switch. He's distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him. Dead man's switches have a long history, both for safety (the machinery automatically stops if the operator's hand goes slack) and security...

Wed, 17 Jul 2013 19:45:20 UTC

DHS Puts its Head in the Sand

Posted By Bruce Schneier

On the subject of the recent Washington Post Snowden document, the DHS sent this e-mail out to at least some of its employees: From: xxxxx Sent: Thursday, July 11, 2013 10:28 AM To: xxxxx Cc: xxx Security Reps; xxx SSO; xxxx;xxxx Subject: //// SECURITY ADVISORY//// NEW WASHINGTON POST WEBPAGE ARTICLE -- DO NOT CLICK ON THIS LINK I have been...

Wed, 17 Jul 2013 17:03:02 UTC

Tapping Undersea Cables

Posted By Bruce Schneier

Good article on the longstanding practice of secretly tapping undersea cables. This is news right now because of a new Snowden document....

Tue, 16 Jul 2013 17:35:56 UTC

The Value of Breaking the Law

Posted By Bruce Schneier

Interesting essay on the impossibility of being entirely lawful all the time, the balance that results from the difficulty of law enforcement, and the societal value of being able to break the law. What's often overlooked, however, is that these legal victories would probably not have been possible without the ability to break the law. The state of Minnesota, for...

Tue, 16 Jul 2013 12:11:32 UTC

A Problem with the US Privacy and Civil Liberties Oversight Board

Posted By Bruce Schneier

I haven't heard much about the Privacy and Civil Liberties Oversight Board. They recently held hearings regarding the Snowden documents. This particular comment stood out: Rachel Brand, another seemingly unsympathetic board member, concluded: "There is nothing that is more harmful to civil liberties than terrorism. This discussion here has been quite sterile because we have not been talking about terrorism."...

Mon, 15 Jul 2013 12:03:16 UTC

Walls Around Nations

Posted By Bruce Schneier

A political history of walls: Roman walls such as Hadrian's Wall, the Great Wall of China, the Berlin Wall, and the wall between Mexico and the U.S. Moral: they solve the wrong problem....

Sat, 13 Jul 2013 23:30:27 UTC

My Fellowship at the Berkman Center

Posted By Bruce Schneier

I have been awarded a fellowship at the Berkman Center for Internet and Society at Harvard University, for the 2013-2014 academic year. I'm excited about this; Berkman and Harvard is where a lot of the cool kids hang out, and I'm looking forward to working with them this coming year. In particular, I have three goals for the year: I...

Fri, 12 Jul 2013 21:49:11 UTC

Friday Squid Blogging: Squid-Bacteria Symbiotic Relationships

Posted By Bruce Schneier

This is really interesting research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Jul 2013 11:37:24 UTC

F2P Monetization Tricks

Posted By Bruce Schneier

This is a really interesting article about something I never even thought about before: how games ("F2P" means "free to play") trick players into paying for stuff. For example: This is my favorite coercive monetization technique, because it is just so powerful. The technique involves giving the player some really huge reward, that makes them really happy, and then threatening...

Thu, 11 Jul 2013 11:36:30 UTC

More NSA Code Names

Posted By Bruce Schneier

We don't know what they mean, but there are a bunch of NSA code names on LinkedIn profiles. ANCHORY, AMHS, NUCLEON, TRAFFICTHIEF, ARCMAP, SIGNAV, COASTLINE, DISHFIRE, FASTSCOPE, OCTAVE/CONTRAOCTAVE, PINWALE, UTT, WEBCANDID, MICHIGAN, PLUS, ASSOCIATION, MAINWAY, FASCIA, OCTSKYWARD, INTELINK, METRICS, BANYAN, MARINA...

Wed, 10 Jul 2013 18:19:52 UTC

The NSA's Project SHAMROCK

Posted By Bruce Schneier

Nice history of Project SHAMROCK, the NSA's illegal domestic surveillance program from the 1970s. It targeted telegrams....

Wed, 10 Jul 2013 10:55:10 UTC

Musing on Secret Languages

Posted By Bruce Schneier

This is really interesting. It starts by talking about a "cant" dictionary of 16th-century thieves' argot, and ends up talking about secret languages in general. Incomprehension breeds fear. A secret language can be a threat: signifier has no need of signified in order to pack a punch. Hearing a conversation in a language we don't speak, we wonder whether we're...

Tue, 09 Jul 2013 17:17:12 UTC

The Effectiveness of Privacy Audits

Posted By Bruce Schneier

This study concludes that there is a benefit to forcing companies to undergo privacy audits: "The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a...

Tue, 09 Jul 2013 11:24:03 UTC

Another Perspective on the Value of Privacy

Posted By Bruce Schneier

A philosophical perspective: But while Descartes's overall view has been rightly rejected, there is something profoundly right about the connection between privacy and the self, something that recent events should cause us to appreciate. What is right about it, in my view, is that to be an autonomous person is to be capable of having privileged access (in the two...

Mon, 08 Jul 2013 16:50:44 UTC

Big Data Surveillance Results in Bad Policy

Posted By Bruce Schneier

Evgeny Morozov makes a point about surveillance and big data: it just looks for useful correlations without worrying about causes, and leads people to implement "fixes" based simply on those correlations -- rather than understanding and correcting the underlying causes. As the media academic Mark Andrejevic points out in Infoglut, his new book on the political implications of information...

Mon, 08 Jul 2013 11:43:43 UTC

Protecting E-Mail from Eavesdropping

Posted By Bruce Schneier

In the wake of the Snowden NSA documents, reporters have been asking me whether encryption can solve the problem. Leaving aside the fact that much of what the NSA is collecting can't be encrypted by the user -- telephone metadata, e-mail headers, phone calling records, e-mail you're reading from a phone or tablet or cloud provider, anything you post on...

Fri, 05 Jul 2013 21:01:02 UTC

Friday Squid Blogging: Giant Origami Squid

Posted By Bruce Schneier

Giant origami squid photo found -- without explanation -- on Reddit. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Jul 2013 18:33:21 UTC

How Apple Continues to Make Security Invisible

Posted By Bruce Schneier

Interesting article: Apple is famously focused on design and human experience as their top guiding principles. When it comes to security, that focus created a conundrum. Security is all about placing obstacles in the way of attackers, but (despite the claims of security vendors) those same obstacles can get in the way of users, too. [...] For many years, Apple...

Fri, 05 Jul 2013 17:08:44 UTC

Sixth Movie-Plot Threat Contest Winner

Posted By Bruce Schneier

On April 1, I announced the Sixth Mostly-Annual Movie-Plot Threat Contest: For this year's contest, I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off...

Fri, 05 Jul 2013 12:04:39 UTC

Is Cryptography Engineering or Science?

Posted By Bruce Schneier

Responding to a tweet by Thomas Ptacek saying, "If you're not learning crypto by coding attacks, you might not actually be learning crypto," Colin Percival published a well-thought-out rebuttal, saying in part: If we were still in the 1990s, I would agree with Thomas. 1990s cryptography was full of holes, and the best you could hope for was to know...

Thu, 04 Jul 2013 12:07:42 UTC

The Office of the Director of National Intelligence Defends NSA Surveillance Programs

Posted By Bruce Schneier

Here's a transcript of a panel discussion about NSA surveillance. There's a lot worth reading here, but I want to quote Bob Litt's opening remarks. He's the General Counsel for ODNI, and he has a lot to say about the programs revealed so far in the Snowden documents. I'm reminded a little bit of a quote that, like many quotes,...

Wed, 03 Jul 2013 17:30:40 UTC

Privacy Protests

Posted By Bruce Schneier

Interesting law journal article: "Privacy Protests: Surveillance Evasion and Fourth Amendment Suspicion," by Elizabeth E. Joh. Abstract: The police tend to think that those who evade surveillance are criminals. Yet the evasion may only be a protest against the surveillance itself. Faced with the growing surveillance capacities of the government, some people object. They buy "burners" (prepaid phones) or "freedom...

Wed, 03 Jul 2013 11:02:57 UTC

US Department of Defense Censors Snowden Story

Posted By Bruce Schneier

The US Department of Defense is blocking sites that are reporting about the Snowden documents. I presume they're not censoring sites that are smearing him personally. Note that the DoD is only blocking those sites on its own network, not on the Internet at large. The blocking is being done by automatic filters, presumably the same ones used to block...

Tue, 02 Jul 2013 17:08:09 UTC

Security Analysis of Children

Posted By Bruce Schneier

This is a really good paper describing the unique threat model of children in the home, and the sorts of security philosophies that are effective in dealing with them. Stuart Schechter, "The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button!" Definitely worth reading. Abstract: Children represent a unique challenge to the security and privacy...

Tue, 02 Jul 2013 11:49:40 UTC

NSA E-Mail Eavesdropping

Posted By Bruce Schneier

More Snowden documents analyzed by the Guardian -- two articles -- discuss how the NSA collected e-mails and data on Internet activity of both Americans and foreigners. The program might have ended in 2011, or it might have continued under a different name. This is the program that resulted in that bizarre tale of Bush officials confronting then-Attorney General John...

Mon, 01 Jul 2013 19:06:36 UTC

I've Joined the EFF Board

Posted By Bruce Schneier

I'm now on the board of directors of the EFF....

Mon, 01 Jul 2013 17:16:50 UTC

How the NSA Eavesdrops on Americans

Posted By Bruce Schneier

Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA's data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures. The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis -- and possibly...

Mon, 01 Jul 2013 11:24:54 UTC

SIMON and SPECK: New NSA Encryption Algorithms

Posted By Bruce Schneier

The NSA has published some new symmetric algorithms: Abstract: In this paper we propose two families of block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. While many lightweight block ciphers exist, most were designed to perform well on a single platform and were not meant to provide high performance across a...

Fri, 28 Jun 2013 21:07:47 UTC

Friday Squid Blogging: Man Pulled Under by Squids

Posted By Bruce Schneier

Video story on Animal Planet. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Jun 2013 19:44:48 UTC

Me on EconTalk

Posted By Bruce Schneier

Another audio interview; this one is mostly about security and power....

Fri, 28 Jun 2013 19:42:25 UTC

My Talk at Google

Posted By Bruce Schneier

Last week, I gave a talk at Google. It's another talk about power and security, my continually evolving topic-of-the-moment that could very well become my next book. This installment is different than the previous talks and interviews, but not different enough that you should feel the need to watch it if you've seen the others. There are things I got...

Fri, 28 Jun 2013 18:37:18 UTC

Preventing Cell Phone Theft through Benefit Denial

Posted By Bruce Schneier

Adding a remote kill switch to cell phones would deter theft. Here we can see how the rise of the surveillance state permeates everything about computer security. On the face of it, this is a good idea. Assuming it works -- that 1) it's not possible for thieves to resurrect phones in order to resell them, and 2) that it's...

Fri, 28 Jun 2013 10:31:29 UTC

Malware that Foils Two-Factor Authentication

Posted By Bruce Schneier

This is an interesting article about a new breed of malware that also hijacks the victim's phone text messaging system, to intercept one-time passwords sent via that channel....

Thu, 27 Jun 2013 16:49:00 UTC

Pre-9/11 NSA Thinking

Posted By Bruce Schneier

This quote is from the Spring 1997 issue of CRYPTOLOG, the internal NSA newsletter. The writer is William J. Black, Jr., the Director's Special Assistant for Information Warfare. Specifically, the focus is on the potential abuse of the Government's applications of this new information technology that will result in an invasion of personal privacy. For us, this is difficult to...

Thu, 27 Jun 2013 11:34:02 UTC

Lessons from Biological Security

Posted By Bruce Schneier

Nice essay: The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our...

Wed, 26 Jun 2013 17:35:22 UTC

Secrecy and Privacy

Posted By Bruce Schneier

Interesting article on the history of, and the relationship between, secrecy and privacy As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late....

Wed, 26 Jun 2013 12:02:56 UTC

Cracking the Kryptos Sculpture

Posted By Bruce Schneier

Great story....

Tue, 25 Jun 2013 11:24:04 UTC

MAD in Cyberspace

Posted By Bruce Schneier

Ron Beckstrom gives a talk (video and transcript) about "Mutually Assured Destruction," "Mutually Assured Disruption," and "Mutually Assured Dependence."...

Mon, 24 Jun 2013 18:38:30 UTC

Spear Phishing Attack Against the Financial Times

Posted By Bruce Schneier

Interesting story with a lot of details....

Mon, 24 Jun 2013 10:31:09 UTC

The Future of Satellite Surveillance

Posted By Bruce Schneier

Pretty scary -- and cool. Remember, it's not any one thing that's worrisome; it's everything together....

Fri, 21 Jun 2013 21:28:54 UTC

Friday Squid Blogging: How the Acidification of the Oceans Affects Squid

Posted By Bruce Schneier

It's not good. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Jun 2013 19:32:30 UTC

Me on the Lou Dobbs Show

Posted By Bruce Schneier

I was on the Lou Dobbs Show earlier this week....

Fri, 21 Jun 2013 16:43:45 UTC

US Offensive Cyberwar Policy

Posted By Bruce Schneier

Today, the United States is conducting offensive cyberwar actions around the world. More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pretargeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice. This is much worse than what...

Fri, 21 Jun 2013 11:25:36 UTC

The Japanese Response to Terrorism

Posted By Bruce Schneier

Lessons from Japan's response to Aum Shinrikyo: Yet what's as remarkable as Aum's potential for mayhem is how little of it, on balance, they actually caused. Don't misunderstand me: Aum's crimes were horrific, not merely the terrible subway gassing but their long history of murder, intimidation, extortion, fraud, and exploitation. What they did was unforgivable, and the human cost, devastating....

Thu, 20 Jun 2013 19:42:51 UTC

New Details on Skype Eavesdropping

Posted By Bruce Schneier

This article, on the cozy relationship between the commercial personal-data industry and the intelligence industry, has new information on the security of Skype. Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on...

Thu, 20 Jun 2013 17:19:30 UTC

Love Letter to an NSA Agent

Posted By Bruce Schneier

A fine piece: "A Love Letter to the NSA Agent who is Monitoring my Online Activity." A similar sentiment is expressed in this video....

Thu, 20 Jun 2013 11:04:23 UTC

The US Uses Vulnerability Data for Offensive Purposes

Posted By Bruce Schneier

Companies allow US intelligence to exploit vulnerabilities before they patch them: Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists...

Wed, 19 Jun 2013 19:18:05 UTC

Petition the NSA to Subject its Surveillance Program to Public Comment

Posted By Bruce Schneier

I have signed a petition calling on the NSA to "suspend its domestic surveillance program pending public comment." This is what's going on: In a request today to National Security Agency director Keith Alexander and Defense Secretary Chuck Hagel, the group argues that the NSA's recently revealed domestic surveillance program is "unlawful" because the agency neglected to request public comments...

Wed, 19 Jun 2013 16:19:12 UTC

Finding Sociopaths on Facebook

Posted By Bruce Schneier

On his blog, Scott Adams suggests that it might be possible to identify sociopaths based on their interactions on social media. My hypothesis is that science will someday be able to identify sociopaths and terrorists by their patterns of Facebook and Internet use. I'll bet normal people interact with Facebook in ways that sociopaths and terrorists couldn't duplicate. Anyone can...

Wed, 19 Jun 2013 11:24:04 UTC

Cost/Benefit Questions NSA Surveillance

Posted By Bruce Schneier

John Mueller and Mark Stewart ask the important questions about the NSA surveillance programs: why were they secret, what have they accomplished, and what do they cost? This essay attempts to figure out if they accomplished anything, and this essay attempts to figure out if they can be effective at all....

Tue, 18 Jun 2013 21:00:47 UTC

Details of NSA Data Requests from US Corporations

Posted By Bruce Schneier

Facebook (here), Apple (here), and Yahoo (here) have all released details of US government requests for data. They each say that they've turned over user data for about 10,000 people, although the time frames are different. The exact number isn't important; what's important is that it's much lower than the millions implied by the PRISM document. Now the big question:...

Tue, 18 Jun 2013 16:02:52 UTC

NSA Secrecy and Personal Privacy

Posted By Bruce Schneier

In an excellent essay about privacy and secrecy, law professor Daniel Solove makes an important point. There are two types of NSA secrecy being discussed. It's easy to confuse them, but they're very different. Of course, if the government is trying to gather data about a particular suspect, keeping the specifics of surveillance efforts secret will decrease the likelihood of...

Tue, 18 Jun 2013 11:57:57 UTC

Evidence that the NSA Is Storing Voice Content, Not Just Metadata

Posted By Bruce Schneier

Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading. I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls are just too much data to move around and store. Now, I don't know. There's a bit of a conspiracy-theory air to all of...

Mon, 17 Jun 2013 17:47:38 UTC

Project C-43: A Final Piece of Public-Key Cryptography History

Posted By Bruce Schneier

This finally explains what John Ellis was talking about in "The Possibility of Non-Secret Encryption" when he dropped a tantalizing hint about wartime work at Bell Labs....

Mon, 17 Jun 2013 11:13:27 UTC

Blowback from the NSA Surveillance

Posted By Bruce Schneier

There's one piece of blowback that isn't being discussed -- aside from the fact that Snowden killed the chances of a liberal arts major getting a job at the DoD for a decade -- and that's how the massive NSA surveillance of the Internet affects the US's role in Internet governance. Ron Deibert makes this point: But there are unintended...

Fri, 14 Jun 2013 21:53:53 UTC

Friday Squid Blogging: Sperm Consumption in the Southern Bottletail Squid

Posted By Bruce Schneier

It's a novel behavior. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Jun 2013 17:20:07 UTC

Sixth Annual Movie-Plot Threat Contest Semifinalists

Posted By Bruce Schneier

On April 1, I announced the Sixth Annual Movie Plot Threat Contest: I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off 911 emergency services...

Fri, 14 Jun 2013 12:15:16 UTC

Ricin as a Terrorist Tool

Posted By Bruce Schneier

This paper (full paper behind paywall) -- from Environment International (2009) -- does a good job of separating fact from fiction: Abstract: In recent years there has been an increased concern regarding the potential use of chemical and biological weapons for mass urban terror. In particular, there are concerns that ricin could be employed as such an agent. This has...

Thu, 13 Jun 2013 21:06:11 UTC

Trading Privacy for Convenience

Posted By Bruce Schneier

Ray Wang makes an important point about trust and our data: This is the paradox. The companies contending to win our trust to manage our digital identities all seem to have complementary (or competing) business models that breach that trust by selling our data. ...and by turning it over to the government. The current surveillance state is a result of...

Thu, 13 Jun 2013 16:34:42 UTC

More on Feudal Security

Posted By Bruce Schneier

Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones. Both Twitter and LinkedIn have recently suffered security breaches that affected the data of hundreds of...

Thu, 13 Jun 2013 11:09:34 UTC

Essays Related to NSA Spying Documents

Posted By Bruce Schneier

Here's a quick list of some of my older writings that are related to the current NSA spying documents: "The Internet Is a Surveillance State," 2013. The importance of government transparency and accountability, 2013. The dangers of a government/corporate eavesdropping partnership, 2013. "Why Data Mining Won't Stop Terror," 2006. "The Eternal Value of Privacy," 2006. The dangers of our...

Wed, 12 Jun 2013 11:16:10 UTC

Prosecuting Snowden

Posted By Bruce Schneier

Edward Snowden broke the law by releasing classified information. This isn't under debate; it's something everyone with a security clearance knows. It's written in plain English on the documents you have to sign when you get a security clearance, and it's part of the culture. The law is there for a good reason, and secrecy has an important role in...

Tue, 11 Jun 2013 17:30:02 UTC

The Psychology of Conspiracy Theories

Posted By Bruce Schneier

Interesting. Crazy as these theories are, those propagating them are not -- they're quite normal, in fact. But recent scientific research tells us this much: if you think one of the theories above is plausible, you probably feel the same way about the others, even though they contradict one another. And it's very likely that this isn't the only news...

Tue, 11 Jun 2013 11:21:36 UTC

Trust in IT

Posted By Bruce Schneier

Ignore the sensationalist headline. This article is a good summary of the need for trust in IT, and provides some ideas for how to enable more of it. Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence. All these...

Mon, 10 Jun 2013 17:50:39 UTC

Tagging and Location Technologies

Posted By Bruce Schneier

Interesting speculative article....

Mon, 10 Jun 2013 11:12:06 UTC

Government Secrets and the Need for Whistle-blowers

Posted By Bruce Schneier

Yesterday, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That's everything except the voice content: who called who, where they were, how long the call lasted -- for millions of people, both Americans and foreigners. This "metadata" allows the government to track the movements of everyone during that period,...

Fri, 07 Jun 2013 21:35:19 UTC

Friday Squid Blogging: Squid Comic

Posted By Bruce Schneier

A squid comic about the importance of precise language in security warnings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Jun 2013 19:22:58 UTC

Audio Interview with Me

Posted By Bruce Schneier

In this podcast interview, I talk about security, power, and the various things I have been thinking about recently....

Fri, 07 Jun 2013 11:41:26 UTC

A Really Good Article on How Easy it Is to Crack Passwords

Posted By Bruce Schneier

Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours. The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456,"...

Thu, 06 Jun 2013 10:58:02 UTC

The Cost of Terrorism in Pakistan

Posted By Bruce Schneier

This study claims "terrorism has cost Pakistan around 33.02% of its real national income" between the years 1973 and 2008, or about 1% per year. The St. Louis Fed puts the real gross national income of the U.S. at about $13 trillion total, hand-waving an average over the past few years. The best estimate I've seen for the increased cost...

Wed, 05 Jun 2013 18:11:21 UTC

Eugene Spafford Answers Questions on CNN.com

Posted By Bruce Schneier

Excellent interview....

Wed, 05 Jun 2013 12:20:43 UTC

Security and Human Behavior (SHB 2013)

Posted By Bruce Schneier

I'm at the Sixth Interdisciplinary Workshop on Security and Human Behavior (SHB 2013). This year we're in Los Angeles, at USC -- hosted by CREATE. My description from last year still applies: SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom...

Tue, 04 Jun 2013 17:44:37 UTC

The Problems with CALEA-II

Posted By Bruce Schneier

The FBI wants a new law that will make it easier to wiretap the Internet. Although its claim is that the new law will only maintain the status quo, it's really much worse than that. This law will result in less-secure Internet products and create a foreign industry in more-secure alternatives. It will impose costly burdens on affected companies. It...

Tue, 04 Jun 2013 11:19:24 UTC

The Security Risks of Unregulated Google Search

Posted By Bruce Schneier

Someday I need to write an essay on the security risks of secret algorithms that become part of our infrastructure. This paper gives one example of that. Could Google tip an election by manipulating what comes up from search results on the candidates? The study's participants, selected to resemble the US voting population, viewed the results for two candidates on...

Mon, 03 Jun 2013 11:15:22 UTC

The Problems with Managing Privacy by Asking and Giving Consent

Posted By Bruce Schneier

New paper from the Harvard Law Review by Daniel Solove: "Privacy Self-Management and the Consent Dilemma": Privacy self-management takes refuge in consent. It attempts to be neutral about substance -- whether certain forms of collecting, using, or disclosing personal data are good or bad -- and instead focuses on whether people consent to various privacy practices. Consent legitimizes nearly any...

Fri, 31 May 2013 21:39:11 UTC

Friday Squid Blogging: Squid Pronouns

Posted By Bruce Schneier

The translated version of a Spanish menu contains the entry "squids in his (her, your) ink." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 May 2013 11:07:46 UTC

The Rise of Amateurs Recording Events

Posted By Bruce Schneier

Interesting article on a greatly increased aspect of surveillance: "the ordinary citizen who by chance finds himself in a position to record events of great public import, and to share the results with the rest of us."...

Thu, 30 May 2013 11:31:22 UTC

Why We Lie

Posted By Bruce Schneier

This, by Judge Kozinski, is from a Federal court ruling about false statements and First Amendment protection: Saints may always tell the truth, but for mortals living means lying. We lie to protect our privacy ("No, I don't live around here"); to avoid hurt feelings ("Friday is my study night"); to make others feel better ("Gee you've gotten skinny"); to...

Wed, 29 May 2013 16:22:22 UTC

Are We Finally Thinking Sensibly About Terrorism?

Posted By Bruce Schneier

This article wonders if we are: Yet for pretty much the first time there has been a considerable amount of media commentary seeking to put terrorism in context -- commentary that concludes, as a Doyle McManus article in the Los Angeles Times put it a day after the attack, "We're safer than we think." Similar tunes were sung by Tom...

Tue, 28 May 2013 17:52:54 UTC

Nassim Nicholas Taleb on Risk Perception

Posted By Bruce Schneier

From his Facebook page: An illustration of how the news are largely created, bloated and magnified by journalists. I have been in Lebanon for the past 24h, and there were shells falling on a suburb of Beirut. Yet the news did not pass the local *social filter* and did [not] reach me from social sources.... The shelling is the kind...

Tue, 28 May 2013 10:09:16 UTC

The Politics of Security in a Democracy

Posted By Bruce Schneier

Terrorism causes fear, and we overreact to that fear. Our brains aren't very good at probability and risk analysis. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. We think rare risks are more common than they are, and we fear them more than probability indicates we should. Our leaders are just as...

Fri, 24 May 2013 21:54:17 UTC

Friday Squid Blogging: Eating Giant Squid

Posted By Bruce Schneier

How does he know this? Chris Cosentino, the Bay Area's "Offal Chef" at Incanto in San Francisco and PIGG at Umamicatessen in Los Angeles, opted for the most intimidating choice of all -- giant squid. "When it comes to underutilized fish, I wish the public wasn't so afraid of different shapes and sizes outside of the standard fillet," he said....

Fri, 24 May 2013 17:17:02 UTC

Training Baggage Screeners

Posted By Bruce Schneier

The research in G. Giguère and B.C. Love, "Limits in decision making arise from limits in memory retrieval," Proceedings of the National Academy of Sciences v. 19 (2013) has applications in training airport baggage screeners. Abstract: Some decisions, such as predicting the winner of a baseball game, are challenging in part because outcomes are probabilistic. When making such decisions, one...

Fri, 24 May 2013 13:40:57 UTC

New Report on Teens, Social Media, and Privacy

Posted By Bruce Schneier

Interesting report from the Pew Internet and American Life Project: Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006: 91% post a photo of themselves, up from 79% in 2006. 71% post their school name, up from 49%. 71% post the city or town where they...

Thu, 23 May 2013 14:18:26 UTC

One-Shot vs. Iterated Prisoner's Dilemma

Posted By Bruce Schneier

This post by Aleatha Parker-Wood is very applicable to the things I wrote in Liars & Outliers: A lot of fundamental social problems can be modeled as a disconnection between people who believe (correctly or incorrectly) that they are playing a non-iterated game (in the game theory sense of the word), and people who believe (correctly or incorrectly) that...

Wed, 22 May 2013 17:05:54 UTC

"The Global Cyber Game"

Posted By Bruce Schneier

This 127-page report was just published by the UK Defence Academy. I have not read it yet, but it looks really interesting. Executive Summary: This report presents a systematic way of thinking about cyberpower and its use by a variety of global players. The urgency of addressing cyberpower in this way is a consequence of the very high value of...

Wed, 22 May 2013 11:24:45 UTC

DDOS as Civil Disobedience

Posted By Bruce Schneier

For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, is a part of that. This is one of the reasons I found Molly Sauter's recent thesis, "Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet," so interesting:...

Tue, 21 May 2013 11:15:11 UTC

Surveillance and the Internet of Things

Posted By Bruce Schneier

The Internet has turned into a massive surveillance tool. We're constantly monitored on the Internet by hundreds of companies -- both familiar and unfamiliar. Everything we do there is recorded, collected, and collated -- sometimes by corporations wanting to sell us stuff and sometimes by governments wanting to keep an eye on us. Ephemeral conversation is over. Wholesale surveillance is...

Mon, 20 May 2013 11:34:17 UTC

Security Risks of Too Much Security

Posted By Bruce Schneier

All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them. The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound. "Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms...

Fri, 17 May 2013 21:57:09 UTC

Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture

Posted By Bruce Schneier

Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 May 2013 19:59:37 UTC

Applied Cryptography on Elementary

Posted By Bruce Schneier

In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show....

Thu, 16 May 2013 13:45:20 UTC

Bluetooth-Controlled Door Lock

Posted By Bruce Schneier

Here is a new lock that you can control via Bluetooth and an iPhone app. That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found...

Tue, 14 May 2013 10:48:13 UTC

Transparency and Accountability

Posted By Bruce Schneier

As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing...

Mon, 13 May 2013 13:15:20 UTC

2007 NSA Manual on Internet Hacking

Posted By Bruce Schneier

Mildly interesting....

Fri, 10 May 2013 21:26:12 UTC

Friday Squid Blogging: Squid Festival in Monterey

Posted By Bruce Schneier

It's at the end of May. Note that it's being put on by the Calamari Entertainment Group. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 May 2013 18:49:42 UTC

The Onion on Browser Security

Posted By Bruce Schneier

Wise advice: At Chase Bank, we recognize the value of online banking -- it's quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That's why, when you're finished with your online banking session, we recommend three simple steps to protect your personal...

Fri, 10 May 2013 11:47:32 UTC

Mail Cover

Posted By Bruce Schneier

From a FOIAed Department of Transportation document on investigative techniques: A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law....

Thu, 09 May 2013 10:16:46 UTC

The Economist on Guantanamo

Posted By Bruce Schneier

Maybe the tide is turning: America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle...

Wed, 08 May 2013 18:54:28 UTC

Reidentifying Anonymous Data

Posted By Bruce Schneier

Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results. Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three...
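
The linkage Sweeney describes, as an added example with constructed data (not code or data from the original post or her paper): an "anonymised" table keeps birth date, gender and ZIP code as quasi-identifiers, a public roster such as a voter list carries the same three fields plus names, and a join on the triple re-identifies every record whose triple is unique in the roster. The example also shows how generalizing the quasi-identifiers (birth year, 3-digit ZIP prefix) lowers the uniqueness rate. All names, dates and ZIP codes below are made up.

```python
# Added example: linkage attack on quasi-identifiers (dob, sex, zip),
# plus the effect of generalizing those fields. Sample data is constructed.
from collections import Counter, defaultdict

# Constructed "anonymised" records: names removed, quasi-identifiers kept.
ANON_RECORDS = [
    {"record_id": "A1", "dob": "1965-03-11", "sex": "F", "zip": "02138", "diagnosis": "hypertension"},
    {"record_id": "A2", "dob": "1971-07-04", "sex": "M", "zip": "02139", "diagnosis": "asthma"},
    {"record_id": "A3", "dob": "1988-12-25", "sex": "F", "zip": "02139", "diagnosis": "diabetes"},
    {"record_id": "A4", "dob": "1950-01-30", "sex": "M", "zip": "02140", "diagnosis": "arthritis"},
    {"record_id": "A5", "dob": "1992-09-09", "sex": "M", "zip": "02138", "diagnosis": "migraine"},
]

# Constructed public roster (think of a purchased voter registration list).
PUBLIC_ROSTER = [
    {"name": "Alice Adams", "dob": "1965-03-11", "sex": "F", "zip": "02138"},
    {"name": "Bob Baker",   "dob": "1971-07-04", "sex": "M", "zip": "02139"},
    {"name": "Carol Chen",  "dob": "1988-12-25", "sex": "F", "zip": "02139"},
    {"name": "Dana Diaz",   "dob": "1988-12-25", "sex": "F", "zip": "02139"},
    {"name": "Evan Ellis",  "dob": "1992-09-09", "sex": "M", "zip": "02138"},
    {"name": "Frank Fox",   "dob": "1983-05-05", "sex": "M", "zip": "02140"},
    {"name": "Grace Gu",    "dob": "1965-03-11", "sex": "F", "zip": "02140"},
]


def quasi_id(rec):
    """Exact quasi-identifier triple: full birth date, sex, 5-digit ZIP."""
    return (rec["dob"], rec["sex"], rec["zip"])


def generalized_id(rec):
    """Coarsened triple: birth year only and a 3-digit ZIP prefix."""
    return (rec["dob"][:4], rec["sex"], rec["zip"][:3])


def uniqueness_rate(records, key=quasi_id):
    """Fraction of records whose key value occurs exactly once in the table."""
    counts = Counter(key(r) for r in records)
    return sum(1 for r in records if counts[key(r)] == 1) / len(records)


def link(anon, public, key=quasi_id):
    """Re-identify anonymised records by joining on the key.

    Only unambiguous matches (exactly one roster entry with that key) count;
    a key shared by several people or absent from the roster yields nothing.
    """
    index = defaultdict(list)
    for p in public:
        index[key(p)].append(p["name"])
    matched = {}
    for a in anon:
        names = index.get(key(a), [])
        if len(names) == 1:
            matched[a["record_id"]] = names[0]
    return matched


if __name__ == "__main__":
    print("roster uniqueness, exact triple:", uniqueness_rate(PUBLIC_ROSTER))
    print("roster uniqueness, generalized:", uniqueness_rate(PUBLIC_ROSTER, generalized_id))
    print("re-identified:", link(ANON_RECORDS, PUBLIC_ROSTER))
    print("re-identified after generalizing:", link(ANON_RECORDS, PUBLIC_ROSTER, generalized_id))
```

With this data A3 is safe only because two roster entries share its triple, and A4 is safe only because it is not on the roster at all; generalizing the fields shrinks the set of unique keys but still leaves some records linkable, which is why k-anonymity is judged on the whole table rather than on a few lucky rows.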

Wed, 08 May 2013 11:32:35 UTC

Evacuation Alerts at the Airport

Posted By Bruce Schneier

Last week, an employee error caused the monitors at LAX to display a building evacuation order: At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport...

Tue, 07 May 2013 17:57:36 UTC

Is the U.S. Government Recording and Saving All Domestic Telephone Calls?

Posted By Bruce Schneier

I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here: More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18. What exactly the two said remains under investigation, the sources...

Tue, 07 May 2013 11:10:49 UTC

Intelligence Analysis and the Connect-the-Dots Metaphor

Posted By Bruce Schneier

The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn't happen again? It's an old song by now, one we heard after the...

Mon, 06 May 2013 18:17:15 UTC

Michael Chertoff on Google Glass

Posted By Bruce Schneier

Interesting op-ed by former DHS head Michael Chertoff on the privacy risks of Google Glass. Now imagine that millions of Americans walk around each day wearing the equivalent of a drone on their head: a device capable of capturing video and audio recordings of everything that happens around them. And imagine that these devices upload the data to large-scale commercial...

Mon, 06 May 2013 10:44:34 UTC

Honeywords

Posted By Bruce Schneier

Here is a simple but clever idea. Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file....
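
The idea in working form, as an added example that is not code from the original post or from the honeywords paper it points to: the password file stores several hashed "sweetwords" per user, only one of them real, and a separate honeychecker knows which index is the real one. A login that hashes to a decoy raises an alarm instead of succeeding. The decoy generator, the PBKDF2 iteration count (lowered so the demo is fast) and the `login` return values are this example's own choices.

```python
# Added example: a minimal honeyword scheme (password file + honeychecker).
# The KDF iteration count is deliberately low for the demo; use a real
# password KDF with a production work factor in a live system.
import hashlib
import hmac
import os
import secrets

KDF_ITERATIONS = 2_000  # demo value only


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def make_honeywords(real: str, count: int) -> list:
    """Generate `count` decoys that look like plausible variants of the real password.

    This is a toy tweak (replace the last two characters with random digits);
    the paper discusses far better ways to make decoys indistinguishable.
    """
    decoys = set()
    while len(decoys) < count:
        candidate = real[:-2] + f"{secrets.randbelow(100):02d}"
        if candidate != real:
            decoys.add(candidate)
    return sorted(decoys)


class HoneyChecker:
    """Separate, hardened server that knows only which index is real per user."""

    def __init__(self):
        self.real_index = {}
        self.alarms = []

    def register(self, username: str, index: int) -> None:
        self.real_index[username] = index

    def check(self, username: str, index: int) -> bool:
        if index == self.real_index.get(username):
            return True
        # A decoy matched: someone is using a cracked copy of the password file.
        self.alarms.append(username)
        return False


class PasswordStore:
    """The main password file: per user a salt and n hashes, only one of them real."""

    def __init__(self):
        self.users = {}

    def add_user(self, username: str, real_password: str, checker: HoneyChecker,
                 decoys=None, n_decoys: int = 3) -> None:
        salt = os.urandom(16)
        sweetwords = list(decoys) if decoys is not None else make_honeywords(real_password, n_decoys)
        sweetwords.append(real_password)
        secrets.SystemRandom().shuffle(sweetwords)
        self.users[username] = (salt, [hash_password(w, salt) for w in sweetwords])
        checker.register(username, sweetwords.index(real_password))


def login(store: PasswordStore, checker: HoneyChecker, username: str, password: str) -> str:
    """Return 'ok', 'fail' (nothing matched) or 'alarm' (a decoy matched)."""
    if username not in store.users:
        return "fail"
    salt, hashes = store.users[username]
    candidate = hash_password(password, salt)
    for i, h in enumerate(hashes):
        if hmac.compare_digest(candidate, h):
            return "ok" if checker.check(username, i) else "alarm"
    return "fail"


if __name__ == "__main__":
    store, checker = PasswordStore(), HoneyChecker()
    store.add_user("alice", "correct-horse-42", checker)
    print(login(store, checker, "alice", "correct-horse-42"))   # ok
    print(login(store, checker, "alice", "not-even-close"))     # fail
```

The point of the split is that an attacker who steals and cracks the password file gets n candidates per user and, absent the honeychecker's index, has a 1-in-n chance of picking the real one; a wrong pick is what sets off the alarm.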

Fri, 03 May 2013 21:33:52 UTC

Friday Squid Blogging: Squid Escape Artist

Posted By Bruce Schneier

It's amazing how small a hole he can fit through. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 May 2013 17:44:28 UTC

Another WWII Message Decoded

Posted By Bruce Schneier

It's a really interesting code and story. (The first link has the most detailed information about the code and the cryptanalysis.)...

Fri, 03 May 2013 11:15:48 UTC

The Public/Private Surveillance Partnership

Posted By Bruce Schneier

Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received -- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. Either they're prohibited by law from asking without probable cause and a judicial order, or they simply have no...

Thu, 02 May 2013 18:09:29 UTC

Risks of Networked Systems

Posted By Bruce Schneier

Interesting research: Helbing's publication illustrates how cascade effects and complex dynamics amplify the vulnerability of networked systems. For example, just a few long-distance connections can largely decrease our ability to mitigate the threats posed by global pandemics. Initially beneficial trends, such as globalization, increasing network densities, higher complexity, and an acceleration of institutional decision processes may ultimately push human-made or...

Thu, 02 May 2013 11:50:28 UTC

More on FinSpy/FinFisher

Posted By Bruce Schneier

FinFisher (also called FinSpy) is a commercially sold spyware package that is used by governments world-wide, including the U.S. There's a new report that has a bunch of new information: Our new findings include: We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria. Taken together...

Wed, 01 May 2013 18:58:05 UTC

Google Pays $31,000 for Three Chrome Vulnerabilities

Posted By Bruce Schneier

Google is paying bug bounties. This is important; there's a market in vulnerabilities that provides incentives for their being kept secret and exploitable; for Google to buy and patch them makes us all more secure. The U.S. government should do the same....

Wed, 01 May 2013 15:26:40 UTC

Details of a Cyberheist

Posted By Bruce Schneier

Really interesting article detailing how criminals steal from a company's accounts over the Internet. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years. Basically, the criminals break into the...

Tue, 30 Apr 2013 18:29:38 UTC

The Importance of Backups

Posted By Bruce Schneier

I've already written about the guy who got a new trial because a virus ate his court records. Here's someone who will have to redo his thesis research because someone stole his only copy of the data. Remember the rule: no one ever wants backups, but everyone always wants restores. I have no idea if that image is real or...

Tue, 30 Apr 2013 11:11:44 UTC

Pinging the Entire Internet

Posted By Bruce Schneier

Turns out there's a lot of vulnerable systems out there: Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them. On Tuesday, Moore published results on a particularly troubling segment...

Mon, 29 Apr 2013 15:27:24 UTC

More Links on the Boston Terrorist Attacks

Posted By Bruce Schneier

Max Abrahms has two sensible essays. Probably the ultimate in security theater: Williams-Sonoma stops selling pressure cookers "out of respect." They say it's temporary. (I bought a Williams-Sonoma pressure cooker last Christmas; I wonder if I'm now on a list.) A tragedy: Sunil Tripathi, whom Reddit and other sites wrongly identified as one of the bombers, was found dead in...

Fri, 26 Apr 2013 21:05:44 UTC

Friday Squid Blogging: Lego Giant Squid Model

Posted By Bruce Schneier

This is a fantastic Lego model of a space kraken attacking a Star Wars Super Star Destroyer. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Apr 2013 17:21:46 UTC

xkcd on a Bad Threat Model

Posted By Bruce Schneier

Funny, and true....

Fri, 26 Apr 2013 12:19:58 UTC

Tor Needs Bridges

Posted By Bruce Schneier

The Internet anonymity service Tor needs people who are willing to run bridges. It's a goodness for the world; do it if you can....

Thu, 25 Apr 2013 19:37:05 UTC

Cryptanalyst on British Postage Stamps

Posted By Bruce Schneier

A 92-year-old World War II Bletchley Park codebreaker has had a set of commemorative stamps issued in his honor....

Thu, 25 Apr 2013 11:42:54 UTC

Random Links on the Boston Terrorist Attack

Posted By Bruce Schneier

Encouraging poll data says that maybe Americans are starting to have realistic fears about terrorism, or at least are refusing to be terrorized. Good essay by Scott Atran on terrorism and our reaction. Reddit apologizes. I think this is a big story. The Internet is going to help in everything, including trying to identify terrorists. This will happen whether or...

Wed, 24 Apr 2013 18:06:27 UTC

Ellen on Protecting Passwords

Posted By Bruce Schneier

Pretty good video. Ellen makes fun of the "Internet Password Minder," which is -- if you think about it -- only slightly different than Password Safe....

Wed, 24 Apr 2013 11:51:07 UTC

More Plant Security Countermeasures

Posted By Bruce Schneier

I've talked about plant security systems, both here and in Beyond Fear. Specifically, I've talked about tobacco plants that call air strikes against insects that eat them, by releasing a scent that attracts predators to those insects. Here's another defense: the plants also tag caterpillars for predators by feeding them a sweet snack (full episode here) that makes them give...

Tue, 23 Apr 2013 17:34:27 UTC

The Police Now Like Amateur Photography

Posted By Bruce Schneier

PhotographyIsNotACrime.com points out the obvious: after years of warning us that photography is suspicious, the police were happy to accept all of those amateur photographs and videos at the Boston Marathon. Adding to the hypocrisy is that these same authorities will most likely start clamping down on citizens with cameras more than ever once the smoke clears and we once...

Tue, 23 Apr 2013 12:10:50 UTC

Securing Members of Congress from Transparency

Posted By Bruce Schneier

I commented in this article on the repeal of the transparency provisions of the STOCK Act: Passed in 2012 after a 60 Minutes report on insider trading practices in Congress, the STOCK Act banned members of Congress and senior executive and legislative branch officials from trading based on government knowledge. To give the ban teeth, the law directed that many...

Sun, 21 Apr 2013 15:48:08 UTC

About Police Shoot Outs and Spectators

Posted By Bruce Schneier

Hopefully this advice is superfluous for my audience, but it's so well written it's worth reading nonetheless: 7. SO, the bottom line is this: If you are in a place where you hear steady, and sustained, and nearby (let's call that, for some technical reasons, anything less than 800 meters) gunfire, do these things: Go to your basement. You are...

Sun, 21 Apr 2013 11:36:17 UTC

A Discussion of Redaction

Posted By Bruce Schneier

Interesting....

Sat, 20 Apr 2013 13:19:32 UTC

The Boston Marathon Bomber Manhunt

Posted By Bruce Schneier

I generally give the police a lot of tactical leeway in times like this. The very armed and very dangerous suspects warranted extraordinary treatment. They were perfectly capable of killing again, taking hostages, planting more bombs -- and we didn't know the extent of the plot or the group. That's why I didn't object to the massive police dragnet, the...

Fri, 19 Apr 2013 18:40:57 UTC

Me at the Berkman Center

Posted By Bruce Schneier

Earlier this month I spent a week at the Berkman Center for Internet and Society, talking to people about power, security, technology, and threats (details here). As part of that week, I gave a public talk at Harvard. Because my thoughts are so diffuse and disjoint, I didn't think I could pull it all together into a coherent talk. Instead,...

Fri, 19 Apr 2013 18:35:01 UTC

Friday Squid Blogging: Giant Squid Bike Rack

Posted By Bruce Schneier

It's the first on this page. Apparently this is the finished version of the design I blogged about last year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Apr 2013 11:47:21 UTC

NSA Cryptography Course

Posted By Bruce Schneier

This article, from some internal NSA publication, is about Lambros Callimahos, who taught an intensive 18-week course on cryptology for many years and died in 1977. Be sure to notice the great redacted photo of him and his students on page 17....

Thu, 18 Apr 2013 16:36:56 UTC

The Nemim.gen Trojan

Posted By Bruce Schneier

This clever piece of malware evades forensic examination by deleting its own components....

Tue, 16 Apr 2013 14:19:09 UTC

Initial Thoughts on the Boston Bombings

Posted By Bruce Schneier

I rewrote my "refuse to be terrorized" essay for the Atlantic. David Rothkopf (author of the great book Power, Inc.) wrote something similar, and so did John Cole. It's interesting to see how much more resonance this idea has today than it did a dozen years ago. If other people have written similar essays, please post links in the comments....

Tue, 16 Apr 2013 11:37:40 UTC

FBI and Cell Phone Surveillance

Posted By Bruce Schneier

We're learning a lot about how the FBI eavesdrops on cell phones from a recent court battle....

Mon, 15 Apr 2013 09:29:45 UTC

Google Glass Enables New Forms of Cheating

Posted By Bruce Schneier

It's mentioned here: Mr. Doerr said he had been wearing the glasses and uses them especially for taking pictures and looking up words while playing Scattergories with his family, though it is questionable whether that follows the game's rules. Questionable? Questionable? It's just like using a computer's dictionary while playing Scrabble, or a computer odds program while playing poker, or...

Fri, 12 Apr 2013 21:34:41 UTC

Friday Squid Blogging: Illegal Squid Fishing

Posted By Bruce Schneier

While we're on the subject of squid fishing in Argentina, the country is dealing with foreign boats illegally fishing for squid inside its territorial waters. So yet again, squid and security collide. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Apr 2013 15:50:14 UTC

Remotely Hijacking an Aircraft

Posted By Bruce Schneier

There is a lot of buzz on the Internet about a talk at the Hack In The Box conference by Hugo Teso, who claims he can hack in to remotely control an airplane's avionics. He even wrote an Android app to do it. I honestly can't tell how real this is, and how much of it is the unique configuration of...

Thu, 11 Apr 2013 11:42:43 UTC

Thieves Use Video Camera to Stake Out Properties

Posted By Bruce Schneier

If the police can use cameras, so can the burglars....

Wed, 10 Apr 2013 17:46:44 UTC

Security Externalities and DDOS Attacks

Posted By Bruce Schneier

Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited: The attackers' goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker's traffic-sending capacity, so that...

Wed, 10 Apr 2013 11:40:46 UTC

Last Battle of Midway Cryptanalyst

Posted By Bruce Schneier

The last cryptanalyst at the Battle of Midway, Rear Admiral Donald "Mac" Showers, USN-Ret, passed away 19 October 2012. His interment at Arlington National Cemetery at Arlington, Virginia, will be Monday, April 15, at 3:00. The family made this a public event to celebrate his life and contributions to the cryptologic community....

Tue, 09 Apr 2013 18:49:51 UTC

Nice Security Mindset Example

Posted By Bruce Schneier

A real-world one-way function: Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter. To decrypt the message Bob has...

Tue, 09 Apr 2013 11:05:25 UTC

Bitcoins in the Mainstream Media

Posted By Bruce Schneier

Interesting article from the New Yorker. I'm often asked what I think about bitcoins. I haven't analyzed the security, but what I have seen looks good. The real issues are economic and political, and I don't have the expertise to have an opinion on that. BTW, here's a recent criticism of BitCoins....

Mon, 08 Apr 2013 18:30:08 UTC

Elite Panic

Posted By Bruce Schneier

I hadn't heard of this term before, but it's an interesting one. The excerpt below is from an interview with Rebecca Solnit, author of A Paradise Built in Hell: The Extraordinary Communities That Arise in Disaster: The term "elite panic" was coined by Caron Chess and Lee Clarke of Rutgers. From the beginning of the field in the 1950s to...

Mon, 08 Apr 2013 11:34:49 UTC

Government Use of Hackers as an Object of Fear

Posted By Bruce Schneier

Interesting article about the perception of hackers in popular culture, and how the government uses the general fear of them to push for more power: But these more serious threats don't seem to loom as large as hackers in the minds of those who make the laws and regulations that shape the Internet. It is the hacker -- a sort...

Fri, 05 Apr 2013 21:08:43 UTC

Friday Squid Blogging: Nighttime Squid Fishing Seen from Space

Posted By Bruce Schneier

Page 18 of this thesis explains that squid fishing is done at night, and the lighting is so bright that it shows up in the satellite surveys of planetary lighting. This video shows the phenomenon off the coastline of Argentina. As usual, you can also use this squid post to talk about the security stories in the news that I haven't...

Fri, 05 Apr 2013 18:05:36 UTC

Apple's iMessage Encryption Seems to Be Pretty Good

Posted By Bruce Schneier

The U.S. Drug Enforcement Agency has complained (in a classified report, not publicly) that Apple's iMessage end-to-end encryption scheme can't be broken. On the one hand, I'm not surprised; end-to-end encryption of a messaging system is a fairly easy cryptographic problem, and it should be unbreakable. On the other hand, it's nice to have some confirmation that Apple is looking...

Fri, 05 Apr 2013 11:35:45 UTC

Skein Collision Competition

Posted By Bruce Schneier

Xkcd had a Skein collision competition. The contest is over -- Carnegie Mellon University won, with 384 (out of 1024) mismatched bits -- but it's explained here....

Thu, 04 Apr 2013 11:28:42 UTC

NSA Crossword Puzzles

Posted By Bruce Schneier

Two puzzles from a 1977 issue of Cryptolog....

Wed, 03 Apr 2013 12:29:39 UTC

IT for Oppression

Posted By Bruce Schneier

Whether it's Syria using Facebook to help identify and arrest dissidents or China using its "Great Firewall" to limit access to international news throughout the country, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, propaganda, and control. They're getting really good at it, and the IT industry is helping. We're helping by...

Tue, 02 Apr 2013 11:02:06 UTC

Narratives of Secrecy

Posted By Bruce Schneier

How people talked about the secrecy surrounding the Manhattan project....

Mon, 01 Apr 2013 17:38:25 UTC

Sixth Movie-Plot Threat Contest

Posted By Bruce Schneier

It's back, after a two-year hiatus. Terrorism is boring; cyberwar is in. Cyberwar, and its kin: cyber Pearl Harbor, cyber 9/11, cyber Armageddon. (Or make up your own: a cyber Black Plague, cyber Ragnarok, cyber comet-hits-the-earth.) This is how we get budget and power for militaries. This is how we convince people to give up their freedoms and liberties. This...

Mon, 01 Apr 2013 11:07:15 UTC

What I've Been Thinking About

Posted By Bruce Schneier

I'm starting to think about my next book, which will be about power and the Internet -- from the perspective of security. My objective will be to describe current trends, explain where those trends are leading us, and discuss alternatives for avoiding that outcome. Many of my recent essays have touched on various facets of this, although I'm still looking...

Fri, 29 Mar 2013 21:19:59 UTC

Friday Squid Blogging: Bomb Discovered in Squid at Market

Posted By Bruce Schneier

Really: An unexploded bomb was found inside a squid when the fish was slaughtered at a fish market in Guangdong province. Oddly enough, this doesn't seem to be the work of terrorists: The stall owner, who has been selling fish for 10 years, told the newspaper the 1-meter-long squid might have mistaken the bomb for food. Clearly there's much to...

Fri, 29 Mar 2013 17:25:11 UTC

The Dangers of Surveillance

Posted By Bruce Schneier

Interesting article, "The Dangers of Surveillance," by Neil M. Richards, Harvard Law Review, 2013. From the abstract: ....We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of "surveillance studies," I explain what those harms are and why they...

Fri, 29 Mar 2013 11:59:08 UTC

New RC4 Attack

Posted By Bruce Schneier

This is a really clever attack on the RC4 encryption algorithm as used in TLS. We have found a new attack against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent...
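
To make the "statistical flaws in the keystream" concrete, here is an added example (not code from the original post or from the AlFardan et al. paper): a plain RC4 implementation, a measurement of the best-known single-byte bias (the second keystream byte is 0 with probability about 2/256 rather than 1/256, due to Mantin and Shamir), and the broadcast-style recovery the attack builds on, in which the same plaintext byte encrypted under many keys leaks through the skewed ciphertext distribution. The 16-byte random keys, trial counts and seeds are this example's own choices; the real attack aggregates biases at all of the first 256 positions and needs far more sessions.

```python
# Added example: RC4 keystream bias and the plaintext recovery it enables.
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then the PRGA, returning keystream bytes."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream byte (Z2) is 0.

    A perfect stream cipher would give about 1/256; RC4 gives about 2/256.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if rc4_keystream(rng.randbytes(16), 2)[1] == 0:
            hits += 1
    return hits / trials


def recover_fixed_plaintext_byte(plaintext_byte: int, trials: int, seed: int = 2) -> int:
    """Broadcast attack at position 2: the same plaintext byte is encrypted under
    many independent keys. Because Z2 = 0 is twice as likely as any other value,
    the most frequent ciphertext byte equals the plaintext byte XOR 0."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(trials):
        counts[plaintext_byte ^ rc4_keystream(rng.randbytes(16), 2)[1]] += 1
    return max(range(256), key=counts.__getitem__)


if __name__ == "__main__":
    print("P[Z2 == 0] measured:", second_byte_zero_rate(20_000), "uniform would be", 1 / 256)
    print("recovered byte:", recover_fixed_plaintext_byte(ord("S"), 25_000))
```

The second measurement is the attack in miniature: a cookie or password byte that sits at the same offset in every TLS record is exactly the kind of fixed plaintext that this style of counting recovers, given enough sessions.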

Thu, 28 Mar 2013 13:36:49 UTC

Unwitting Drug Smugglers

Posted By Bruce Schneier

This is a story about a physicist who got taken in by an imaginary Internet girlfriend and ended up being arrested in Argentina for drug smuggling. Readers of this blog will see it coming, of course, but it's still a good read. I don't know whether the professor knew what he was doing -- it's pretty clear that the...

Wed, 27 Mar 2013 11:47:03 UTC

Security Awareness Training

Posted By Bruce Schneier

Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater...

Tue, 26 Mar 2013 19:15:35 UTC

The NSA's Cryptolog

Posted By Bruce Schneier

The NSA has published declassified versions of its Cryptolog newsletter. All the issues from Aug 1974 through Summer 1997 are on the web, although there are some pretty heavy redactions in places. (Here's a link to the documents on a non-government site, in case they disappear.) I haven't even begun to go through these yet. If you find anything good,...

Tue, 26 Mar 2013 11:38:14 UTC

Identifying People from Mobile Phone Location Data

Posted By Bruce Schneier

Turns out that it's pretty easy: Researchers at the Massachusetts Institute of Technology (MIT) and the Catholic University of Louvain studied 15 months' worth of anonymised mobile phone records for 1.5 million individuals. They found from the "mobility traces" - the evident paths of each mobile phone - that only four locations and times were enough to identify a particular...

Mon, 25 Mar 2013 11:28:13 UTC

Our Internet Surveillance State

Posted By Bruce Schneier

I'm going to start with three data points. One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks. Two: Hector Monsegur, one of the leaders of the LulzSec hacker movement,...

Fri, 22 Mar 2013 21:12:38 UTC

Friday Squid Blogging: Giant Squid Genetics

Posted By Bruce Schneier

Despite looking very different from each other and being distributed across the world's oceans, all giant squid are the same species. There's also not a lot of genetic diversity. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Mar 2013 20:46:55 UTC

Changes to the Blog

Posted By Bruce Schneier

I have made a few changes to my blog that I'd like to talk about. The first is the various buttons associated with each post: a Facebook Like button, a Retweet button, and so on. These buttons are ubiquitous on the Internet now. We publishers like them because it makes it easier for our readers to share our content. I...

Fri, 22 Mar 2013 12:10:57 UTC

FBI Secretly Spying on Cloud Computer Users

Posted By Bruce Schneier

Both Google and Microsoft have admitted it. Presumably every other major cloud service provider is getting these National Security Letters as well. If you've been following along, you know that a U.S. District Court recently ruled National Security Letters unconstitutional. Not that this changes anything yet....

Thu, 21 Mar 2013 18:17:25 UTC

Text Message Retention Policies

Posted By Bruce Schneier

The FBI wants cell phone carriers to store SMS messages for a long time, enabling them to conduct surveillance backwards in time. Nothing new there -- data retention laws are being debated in many countries around the world -- but this was something I did not know: Wireless providers' current SMS retention policies vary. An internal Justice Department document (PDF)...

Thu, 21 Mar 2013 12:02:28 UTC

When Technology Overtakes Security

Posted By Bruce Schneier

A core, not side, effect of technology is its ability to magnify power and multiply force -- for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems. The problem is that it's not balanced: Attackers generally benefit from new...

Wed, 20 Mar 2013 16:51:42 UTC

Lessons From the FBI's Insider Threat Program

Posted By Bruce Schneier

This article is worth reading. One bit: For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting...

Tue, 19 Mar 2013 18:34:57 UTC

FinSpy

Posted By Bruce Schneier

Twenty-five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens: The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States...

Tue, 19 Mar 2013 11:44:17 UTC

Gauss

Posted By Bruce Schneier

Nice summary article on the state-sponsored Gauss malware....

Mon, 18 Mar 2013 18:00:52 UTC

A 1962 Speculative Essay on Computers and Intelligence

Posted By Bruce Schneier

From the CIA archives: Orrin Clotworthy, "Some Far-out Thoughts on Computers," Studies in Intelligence v. 6 (1962)....

Mon, 18 Mar 2013 14:38:00 UTC

Prison Escape

Posted By Bruce Schneier

Audacious daytime prison escape by helicopter. The escapees have since been recaptured....

Fri, 15 Mar 2013 21:10:46 UTC

Friday Squid Blogging: WTF, Evolution?

Posted By Bruce Schneier

WTF, Evolution? is a great blog, and they finally mentioned squid....

Fri, 15 Mar 2013 19:01:01 UTC

xkcd on PGP

Posted By Bruce Schneier

How security interacts with users....

Fri, 15 Mar 2013 10:46:12 UTC

Stuxnet is Much Older than We Thought

Posted By Bruce Schneier

Symantec has found evidence of Stuxnet variants from way back in 2005. That's much older than the 2009 creation date we originally thought it had. More here and here. What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then....

Thu, 14 Mar 2013 17:19:08 UTC

On Secrecy

Posted By Bruce Schneier

Interesting law paper: "The Implausibility of Secrecy," by Mark Fenster. Abstract: Government secrecy frequently fails. Despite the executive branch's obsessive hoarding of certain kinds of documents and its constitutional authority to do so, recent high-profile events -- among them the WikiLeaks episode, the Obama administration's celebrated leak prosecutions, and the widespread disclosure by high-level officials of flattering confidential information to...

Thu, 14 Mar 2013 11:11:56 UTC

Nationalism on the Internet

Posted By Bruce Schneier

For technology that was supposed to ignore borders, bring the world closer together, and sidestep the influence of national governments, the Internet is fostering an awful lot of nationalism right now. We've started to see increased concern about the country of origin of IT products and services; U.S. companies are worried about hardware from China; European companies are worried about...

Wed, 13 Mar 2013 18:30:38 UTC

Security Theater on the Wells Fargo Website

Posted By Bruce Schneier

Click on the "Establishing secure connection" link at the top of this page. It's a Wells Fargo page that displays a progress bar with a bunch of security phrases -- "Establishing Secure Connection," "Sending credentials," "Building Secure Environment," and so on -- and closes after a few seconds. It's complete security theater; it doesn't actually do anything but make account...

Wed, 13 Mar 2013 12:24:27 UTC

Hacking Best-seller Lists

Posted By Bruce Schneier

It turns out that you can buy a position for your book on best-seller lists....

Tue, 12 Mar 2013 18:43:11 UTC

Cisco IP Phone Hack

Posted By Bruce Schneier

Nice work: All current Cisco IP phones, including the ones seen on desks in the White House and aboard Air Force One, have a vulnerability that allows hackers to take complete control of the devices....

Tue, 12 Mar 2013 11:45:35 UTC

"The Logic of Surveillance"

Posted By Bruce Schneier

Interesting essay: Surveillance is part of the system of control. "The more surveillance, the more control" is the majority belief amongst the ruling elites. Automated surveillance requires fewer "watchers", and since the watchers cannot watch all the surveillance, long term storage increases the ability to find some "crime" anyone is guilty of. [...] This is one of the biggest problems...

Mon, 11 Mar 2013 17:58:40 UTC

Dead Drop from the 1870s

Posted By Bruce Schneier

Hats: De Blowitz was staying at the Kaiserhof. Each day his confederate went there for lunch and dinner. The two never acknowledged one another, but they hung their hats on neighboring pegs. At the end of the meal the confederate departed with de Blowitz's hat, and de Blowitz innocently took the confederate's. The communications were hidden in the hat's lining....

Mon, 11 Mar 2013 11:12:21 UTC

Is Software Security a Waste of Money?

Posted By Bruce Schneier

I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn't important. He said: For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove...

Fri, 08 Mar 2013 22:06:27 UTC

Friday Squid Blogging: Squid/Whale Yin-Yang

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Mar 2013 18:08:07 UTC

Ross Anderson's Security Engineering Online

Posted By Bruce Schneier

The second edition of Ross Anderson's fantastic book, Security Engineering, is now free online. Required reading for any security engineer....

Fri, 08 Mar 2013 12:23:16 UTC

Oxford University Blocks Google Docs

Posted By Bruce Schneier

Google Docs is being used for phishing. Oxford University felt that it had to block the service because Google isn't responding to takedown requests quickly enough. Think about this in light of my essay on feudal security. Oxford University has to trust that Google will act in its best interest, and has no other option if it doesn't....

Thu, 07 Mar 2013 19:39:15 UTC

How the FBI Intercepts Cell Phone Data

Posted By Bruce Schneier

Good article on "Stingrays," which the FBI uses to monitor cell phone data. Basically, they trick the phone into joining a fake network. And, since cell phones inherently trust the network -- as opposed to computers which inherently do not trust the Internet -- it's easy to track people and collect data. There are lots of questions about whether or...

Thu, 07 Mar 2013 12:45:04 UTC

Browser Security

Posted By Bruce Schneier

Interesting discussion on browser security from Communications of the ACM. Also, an article on browser and web privacy from the same issue....

Wed, 06 Mar 2013 19:24:15 UTC

The NSA's Ragtime Surveillance Program and the Need for Leaks

Posted By Bruce Schneier

A new book reveals details about the NSA's Ragtime surveillance program: A book published earlier this month, "Deep State: Inside the Government Secrecy Industry," contains revelations about the NSA's snooping efforts, based on information gleaned from NSA sources. According to a detailed summary by Shane Harris at the Washingtonian yesterday, the book discloses that a codename for a controversial NSA...

Wed, 06 Mar 2013 12:50:07 UTC

Al Qaeda Document on Avoiding Drone Strikes

Posted By Bruce Schneier

Interesting: 3  Spreading the reflective pieces of glass on a car or on the roof of the building. 4  Placing a group of skilled snipers to hunt the drone, especially the reconnaissance ones because they fly low, about six kilometers or less. 5  Jamming of and confusing of electronic communication using the ordinary water-lifting dynamo fitted with...

Tue, 05 Mar 2013 19:58:04 UTC

Marketing at the RSA Conference

Posted By Bruce Schneier

Marcus Ranum has an interesting screed on "booth babes" in the RSA Conference exhibition hall: I'm not making a moral argument about sexism in our industry or the objectification of women. I could (and probably should) but it's easier to just point out the obvious: the only customers that will be impressed by anyone's ability to hire pretty models to...

Tue, 05 Mar 2013 12:28:50 UTC

Technologies of Surveillance

Posted By Bruce Schneier

It's a new day for the New York Police Department, with technology increasingly informing the way cops do their jobs. With innovation comes new possibilities but also new concerns. For one, the NYPD is testing a new type of security apparatus that uses terahertz radiation to detect guns under clothing from a distance. As Police Commissioner Ray Kelly explained to...

Mon, 04 Mar 2013 20:04:34 UTC

New Internet Porn Scam

Posted By Bruce Schneier

I hadn't heard of this one before. In New Zealand, people viewing adult websites -- it's unclear whether these are honeypot sites, or malware that notices the site being viewed -- get a pop-up message claiming it's from the NZ Police and demanding payment of an instant fine for viewing illegal pornography....

Mon, 04 Mar 2013 12:38:18 UTC

Getting Security Incentives Right

Posted By Bruce Schneier

One of the problems with motivating proper security behavior within an organization is that the incentives are all wrong. It doesn't matter how much management tells employees that security is important, employees know when it really isn't -- when getting the job done cheaply and on schedule is much more important. It seems to me that his co-workers understand the...

Fri, 01 Mar 2013 22:36:01 UTC

Friday Squid Blogging: Another Squid Cartoon.

Posted By Bruce Schneier

Another. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Mar 2013 20:11:07 UTC

Me on "Virtually Speaking"

Posted By Bruce Schneier

Last week I was on "Virtually Speaking."...

Fri, 01 Mar 2013 11:05:22 UTC

Phishing Has Gotten Very Good

Posted By Bruce Schneier

This isn't phishing; it's not even spear phishing. It's laser-guided precision phishing: One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. "The message had the subject line 'China and Climate Change' and was spoofed to appear as if it were from...

Thu, 28 Feb 2013 20:40:38 UTC

The Court of Public Opinion

Posted By Bruce Schneier

Recently, Elon Musk and the New York Times took to Twitter and the Internet to argue the data -- and their grievances -- over a failed road test and car review. Meanwhile, an Applebee's server is part of a Change.org petition to get her job back after posting a pastor's no-tip receipt comment online. And when he wasn't paid quickly...

Thu, 28 Feb 2013 12:35:53 UTC

Brazen Physical Thefts

Posted By Bruce Schneier

Three brazen robberies are in the news this week. The first was a theft at a small museum of gold nuggets worth $750,000: Police said the daring heist happened between daytime tours, during a 20-minute window. Museum employees said the thief used an ax to smash the acrylic window, and then left the ax behind. "He just grabbed it, threw...

Wed, 27 Feb 2013 19:26:01 UTC

Alan F. Westin Died

Posted By Bruce Schneier

Obituary here. His 1967 book, Privacy and Freedom, almost single-handedly created modern privacy law....

Wed, 27 Feb 2013 13:09:47 UTC

How Complex Systems Fail

Posted By Bruce Schneier

Good summary list. It's not directly about security, but it's all fundamentally about security. Any real-world security system is inherently complex. I wrote about this long ago in Beyond Fear....

Tue, 26 Feb 2013 19:38:35 UTC

Security Lessons from the Battle of Hoth

Posted By Bruce Schneier

Someone has analyzed the security mistakes in the Battle of Hoth, from the movie The Empire Strikes Back....

Tue, 26 Feb 2013 13:10:03 UTC

House Hearing: How Well Is the TSA Doing?

Posted By Bruce Schneier

I would have liked to participate in this hearing: Committee on Homeland Security, Subcommittee on Oversight and Management Efficiency: "Assessing DHS 10 Years Later: How Wisely is DHS Spending Taxpayer Dollars?" February 15, 2013....

Mon, 25 Feb 2013 19:49:53 UTC

Me at the RSA Conference

Posted By Bruce Schneier

I'll be speaking twice at the RSA Conference this year. I'm giving a solo talk Tuesday at 1:00, and participating in a debate about training Wednesday at noon. This is a short written preview of my solo talk, and this is an audio interview on the topic. Additionally: Akamai is giving away 1,500 copies of Liars and Outliers, and Zscaler...

Mon, 25 Feb 2013 11:52:51 UTC

Another Essay about Liars and Outliers

Posted By Bruce Schneier

The Montréal Review asked me to write an essay about my latest book. Not much that regular readers haven't seen before....

Fri, 22 Feb 2013 22:38:30 UTC

Friday Squid Blogging: Land Squids

Posted By Bruce Schneier

Funny. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Feb 2013 20:21:39 UTC

I Was on Inventing the Future

Posted By Bruce Schneier

I was a guest on Inventing the Future, for an episode on surveillance technology. The video is here....

Fri, 22 Feb 2013 17:12:01 UTC

Hacking the Papal Election

Posted By Bruce Schneier

As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote? The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The...

Fri, 22 Feb 2013 12:03:34 UTC

All Those Companies that Can't Afford Dedicated Security

Posted By Bruce Schneier

This is interesting: In the security practice, we have our own version of no-man's land, and that's midsize companies. Wendy Nather refers to these folks as being below the "Security Poverty Line." These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a...

Thu, 21 Feb 2013 18:54:28 UTC

More on Chinese Cyberattacks

Posted By Bruce Schneier

Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency. Hype aside, the Mandiant report on the hackers is very good, especially the part where the Chinese hackers outed themselves through poor opsec:...

Thu, 21 Feb 2013 13:24:45 UTC

Age Biases in Perceptions of Trust

Posted By Bruce Schneier

Interesting research (full article is behind a paywall): Abstract: Older adults are disproportionately vulnerable to fraud, and federal agencies have speculated that excessive trust explains their greater vulnerability. Two studies, one behavioral and one using neuroimaging methodology, identified age differences in trust and their neural underpinnings. Older and younger adults rated faces high in trust cues similarly, but older adults...

Wed, 20 Feb 2013 18:03:29 UTC

Cheating at Chess

Posted By Bruce Schneier

Good summary of cheating in tournament chess....

Wed, 20 Feb 2013 13:29:50 UTC

Fixing Soccer Matches

Posted By Bruce Schneier

How international soccer matches are fixed. Right now, Dan Tan's programmers are busy reverse-engineering the safeguards of online betting houses. About $3 billion is wagered on sports every day, most of it on soccer, most of it in Asia. That's a lot of noise on the big exchanges. We can exploit the fluctuations, rig the bets in a way that...

Tue, 19 Feb 2013 18:52:43 UTC

19th-Century Traffic Analysis

Posted By Bruce Schneier

There's a nice example of traffic analysis in the book No Name, by Wilkie Collins (1862). The attacker, Captain Wragge, needs to know whether a letter has been placed in the mail. He knows who it will have been addressed to if it has been mailed, and with that information, is able to convince the postmaster to tell him that...

Tue, 19 Feb 2013 12:11:29 UTC

Hacking Citation Counts

Posted By Bruce Schneier

Hacking citation counts using Google Scholar....

Mon, 18 Feb 2013 19:43:55 UTC

More State-Sponsored Hacking

Posted By Bruce Schneier

After the New York Times broke the story of what seemed to be a state-sponsored hack from China against the newspaper, the Register has stories of two similar attacks: one from Burma and another from China....

Mon, 18 Feb 2013 12:14:41 UTC

Automobile Data Surveillance and the Future of Black Boxes

Posted By Bruce Schneier

Tesla Motors gave one of its electric cars to John Broder, a very outspoken electric-car skeptic from the New York Times, for a test drive. After a negative review, Tesla revealed that it logged a dizzying amount of data from that test drive. The company then matched the reporter's claims against its logs and published a rebuttal. Broder rebutted the...

Fri, 15 Feb 2013 22:09:57 UTC

Friday Squid Blogging: More on Flying Squid

Posted By Bruce Schneier

Japanese squid researchers have confirmed flying squid can fly, and how they do it. (Note: I have written about flying squid before.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Feb 2013 18:52:24 UTC

Jacob Appelbaum's 29C3 Keynote Speech

Posted By Bruce Schneier

This speech from last December's 29C3 (29th Chaos Communication Congress) is worth listening to. He talks about what we can do in the face of oppressive power on the Internet. I'm not sure his answers are right, but am glad to hear someone talking about the real problems....

Fri, 15 Feb 2013 12:48:58 UTC

Guessing Smart Phone PINs by Monitoring the Accelerometer

Posted By Bruce Schneier

"Practicality of Accelerometer Side Channels on Smartphones," by Adam J. Aviv, Benjamin Sapp, Matt Blaze, and Jonathan M. Smith. Abstract: Modern smartphones are equipped with a plethora of sensors that enable a wide range of interactions, but some of these sensors can be employed as a side channel to surreptitiously learn about user input. In this paper, we show that...

Thu, 14 Feb 2013 17:42:59 UTC

Using the iWatch for Authentication

Posted By Bruce Schneier

Usability engineer Bruce Tognazzini talks about how an iWatch -- which seems to be either a mythical Apple product or one actually in development -- can make authentication easier. Passcodes. The watch can and should, for most of us, eliminate passcodes altogether on iPhones, and Macs and, if Apple's smart, PCs: As long as my watch is in range, let...

Thu, 14 Feb 2013 12:32:47 UTC

Anti-Cheating Security in Casinos

Posted By Bruce Schneier

Long article. With over a thousand cameras operating 24/7, the monitoring room creates tremendous amounts of data every day, most of which goes unseen. Six technicians watch about 40 monitors, but all the feeds are saved for later analysis. One day, as with OCR scanning, it might be possible to search all that data for suspicious activity. Say, a baccarat...

Wed, 13 Feb 2013 19:39:57 UTC

Real-World Prisoner's Dilemma from France

Posted By Bruce Schneier

This is a real story of a pair of identical twins who are suspected in a crime. There is CCTV and DNA evidence that could implicate either suspect. Detailed DNA testing that could resolve the guilty twin is prohibitively expensive. So both have been arrested in the hope that one may confess or implicate the other....

Wed, 13 Feb 2013 12:13:31 UTC

New al Qaeda Encryption Tool

Posted By Bruce Schneier

There's not a lot of information -- and quite a lot of hyperbole -- in this article: With the release of the Asrar Al Dardashah plugin, GIMF promised "secure correspondence" based on the Pidgin chat client, which supports multiple chat platforms, including Yahoo Messenger, Windows Live Messenger, AOL Instant Messenger, Google Talk and Jabber/XMPP. "The Asrar Al Dardashah plugin supports...

Tue, 12 Feb 2013 18:55:26 UTC

Massive Police Shootout in Cleveland Despite Lack of Criminals

Posted By Bruce Schneier

This is an amazing story. I urge you to read the whole thing, but here's the basics: A November car chase ended in a "full blown-out" firefight, with glass and bullets flying, according to Cleveland police officers who described for investigators the chaotic scene at the end of the deadly 25-minute pursuit. But when the smoky haze -- caused by...

Tue, 12 Feb 2013 12:53:19 UTC

Our New Regimes of Trust

Posted By Bruce Schneier

Society runs on trust. Over the millennia, we've developed a variety of mechanisms to induce trustworthy behavior in society. These range from a sense of guilt when we cheat, to societal disapproval when we lie, to laws that arrest fraudsters, to door locks and burglar alarms that keep thieves out of our homes. They're complicated and interrelated, but they tend...

Mon, 11 Feb 2013 19:25:40 UTC

Really Clever TLS Attack

Posted By Bruce Schneier

This is an extremely clever man-in-the-middle timing attack against AES that exploits the interaction between how the protocol implements AES in CBC mode for encryption, and HMAC-SHA1 for authentication. (And this is a really good plain-language description of it.)...

Mon, 11 Feb 2013 12:49:11 UTC

Platform Fragmentation as a Security Issue

Posted By Bruce Schneier

Interesting article about the difficulty Google has pushing security updates onto Android phones. The problem is that the phone manufacturer is in charge, and there are a lot of different phone manufacturers of varying ability and interest....

Sat, 09 Feb 2013 00:28:21 UTC

Friday Squid Blogging: Squid Recipe

Posted By Bruce Schneier

Chorizo-stuffed squid with potatoes, capers and sage. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Feb 2013 20:41:19 UTC

I Seem to Be a Physical Security Expert Now

Posted By Bruce Schneier

This seems so obviously written by someone who Googled me on the Internet, without any other knowledge of who I am or what I do....

Fri, 08 Feb 2013 17:20:44 UTC

Millennials and Cybersecurity

Posted By Bruce Schneier

This long report looks at risky online behavior among the Millennial generation, and finds that they respond positively to automatic reminders and prodding. No surprise, really....

Fri, 08 Feb 2013 12:16:47 UTC

Inauguration Security

Posted By Bruce Schneier

A first-person account of the security surrounding the second inauguration of President Obama....

Thu, 07 Feb 2013 18:51:41 UTC

Tide Becomes Drug Currency

Posted By Bruce Schneier

Basically, Tide detergent is a popular product with a very small profit margin. So small non-chain grocery and convenience stores are happy to buy it cheaply, no questions asked. This makes it easy to sell if you steal it. And drug dealers have started taking it as currency, large bottles being worth about $5....

Thu, 07 Feb 2013 12:35:01 UTC

Over $3M in Prizes to Hack Google Chrome

Posted By Bruce Schneier

Google's contest at the CanSecWest conference: Today we're announcing our third Pwnium competition, Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS. We'll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD: $110,000: browser or system level...

Wed, 06 Feb 2013 18:21:36 UTC

Why Is Quantum Computing So Hard?

Posted By Bruce Schneier

Blog post (and two papers) by Ross Anderson and Robert Brady. News article....

Wed, 06 Feb 2013 12:36:06 UTC

New York Times Hacked by China

Posted By Bruce Schneier

This was big news last week, and I spent a lot of time doing press interviews about it. But while it is an important story -- hacking a newspaper, looking for confidential sources is fundamentally different from hacking for financial gain -- it's not much different than GhostNet in 2009, Google's Chinese hacking stories from 2010 and 2011, or others....

Tue, 05 Feb 2013 18:16:05 UTC

Anti-Drone Clothing

Posted By Bruce Schneier

Clothing designed to thwart drones....

Tue, 05 Feb 2013 13:38:59 UTC

Proactive Defense Papers

Posted By Bruce Schneier

I just printed this out: "Proactive Defense for Evolving Cyber Threats," a Sandia Report by Richard Colbaugh and Kristin Glass. It's a collection of academic papers, and it looks interesting....

Mon, 04 Feb 2013 19:43:40 UTC

Security Seals

Posted By Bruce Schneier

I don't see a lot written about security seals, despite how common they are. This article is a very basic overview of the technologies....

Mon, 04 Feb 2013 12:39:35 UTC

Using Imagery to Avoid Censorship

Posted By Bruce Schneier

Interesting: "It's really hard for the government to censor things when they don't understand the made-up words or meaning behind the imagery," said Kevin Lee, COO of China Youthology, in conversation at the DLD conference in Munich on Monday. "The people there aren't even relying on text anymore. It's audio, visual, photos. All the young people are creating their own...

Fri, 01 Feb 2013 22:40:31 UTC

Friday Squid Blogging: Squid Anchor

Posted By Bruce Schneier

Webpage says that it's "the most effective lightweight, portable anchor around." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Feb 2013 18:36:44 UTC

Pentagon Staffs Up U.S. Cyber Command

Posted By Bruce Schneier

The Washington Post has the story: The move, requested by the head of the Defense Department's Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians. [...] The...

Fri, 01 Feb 2013 12:08:15 UTC

Jared Diamond on Common Risks

Posted By Bruce Schneier

Jared Diamond has an op-ed in the New York Times where he talks about how we overestimate rare risks and underestimate common ones. Nothing new here -- I and others have written about this sort of thing extensively -- but he says that this is a bias found more in developed countries than in primitive cultures. I first became aware...

Thu, 31 Jan 2013 19:28:59 UTC

The Eavesdropping System in Your Computer

Posted By Bruce Schneier

Dan Farmer has an interesting paper (long version here; short version here) discussing the Baseboard Management Controller on your computer's motherboard: The BMC is an embedded computer found on most server motherboards made in the last 10 or 15 years. Often running Linux, the BMC's CPU, memory, storage, and network run independently. It runs Intel's IPMI out-of-band systems management protocol...

Thu, 31 Jan 2013 13:09:16 UTC

Power and the Internet

Posted By Bruce Schneier

All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that's only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken...

Wed, 30 Jan 2013 18:20:08 UTC

"People, Process, and Technology"

Posted By Bruce Schneier

Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system. This blog...

Wed, 30 Jan 2013 12:51:55 UTC

Who Does Skype Let Spy?

Posted By Bruce Schneier

Lately I've been thinking a lot about power and the Internet, and what I call the feudal model of IT security that is becoming more and more pervasive. Basically, between cloud services and locked-down end-user devices, we have less control and visibility over our security -- and have no choice but to trust those in power to keep us safe....

Tue, 29 Jan 2013 19:06:14 UTC

Backdoors Built in to Barracuda Networks Equipment

Posted By Bruce Schneier

Don't we know enough not to do this anymore?...

Tue, 29 Jan 2013 12:32:58 UTC

Complexity and Security

Posted By Bruce Schneier

I have written about complexity and security for over a decade now (for example, this from 1999). Here are the results of a survey that confirms this: Results showed that more than half of the survey respondents from mid-sized (identified as 50-2500 employees) and enterprise organizations (identified as 2500+ employees) stated that complex policies ultimately led to a security breach, system...

Mon, 28 Jan 2013 19:25:17 UTC

Dangerous Security Theater: Scrambling Fighter Jets

Posted By Bruce Schneier

This story exemplifies everything that's wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities. Typical overreaction, but in this case -- as in several others over the past decade -- F-15 fighter jets were scrambled to...

Mon, 28 Jan 2013 12:07:31 UTC

Violence as a Contagious Disease

Posted By Bruce Schneier

This is fascinating: Intuitively we understand that people surrounded by violence are more likely to be violent themselves. This isn't just some nebulous phenomenon, argue Slutkin and his colleagues, but a dynamic that can be rigorously quantified and understood. According to their theory, exposure to violence is conceptually similar to exposure to, say, cholera or tuberculosis. Acts of violence are...

Fri, 25 Jan 2013 22:15:12 UTC

Friday Squid Blogging: Squirming Tentacle USB Drive

Posted By Bruce Schneier

Just the thing. (Note that this is different than the previous squid USB drive I blogged about.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Jan 2013 20:47:30 UTC

Video Interview with Me

Posted By Bruce Schneier

This interview was conducted last month, at an artificial intelligence conference at Oxford....

Fri, 25 Jan 2013 13:03:50 UTC

Shaming as Punishment for Repeated Drunk Driving

Posted By Bruce Schneier

Janesville, Wisconsin, has published information about repeated drunk driving offenders since 2010. The idea is that the public shame will reduce future incidents....

Thu, 24 Jan 2013 19:33:22 UTC

Identifying People from their Writing Style

Posted By Bruce Schneier

It's called stylometry, and it's based on the analysis of things like word choice, sentence structure, syntax and punctuation. In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample. Download tools here, including one to anonymize your writing style....

Thu, 24 Jan 2013 12:48:36 UTC

Identifying People from their DNA

Posted By Bruce Schneier

Interesting: The genetic data posted online seemed perfectly anonymous -- strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had...

Wed, 23 Jan 2013 18:55:43 UTC

The Security of the Mega File-Sharing Service

Posted By Bruce Schneier

Ever since the launch of Kim Dotcom's file-sharing service, I have been asked about the unorthodox encryption and security system. I have not reviewed it, and don't have an opinion. All I know is what I read: this, this, this, this, and this. Please add other links in the comments....

Wed, 23 Jan 2013 12:14:37 UTC

Commenting on Aaron Swartz's Death

Posted By Bruce Schneier

There has been an enormous amount written about the suicide of Aaron Swartz. This is primarily a collection of links, starting with those that use his death to talk about the broader issues at play: Orin Kerr, Larry Lessig, Jennifer Granick, Glenn Greenwald, Henry Farrell, danah boyd, Cory Doctorow, James Fallows, Brewster Kahle, Carl Malamud, and Mark Bernstein. Here are...

Tue, 22 Jan 2013 18:04:33 UTC

Google's Authentication Research

Posted By Bruce Schneier

Google is working on non-password authentication techniques. But for Google's password-liberation plan to really take off, they're going to need other websites to play ball. "Others have tried similar approaches but achieved little success in the consumer world," they write. "Although we recognize that our initiative will likewise remain speculative until we've proven large scale acceptance, we're eager to test...

Tue, 22 Jan 2013 11:23:44 UTC

Thinking About Obscurity

Posted By Bruce Schneier

This essay is worth reading: Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn't mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent. Online, obscurity is...

Mon, 21 Jan 2013 12:38:47 UTC

TSA Removing Rapiscan Full-Body Scanners from U.S. Airports

Posted By Bruce Schneier

This is big news: The U.S. Transportation Security Administration will remove airport body scanners that privacy advocates likened to strip searches after OSI Systems Inc. (OSIS) couldn't write software to make passenger images less revealing. This doesn't mean the end of full-body scanning. There are two categories of these devices: backscatter X-ray and millimeter wave. The government said Friday it...

Fri, 18 Jan 2013 21:31:17 UTC

Friday Squid Blogging: The Search for the Colossal Squid

Posted By Bruce Schneier

Now that videographers have bagged a giant squid, the search turns to the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 17 Jan 2013 15:50:13 UTC

Man-in-the-Middle Attacks Against Browser Encryption

Posted By Bruce Schneier

Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions. The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections -- including social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages. The...

Thu, 17 Jan 2013 13:39:07 UTC

Essay on FBI-Mandated Backdoors

Posted By Bruce Schneier

Good essay by Matt Blaze and Susan Landau....

Wed, 16 Jan 2013 12:25:47 UTC

Cheating at Chess

Posted By Bruce Schneier

There's a fascinating story about a probable tournament chess cheat. No one knows how he does it; there are only the facts that 1) historically he's not nearly as good as his recent record, and 2) his moves correlate almost perfectly with one of the best computer chess programs. The general question is how valid statistical evidence is when there is no...

Tue, 15 Jan 2013 12:10:50 UTC

Lexical Warfare

Posted By Bruce Schneier

This essay, which uses the suicide of Aaron Swartz as a jumping off point for how the term "hactivist" has been manipulated by various powers, has this to say about "lexical warfare": I believe the debate itself is far broader than the specifics of this unhappy case, for if there was prosecutorial overreach it raises the question of whether we...

Mon, 14 Jan 2013 19:27:28 UTC

Anti-Surveillance Clothing

Posted By Bruce Schneier

It's both an art project and a practical clothing line. ...Harvey's line of "Stealth Wear" clothing includes an "anti-drone hoodie" that uses metalized material designed to counter thermal imaging used by drones to spot people on the ground. He's also created a cellphone pouch made of a special "signal attenuating fabric." The pocket blocks your phone signal so that it...

Mon, 14 Jan 2013 12:54:58 UTC

The Origins of War

Posted By Bruce Schneier

Philosophy professor David Livingstone Smith on the origins of war....

Fri, 11 Jan 2013 21:59:07 UTC

Friday Squid Blogging: Giant Squid Video

Posted By Bruce Schneier

Last week, I blogged about an upcoming Discovery Channel program with actual video footage of a live giant squid. ABC News has a tantalizingly short sneak peek. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Jan 2013 14:10:17 UTC

Experimental Results: Liars and Outliers Trust Offer

Posted By Bruce Schneier

Last August, I offered to sell Liars and Outliers for $11 in exchange for a book review. This was much less than the $30 list price; less even than the $16 Amazon price. For readers outside the U.S., where books can be very expensive, it was a great price. I sold 800 books from this offer -- much more than...

Thu, 10 Jan 2013 12:49:12 UTC

The Politics and Philosophy of National Security

Posted By Bruce Schneier

This essay explains why we're all living in failed Hobbesian states: What do these three implications -- states have a great deal of freedom to determine what threatens a people and how to respond to those threats, and in making those determinations, they are influenced by the interests and ideologies of their primary constituencies; states have strong incentives and have...

Wed, 09 Jan 2013 12:44:18 UTC

Denial-of-Service Attack Against Facebook

Posted By Bruce Schneier

Just claim the person is dead. All you need to do is fake an online obituary....

Tue, 08 Jan 2013 19:36:53 UTC

Cat Smuggler

Posted By Bruce Schneier

Not a cat burglar, a cat smuggler. Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body. Another article, with video. A prison spokesperson was quoted by...

Tue, 08 Jan 2013 12:28:14 UTC

DHS Gets to Spy on Everyone

Posted By Bruce Schneier

This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name: The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure...

Mon, 07 Jan 2013 12:31:33 UTC

Details of an Internet Scam

Posted By Bruce Schneier

Interesting details of an Amazon Marketplace scam. Worth reading. Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or...

Fri, 04 Jan 2013 21:36:32 UTC

Friday Squid Blogging: Giant Squid Finally Captured on Video

Posted By Bruce Schneier

We'll see it later this month. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Jan 2013 13:48:22 UTC

What Facebook Gives the Police

Posted By Bruce Schneier

This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public....

Thu, 03 Jan 2013 12:03:48 UTC

Classifying a Shape

Posted By Bruce Schneier

This is a great essay: Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don't have to use spheres -- cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets -- but...

Wed, 02 Jan 2013 14:44:41 UTC

Apollo Robbins, Pickpocket

Posted By Bruce Schneier

Fascinating story: "Come on," Jillette said. "Steal something from me." Again, Robbins begged off, but he offered to do a trick instead. He instructed Jillette to place a ring that he was wearing on a piece of paper and trace its outline with a pen. By now, a small crowd had gathered. Jillette removed his ring, put it down on...

Mon, 31 Dec 2012 12:44:16 UTC

Terms of Service as a Security Threat

Posted By Bruce Schneier

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general. As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our...

Fri, 28 Dec 2012 21:16:09 UTC

Friday Squid Blogging: William Gilly, Squid Researcher

Posted By Bruce Schneier

Good article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Dec 2012 18:34:37 UTC

I Seem to Be a Verb

Posted By Bruce Schneier

From "The Insider's TSA Dictionary": Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: "A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn't it be more dangerous if I were to make my scissors into two blades, or to go...

Fri, 28 Dec 2012 12:37:49 UTC

Becoming a Police Informant in Exchange for a Lighter Sentence

Posted By Bruce Schneier

Fascinating article. Snitching has become so commonplace that in the past five years at least 48,895 federal convicts -- one of every eight -- had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences. How...

Thu, 27 Dec 2012 19:02:46 UTC

Breaking Hard-Disk Encryption

Posted By Bruce Schneier

The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it's only $300. How does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes...

Thu, 27 Dec 2012 12:21:53 UTC

Public Shaming as a Security Measure

Posted By Bruce Schneier

In Liars and Outliers, I talk a lot about the more social forms of security. One of them is reputational. This post is about that squishy sociological security measure: public shaming as a way to punish bigotry (and, by extension, to reduce the incidence of bigotry). It's a pretty rambling post, first listing some of the public shaming sites, then...

Wed, 26 Dec 2012 17:50:21 UTC

Cryptography Engineering Available as an eBook

Posted By Bruce Schneier

Finally, Cryptography Engineering is available as an ebook. Even better, it's today's deal of the day at O'Reilly: $27.50 (50% off) and no copy protection. (The discount won't show until you add the book to your cart.)...

Wed, 26 Dec 2012 12:05:50 UTC

Hackers Use Backdoor to Break System

Posted By Bruce Schneier

Industrial control system comes with a backdoor: Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. "[Th]e published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login," said the memo. The security of this...

Mon, 24 Dec 2012 18:59:13 UTC

Peruvian Spider Species Creates Decoys

Posted By Bruce Schneier

Cyclosa spiders create decoys to fool predators....

Mon, 24 Dec 2012 12:31:48 UTC

Phishing via Twitter

Posted By Bruce Schneier

Interesting firsthand phishing story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a...

Fri, 21 Dec 2012 22:58:14 UTC

Friday Squid Blogging: Laughing Squid

Posted By Bruce Schneier

The small San Francisco film and video company is celebrating its 17th anniversary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Dec 2012 18:12:11 UTC

This Week's Overreactions

Posted By Bruce Schneier

Schools go into lockdown over a thermometer, a car backfiring, a bank robbery a few blocks away, a student alone in a gym, a neighbor on the street, and some vague unfounded rumors. And one high-school kid was arrested for drawing pictures of guns. Everywhere else, post-traumatic stupidity syndrome. (It's not a new phrase -- Google shows hits back to...

Fri, 21 Dec 2012 12:20:05 UTC

Amazon Replacement-Order Scam

Posted By Bruce Schneier

Clever: Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon....

Thu, 20 Dec 2012 12:32:21 UTC

China Now Blocking Encryption

Posted By Bruce Schneier

The "Great Firewall of China" is now able to detect and block encryption: A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the...

Wed, 19 Dec 2012 12:47:27 UTC

Information-Age Law Enforcement Techniques

Posted By Bruce Schneier

This is an interesting blog post: Buried inside a recent United Nations Office on Drugs and Crime report titled Use of Internet for Terrorist Purposes one can carve out details and examples of law enforcement electronic surveillance techniques that are normally kept secret. [...] Point 280: International members of the guerilla group Revolutionary Armed Forces of Colombia (FARC) communicated with...

Tue, 18 Dec 2012 12:38:47 UTC

Nasty Samsung Phone Exploit

Posted By Bruce Schneier

There's a new exploit against Samsung Galaxy phones that allows a rogue app access to all memory. A hacker could copy all of your data, erase all of your data, and basically brick your phone. I haven't found an official Samsung response, but there is a quick fix....

Mon, 17 Dec 2012 18:39:05 UTC

Possible Decryption of World War II Pigeon Message

Posted By Bruce Schneier

A Canadian claims that the message is based on a WWI codebook. A spokesman from GCHQ remains dubious, but says they'll be happy to look at the proposed solution....

Fri, 14 Dec 2012 22:44:32 UTC

Friday Squid Blogging: Giant PVC Squid

Posted By Bruce Schneier

Neat art project. Another link. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Dec 2012 18:24:13 UTC

Book Review: Against Security

Posted By Bruce Schneier

Against Security: How We Go Wrong at Airports, Subways, and Other Sites of Ambiguous Danger, by Harvey Molotch, Princeton University Press, 278 pages, $35 Security is both a feeling and a reality, and the two are different things. People can feel secure when they're actually not, and they can be secure even when they believe otherwise. This discord explains much...

Fri, 14 Dec 2012 13:28:14 UTC

The History of Security Economics

Posted By Bruce Schneier

Ross Anderson recalls the history of security economics (presentation and paper)....

Thu, 13 Dec 2012 18:33:14 UTC

The Internet in North Korea

Posted By Bruce Schneier

How Internet censorship works in North Korea....

Thu, 13 Dec 2012 12:19:23 UTC

QR Code Scams

Posted By Bruce Schneier

There's a rise in QR codes that point to fraudulent sites. One of the warning signs seems to be a sticker with the code, rather than a code embedded in an advertising poster. This brings up another question: does anyone actually use these things?...

Wed, 12 Dec 2012 18:59:30 UTC

Detecting Edited Audio

Posted By Bruce Schneier

Interesting development in forensic analysis: Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording. Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging...

Wed, 12 Dec 2012 12:06:26 UTC

Drone Flights Over the US

Posted By Bruce Schneier

The EFF has been prying data out of the government and analyzing it....

Tue, 11 Dec 2012 19:03:22 UTC

The National Cyber Security Framework Manual

Posted By Bruce Schneier

This book is available as a free pdf download: The National Cyber Security Framework Manual provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government -- political, strategic, operational and tactical/technical -- each have their own perspectives...

Tue, 11 Dec 2012 12:08:25 UTC

Dictators Shutting Down the Internet

Posted By Bruce Schneier

Excellent article: "How to Shut Down Internets." First, he describes what just happened in Syria. Then: Egypt turned off the internet by using the Border Gateway Protocol trick, and also by switching off DNS. This has a similar effect to throwing bleach over a map. The location of every street and house in the country is blotted out. All the...

Mon, 10 Dec 2012 19:04:05 UTC

Bypassing Two-Factor Authentication

Posted By Bruce Schneier

Yet another way two-factor authentication has been bypassed: For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that...

Mon, 10 Dec 2012 11:56:12 UTC

Buy Your Own ATM Skimmer for $3000

Posted By Bruce Schneier

I have no idea if this is real. If I had to guess, I would say no....

Fri, 07 Dec 2012 22:04:33 UTC

Squids on the Economist Cover

Posted By Bruce Schneier

Four squids on the cover of this week's Economist represent the four massive (and intrusive) data-driven Internet giants: Google, Facebook, Apple, and Amazon. Interestingly, these are the same four companies I've been listing as the new corporate threat to the Internet. The first of three pillars propping up this outside threat are big data collectors, which in addition to Apple...

Thu, 06 Dec 2012 16:59:03 UTC

Comedy and Cryptography

Posted By Bruce Schneier

Not the sort of pairing I normally think of, but: Robin Ince and Brian Cox are joined on stage by comedian Dave Gorman, author and Enigma Machine owner Simon Singh and Bletchley Park enthusiast Dr Sue Black as they discuss secret science, code-breaking and the extraordinary achievements of the team working at Bletchley during WW II. Audio here....

Wed, 05 Dec 2012 12:01:00 UTC

Roger Williams' Cipher Cracked

Posted By Bruce Schneier

Another historical cipher, this one from the 1600s, has been cracked: Senior math major Lucas Mason-Brown, who has done the majority of the decoding, said his first instinct was to develop a statistical tool. The 21-year-old from Belmont, Mass., used frequency analysis, which looks at the frequency of letters or groups of letters in a text, but initially didn't get...

Mon, 03 Dec 2012 13:24:27 UTC

Feudal Security

Posted By Bruce Schneier

It's a feudal world out there. Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft...

Fri, 30 Nov 2012 20:18:00 UTC

Friday Squid Blogging: Possible Squid Eyeball Found in Florida

Posted By Bruce Schneier

It's the size of a softball. No sign of the squid it came from. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 30 Nov 2012 11:23:15 UTC

Hacking by the Syrian Government

Posted By Bruce Schneier

Good article on how the Syrian government hacked into the computers of dissidents: The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the Arab Spring was reaching a crescendo, the government in Damascus suddenly reversed a long-standing ban on websites such as Facebook, Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd...

Thu, 29 Nov 2012 22:36:25 UTC

Advances in Attacking ATMs

Posted By Bruce Schneier

Cash traps and card traps are the new thing: [Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer's card from being ejected from the ATM when the transaction is completed. "Spring traps are still being widely used," EAST wrote in its most recent European Fraud Update. "Once the...

Wed, 28 Nov 2012 19:30:35 UTC

James Bond Movie-Plot Threats

Posted By Bruce Schneier

Amusing post on the plausibility of the evil plans from the various movies....

Wed, 28 Nov 2012 11:55:47 UTC

The Psychology of IT Security Trade-offs

Posted By Bruce Schneier

Good article. I agree with the conclusion that the solution isn't to convince people to make better choices, but to change the IT architecture so that it's easier to make better choices....

Tue, 27 Nov 2012 18:12:19 UTC

Classified Information Confetti

Posted By Bruce Schneier

Some of the confetti at the Macy's Thanksgiving Day Parade in New York consisted of confidential documents from the Nassau County Police Department, shredded sideways....

Tue, 27 Nov 2012 12:39:05 UTC

Hackback

Posted By Bruce Schneier

Stewart Baker, Orin Kerr, and Eugene Volokh on the legality of hackback....

Mon, 26 Nov 2012 15:48:10 UTC

Liars and Outliers Ebook 50% Off and DRM-Free

Posted By Bruce Schneier

Today only, O'Reilly is offering 50% off all its ebooks, including Liars and Outliers. This is probably the cheapest you'll find a DRM-free copy of the book....

Mon, 26 Nov 2012 15:35:19 UTC

Homeland Security Essay Contest

Posted By Bruce Schneier

The Naval Postgraduate School's Center for Homeland Defense and Security is running its sixth annual essay competition. There are cash prizes. (Info on previous years here.)...

Fri, 23 Nov 2012 22:50:52 UTC

Friday Squid Blogging: Another Squid Comic

Posted By Bruce Schneier

Another squid comic. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 Nov 2012 12:18:19 UTC

Preventing Catastrophic Threats

Posted By Bruce Schneier

"Recommendations to Prevent Catastrophic Threats." Federation of American Scientists, 9 November 2012. It's twelve specific sets of recommendations for twelve specific threats. See also this....

Wed, 21 Nov 2012 20:06:29 UTC

Cell Phone Surveillance

Posted By Bruce Schneier

Good article on the different ways the police can eavesdrop on cell phone calls....

Wed, 21 Nov 2012 12:34:40 UTC

Decrypting a Secret Society's Documents from the 1740s

Posted By Bruce Schneier

Great story, both the cryptanalysis process and the Oculists....

Tue, 20 Nov 2012 18:53:47 UTC

Anonymous Claims it Sabotaged Rove Election Hacking

Posted By Bruce Schneier

Can anyone make heads or tails of this story? (More links.) For my part, I'd like a little -- you know -- evidence. Remember that Ohio was not the deciding state in the election. Neither was Florida or Virginia. It was Colorado. So even if there was this magic election-stealing software running in Ohio, it wouldn't have made any difference....

Mon, 19 Nov 2012 18:40:03 UTC

E-Mail Security in the Wake of Petraeus

Posted By Bruce Schneier

I've been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with: The FBI obliged, apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender's anonymous Google Mail account to others accessed from the same computers, accounts that belonged to...

Mon, 19 Nov 2012 11:41:01 UTC

Security Theater in American Diplomatic Missions

Posted By Bruce Schneier

I noticed this in an article about how increased security and a general risk aversion is harming US diplomatic missions: Barbara Bodine, who was the U.S. ambassador to Yemen during the Qaeda bombing of the U.S.S. Cole in 2000, told me she believes that much of the security American diplomats are forced to travel with is counterproductive. "There's this idea...

Fri, 16 Nov 2012 22:30:44 UTC

Friday Squid Blogging: Vampire Squid

Posted By Bruce Schneier

Vampire squid eats marine wastes (paper and video). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Nov 2012 18:11:27 UTC

Jamming 4G Cell Networks

Posted By Bruce Schneier

It's easy....

Fri, 16 Nov 2012 12:13:03 UTC

Stealing VM Keys from the Hardware Cache

Posted By Bruce Schneier

Research into one VM stealing crypto keys from another VM running on the same hardware. ABSTRACT: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized...

Thu, 15 Nov 2012 12:45:24 UTC

The Terrorist Risk of Food Trucks

Posted By Bruce Schneier

This is idiotic: Public Intelligence recently posted a Powerpoint presentation from the NYC fire department (FDNY) discussing the unique safety issues mobile food trucks present. Along with some actual concerns (many food trucks use propane and/or gasoline-powered generators to cook; some *gasp* aren't properly licensed food vendors), the presenter decided to toss in some DHS speculation on yet another way...

Wed, 14 Nov 2012 18:28:08 UTC

Webmail as Dead Drop

Posted By Bruce Schneier

I noticed this amongst the details of the Petraeus scandal: Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic, one of the law enforcement officials said. Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder...

Wed, 14 Nov 2012 11:57:07 UTC

Keys to the Crown Jewels Stolen?

Posted By Bruce Schneier

At least, that's the story: The locks at the Tower of London, home to the Crown Jewels, had to be changed after a burglar broke in and stole keys. The intruder scaled gates and took the keys from a sentry post. Guards spotted him but couldn't give chase as they are not allowed to leave their posts. But the story...

Tue, 13 Nov 2012 12:15:35 UTC

Free Online Cryptography Course

Posted By Bruce Schneier

Dan Boneh of Stanford University is offering a free online cryptography course. The course runs for six weeks, and has five to seven hours of coursework per week. It just started last week....

Mon, 12 Nov 2012 19:03:48 UTC

Fairy Wren Passwords

Posted By Bruce Schneier

Mother fairy wrens teach their children passwords while they're still in their eggs to tell them from cuckoo impostors: She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the...

Mon, 12 Nov 2012 11:47:17 UTC

Encryption in Cloud Computing

Posted By Bruce Schneier

This article makes the important argument that encryption -- where the user and not the cloud provider holds the keys -- is critical to protect cloud data. The problem is, it upsets cloud providers' business models: In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider's...

Fri, 09 Nov 2012 22:16:27 UTC

Friday Squid Blogging: Squid Ink as a Condiment

Posted By Bruce Schneier

Burger King introduces a black burger with ketchup that includes squid ink. Only in Japan, of course....

Fri, 09 Nov 2012 19:32:39 UTC

How To Tell if Your Hotel Guest Is a Terrorist

Posted By Bruce Schneier

From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist. I myself have done several of these. More generally, this is another example of why all the "see something say something" campaigns fail: "If you ask amateurs to act as front-line security personnel, you shouldn't be...

Fri, 09 Nov 2012 12:41:39 UTC

How Terrorist Groups Disband

Posted By Bruce Schneier

Interesting research from RAND: Abstract: How do terrorist groups end? The evidence since 1968 indicates that terrorist groups rarely cease to exist as a result of winning or losing a military campaign. Rather, most groups end because of operations carried out by local police or intelligence agencies or because they join the political process. This suggests that the United States...

Thu, 08 Nov 2012 19:24:59 UTC

Gary McGraw on National Cybersecurity

Posted By Bruce Schneier

Good essay, making the point that cyberattack and counterattack aren't very useful -- actual cyberdefense is what's wanted. Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an...

Thu, 08 Nov 2012 12:57:17 UTC

Micromorts

Posted By Bruce Schneier

Here's a great concept: a micromort: Shopping for coffee you would not ask for 0.00025 tons (unless you were naturally irritating), you would ask for 250 grams. In the same way, talking about a 1/125,000 or 0.000008 risk of death associated with a hang-gliding flight is rather awkward. With that in mind, Howard coined the term "microprobability" (μp) to refer...

Wed, 07 Nov 2012 19:39:08 UTC

New SSL Vulnerability

Posted By Bruce Schneier

It's hard for me to get too worked up about this vulnerability: Many popular applications, HTTP(S) and WebSocket transport libraries, and SOAP and REST Web-services middleware use SSL/TLS libraries incorrectly, breaking or disabling certificate validation. Their SSL and TLS connections are not authenticated, thus they -- and any software using them -- are completely insecure against a man-in-the-middle attacker. Great...

Wed, 07 Nov 2012 12:16:10 UTC

Regulation as a Prisoner's Dilemma

Posted By Bruce Schneier

This is the sort of thing I wrote about in my latest book. The Prisoner's Dilemma as outlined above can be seen in action in two variants within regulatory activities, and offers a clear insight into why those involved in regulation act as they do. The first relationship is that between the various people and organisations being regulated -- banks,...

Tue, 06 Nov 2012 18:17:00 UTC

Three-Rotor Enigma Machine Up for Auction

Posted By Bruce Schneier

Expensive, but it's in complete working order. They're also auctioning off a complete set of rotors; those are even rarer than the machines -- which are often missing their rotors....

Tue, 06 Nov 2012 16:13:43 UTC

Wanted: RSA Exhibitor for Book Signing

Posted By Bruce Schneier

Is anyone out there interested in buying a pile of copies of my Liars and Outliers for a giveaway and book signing at the RSA Conference? I can guarantee enormous crowds at your booth for as long as there are books to give away. This could also work for an after-hours event. Please let me know. I can get you...

Tue, 06 Nov 2012 12:40:09 UTC

New Vulnerability Against Industrial Control Systems

Posted By Bruce Schneier

It doesn't look good. These are often called SCADA vulnerabilities, although it isn't SCADA that's involved here. They're against programmable logic controllers (PLCs): the same industrial controllers that Stuxnet attacked....

Mon, 05 Nov 2012 20:54:47 UTC

New Jersey Allows Voting by E-Mail

Posted By Bruce Schneier

I'm not filled with confidence, but this seems like the best of a bunch of bad alternatives....

Mon, 05 Nov 2012 19:26:20 UTC

New WWII Cryptanalysis

Posted By Bruce Schneier

I'd sure like to know more about this: Government code-breakers are working on deciphering a message that has remained a secret for 70 years. It was found on the remains of a carrier pigeon that was discovered in a chimney, in Surrey, having been there for decades. It is thought the contents of the note, once decoded, could provide fresh...

Mon, 05 Nov 2012 12:19:55 UTC

On the Ineffectiveness of Airport Security Pat-Downs

Posted By Bruce Schneier

I've written about it before, but not half as well as this story: "That search was absolutely useless." I said. "And just shows how much of all of this is security theatre. You guys are just feeling up passengers for no good effect, which means that you get all the downsides of a search -- such as annoyed travellers who...

Fri, 02 Nov 2012 11:37:14 UTC

Loopholes

Posted By Bruce Schneier

Interesting This American Life show on loopholes. The first part is about getting around the Church's ban against suicide. The second part is about an interesting insurance scheme....

Fri, 02 Nov 2012 11:30:07 UTC

Friday Squid Blogging: Squid Costume

Posted By Bruce Schneier

This is great....

Thu, 01 Nov 2012 11:34:11 UTC

Peter Neumann Profile

Posted By Bruce Schneier

Really nice profile in the New York Times. It includes a discussion of the Clean Slate program: Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently? The program includes two separate but related efforts: Crash,...

Tue, 30 Oct 2012 17:57:30 UTC

Doping in Professional Sports

Posted By Bruce Schneier

I updated a 2006 essay of mine on the security issues around sports doping....

Tue, 30 Oct 2012 14:24:13 UTC

Rap News on Internet Surveillance

Posted By Bruce Schneier

Wow....

Tue, 30 Oct 2012 11:49:06 UTC

Dan Ariely on Dishonesty

Posted By Bruce Schneier

Good talk, and I've always liked these animators....

Mon, 29 Oct 2012 22:24:43 UTC

Detecting Fake Hurricane Photographs

Posted By Bruce Schneier

A short tutorial here. Actually, it's good advice even if there weren't a hurricane....

Mon, 29 Oct 2012 18:53:37 UTC

Protecting (and Collecting) the DNA of World Leaders

Posted By Bruce Schneier

There's a lot of hype and hyperbole in this story, but here's the interesting bit: According to Ronald Kessler, the author of the 2009 book In the President's Secret Service, Navy stewards gather bedsheets, drinking glasses, and other objects the president has touched -- they are later sanitized or destroyed -- in an effort to keep would-be malefactors from obtaining his genetic material....

Mon, 29 Oct 2012 11:36:19 UTC

Sony Playstation 3 Master Key Leaked

Posted By Bruce Schneier

Oops....

Fri, 26 Oct 2012 21:26:20 UTC

Friday Squid Blogging: Squid from the Power Ranger Universe

Posted By Bruce Schneier

Ika Origami....

Fri, 26 Oct 2012 11:46:52 UTC

Hacking TSA PreCheck

Posted By Bruce Schneier

I have a hard time getting worked up about this story: I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps....

Thu, 25 Oct 2012 11:27:58 UTC

The Risks of Trusting Experts

Posted By Bruce Schneier

I'm not sure what to think about this story: Six Italian scientists and an ex-government official have been sentenced to six years in prison over the 2009 deadly earthquake in L'Aquila. A regional court found them guilty of multiple manslaughter. Prosecutors said the defendants gave a falsely reassuring statement before the quake, while the defence maintained there was no way...

Wed, 24 Oct 2012 18:27:15 UTC

Risks of Data Portability

Posted By Bruce Schneier

Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general. ...Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person's data. Previous access requests by individuals were...

Wed, 24 Oct 2012 10:57:41 UTC

Weaponizing Office Supplies

Posted By Bruce Schneier

Now this is interesting....

Mon, 22 Oct 2012 12:18:53 UTC

Camera Jammer that Protects Licence Plates

Posted By Bruce Schneier

noPhoto reacts to a camera flash, and then jams the image with a bright light. The website makes the point that this is legal, but that can't last....

Fri, 19 Oct 2012 21:54:20 UTC

Friday Squid Blogging: Squid Insurance

Posted By Bruce Schneier

This was once a real insurance product. Squid Insurance Marketing was the low-end offering at Astonish, complete with the tagline "Nothing Kills a Squid!" As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Oct 2012 12:45:59 UTC

Stoking Cyber Fears

Posted By Bruce Schneier

A lot of the debate around President Obama's cybersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general. It's difficult to have any serious policy discussion amongst the fear mongering....

Thu, 18 Oct 2012 11:11:51 UTC

Analysis of How Bitcoin Is Actually Used

Posted By Bruce Schneier

"Quantitative Analysis of the Full Bitcoin Transaction Graph," by Dorit Ron and Adi Shamir: Abstract. The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph....

Wed, 17 Oct 2012 11:23:52 UTC

Genetic Privacy

Posted By Bruce Schneier

New report from the Presidential Commission for the Study of Bioethical Issues. It's called "Privacy and Progress in Whole Genome Sequencing." The Commission described the rapid advances underway in the field of genome sequencing, but also noted growing concerns about privacy and security. The report lists twelve recommendations to improve current practices and to help safeguard privacy and security, including...

Tue, 16 Oct 2012 11:12:52 UTC

Studying Zero-Day Attacks

Posted By Bruce Schneier

Interesting paper: "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World," by Leyla Bilge and Tudor Dumitras: Abstract: Little is known about the duration and prevalence of zeroday attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing,...

Mon, 15 Oct 2012 18:21:40 UTC

Apple Turns on iPhone Tracking in iOS6

Posted By Bruce Schneier

This is important: Previously, Apple had all but disabled tracking of iPhone users by advertisers when it stopped app developers from utilizing Apple mobile device data via UDID, the unique, permanent, non-deletable serial number that previously identified every Apple device. For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to...

Mon, 15 Oct 2012 12:02:08 UTC

Master Keys

Posted By Bruce Schneier

Earlier this month, a retired New York City locksmith was selling a set of "master keys" on eBay: Three of the five are standard issue for members of the FDNY, and the set had a metal dog tag that was embossed with an FDNY lieutenant's shield number, 6896. The keys include the all-purpose "1620," a master firefighter key that with...

Sat, 13 Oct 2012 12:28:56 UTC

Another Liars and Outliers Review

Posted By Bruce Schneier

I was reviewed in Science: Thus it helps to have a lucid and informative account such as Bruce Schneier's Liars and Outliers. The book provides an interesting and entertaining summary of the state of play of research on human social behavior, with a special emphasis on trust and trustworthiness. [...] Free from preoccupations and personal attachments to any of the...

Fri, 12 Oct 2012 21:17:00 UTC

Friday Squid Blogging: Squid Car

Posted By Bruce Schneier

A squid art car. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 11 Oct 2012 12:03:15 UTC

"Ask Nicely" Doesn't Work as a Security Mechanism

Posted By Bruce Schneier

Apple's map application shows more of Taiwan than Google Maps: The Taiwanese government/military, like many others around the world, requests that satellite imagery providers, such as Google Maps, blur out certain sensitive military installations. Unfortunately, Apple apparently didn't get that memo. [...] According to reports the Taiwanese defence ministry hasn't filed a formal request with Apple yet but thought it...

Wed, 10 Oct 2012 13:18:42 UTC

The Insecurity of Networks

Posted By Bruce Schneier

Not computer networks, networks in general: Findings so far suggest that networks of networks pose risks of catastrophic danger that can exceed the risks in isolated systems. A seemingly benign disruption can generate rippling negative effects. Those effects can cost millions of dollars, or even billions, when stock markets crash, half of India loses power or an Icelandic volcano spews...

Tue, 09 Oct 2012 11:31:43 UTC

Story of a CIA Burglar

Posted By Bruce Schneier

This is a fascinating story of a CIA burglar, who worked for the CIA until he tried to work against the CIA. The fact that he stole code books and keys from foreign embassies makes it extra interesting, and the complete disregard for the Constitution at the end makes it extra scary....

Mon, 08 Oct 2012 13:12:38 UTC

New Developments in Captchas

Posted By Bruce Schneier

In the never-ending arms race between systems to prove that you're a human and computers that can fake it, here's a captcha that tests whether you have human feelings. Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you...

Fri, 05 Oct 2012 21:38:19 UTC

Friday Squid Blogging: Giant Squid Engraving from the 1870s

Posted By Bruce Schneier

Neat book illustration. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Oct 2012 18:24:43 UTC

When Will We See Collisions for SHA-1?

Posted By Bruce Schneier

On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; also a member of the Skein team) did some back-of-the-envelope calculations to estimate how long it will be before we see a practical collision attack against SHA-1. I'm reprinting his analysis here, so it reaches a broader audience. According to E-BASH, the cost of one block of a SHA-1...

Fri, 05 Oct 2012 12:44:48 UTC

Maps Showing Spread of ZeroAccess Botnet

Posted By Bruce Schneier

The folks at F-Secure have plotted ZeroAccess infections across the U.S. and across Europe. It's interesting to see, but I'm curious to see the data normalized to the number of computers on the Internet....

Thu, 04 Oct 2012 20:35:10 UTC

Tradecraft and Terrorism

Posted By Bruce Schneier

Interesting....

Wed, 03 Oct 2012 15:00:21 UTC

Authentication Stories

Posted By Bruce Schneier

Anecdotes from Asia on seals versus signatures on official documents....

Tue, 02 Oct 2012 21:50:11 UTC

Keccak is SHA-3

Posted By Bruce Schneier

NIST has just announced that Keccak has been selected as SHA-3. It's a fine choice. I'm glad that SHA-3 is nothing like the SHA-2 family; something completely different is good. Congratulations to the Keccak team. Congratulations -- and thank you -- to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the...

Tue, 02 Oct 2012 14:41:26 UTC

2013 U.S. Homeland Security Budget

Posted By Bruce Schneier

Among other findings in this CBO report: Funding for homeland security has dropped somewhat from its 2009 peak of $76 billion, in inflation-adjusted terms; funding for 2012 totaled $68 billion. Nevertheless, the nation is now spending substantially more than what it spent on homeland security in 2001. Note that this is just direct spending on homeland security. This does not...

Mon, 01 Oct 2012 18:12:55 UTC

Security Question Cartoon

Posted By Bruce Schneier

Funny....

Mon, 01 Oct 2012 11:52:27 UTC

Scary iPhone Malware Story

Posted By Bruce Schneier

This story sounds pretty scary: Developed by Robert Templeman at the Naval Surface Warfare Center in Indiana and a few buddies from Indiana University, PlaceRaider hijacks your phone's camera and takes a series of secret photographs, recording the time, and the phone's orientation and location with each shot. Using that information, it can reliably build a 3D model of your...

Thu, 27 Sep 2012 18:14:22 UTC

NPR on Biometric Data Collection

Posted By Bruce Schneier

Interesting Talk of the Nation segment....

Thu, 27 Sep 2012 14:10:59 UTC

Replacing Alice and Bob

Posted By Bruce Schneier

A proposal to replace cryptography's Alice and Bob with Sita and Rama: Any book on cryptography invariably involves the characters Alice and Bob. It is always Alice who wants to send a message to Bob. This article replaces the dramatis personnae of cryptography with characters drawn from Hindu mythology....

Wed, 26 Sep 2012 12:11:15 UTC

Using Agent-Based Simulations to Evaluate Security Systems

Posted By Bruce Schneier

Kay Hamacher and Stefan Katzenbeisser, "Public Security: Simulations Need to Replace Conventional Wisdom," New Security Paradigms Workshop, 2011. Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently...

Tue, 25 Sep 2012 18:29:10 UTC

Quantum Cryptography

Posted By Bruce Schneier

Long article on quantum cryptography and cryptanalysis....

Tue, 25 Sep 2012 12:40:52 UTC

Homomorphic Encryption

Posted By Bruce Schneier

Good summary article....

Mon, 24 Sep 2012 18:09:24 UTC

Security Vulnerability in Windows 8 Unified Extensible Firmware Interface (UEFI)

Posted By Bruce Schneier

This is the first one discovered, I think....

Mon, 24 Sep 2012 11:59:58 UTC

SHA-3 to Be Announced

Posted By Bruce Schneier

NIST is about to announce the new hash algorithm that will become SHA-3. This is the result of a six-year competition, and my own Skein is one of the five remaining finalists (out of an initial 64). It's probably too late for me to affect the final decision, but I am hoping for "no award." It's not that the new...

Fri, 21 Sep 2012 21:30:53 UTC

Friday Squid Blogging: Beached Firefly Squid

Posted By Bruce Schneier

Pretty photo of firefly squid beached along a coast. I've written about firefly squid before. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Sep 2012 20:29:25 UTC

Another Review of Liars and Outliers

Posted By Bruce Schneier

I usually don't post reviews of Liars and Outliers -- they're all here -- but I am particularly proud of this one....

Fri, 21 Sep 2012 11:45:47 UTC

Accountable Algorithms

Posted By Bruce Schneier

Ed Felten has two posts about accountable algorithms. Good stuff....

Thu, 20 Sep 2012 11:02:44 UTC

The NSA and the Risk of Off-the-Shelf Devices

Posted By Bruce Schneier

Interesting article on how the NSA is approaching risk in the era of cool consumer devices. There's a discussion of the president's network-disabled iPad, and the classified cell phone that flopped because it took so long to develop and was so clunky. Turns out that everyone wants to use iPhones. Levine concluded, "Using commercial devices to process classified phone calls,...

Wed, 19 Sep 2012 17:31:26 UTC

Analysis of PIN Data

Posted By Bruce Schneier

An analysis of 3.4 million four-digit PINs. ("1234" is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. "8068" is the least common PIN -- that'll probably change now that the fact is published.)...

Wed, 19 Sep 2012 09:41:36 UTC

Recent Developments in Password Cracking

Posted By Bruce Schneier

A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It's not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.) This really isn't anything new. I wrote...

Tue, 18 Sep 2012 21:37:55 UTC

Friday Squid Blogging: Octonaut

Posted By Bruce Schneier

A space-traveling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Mon, 17 Sep 2012 12:03:54 UTC

Diamond Swallowing as a Ruse

Posted By Bruce Schneier

It's a known theft tactic to swallow what you're stealing. It works for food at the supermarket, and it also can work for diamonds. Here's a twist on that tactic: Police say he could have swallowed the stone in an attempt to distract the diamond's owner, Suresh de Silva, while his accomplice stole the real gem. Mr de Silva told...

Fri, 14 Sep 2012 21:15:29 UTC

Friday Squid Blogging: Giant Squid Museum

Posted By Bruce Schneier

In Valdés, Spain. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Sep 2012 19:20:59 UTC

Schneier on Security on Elementary

Posted By Bruce Schneier

Two of my books can be seen in the background in CBS' new Sherlock Holmes drama, Elementary. A copy of Schneier on Security is prominently displayed on Sherlock Holmes' bookshelf. You can see it in the first few minutes of the pilot episode. The show's producers contacted me early on to ask permission to use my books, so it didn't...

Fri, 14 Sep 2012 16:23:20 UTC

Man-in-the-Middle Bank Fraud Attack

Posted By Bruce Schneier

This sort of attack will become more common as banks require two-factor authentication: Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount. Next, it initiates a transfer. At this point Tatanga uses a Web Inject to trick the user into believing...

Fri, 14 Sep 2012 11:47:58 UTC

UGNazi

Posted By Bruce Schneier

Good article on the hacker group UGNazi....

Thu, 13 Sep 2012 18:20:33 UTC

Estimating the Probability of Another 9/11

Posted By Bruce Schneier

This statistical research says once per decade: Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically...

Thu, 13 Sep 2012 11:15:57 UTC

Steganography in the Wild

Posted By Bruce Schneier

Steganographic information is embedded in World of Warcraft screen shots....

Wed, 12 Sep 2012 17:55:56 UTC

Stopping Terrorism

Posted By Bruce Schneier

Nice essay on the futility of trying to prevent another 9/11: "Never again." It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public's understanding of homeland security. It convinced us...

Wed, 12 Sep 2012 11:23:16 UTC

A Real Movie-Plot Threat Contest

Posted By Bruce Schneier

The "Australia's Security Nightmares: The National Security Short Story Competition" is part of Safeguarding Australia 2012. To aid the national security community in imagining contemporary threats, the Australian Security Research Centre (ASRC) is organising Australia's Security Nightmares: The National Security Short Story Competition. The competition aims to produce a set of short stories that will contribute to a better conception...

Tue, 11 Sep 2012 17:38:40 UTC

New Attack Against Chip-and-Pin Systems

Posted By Bruce Schneier

Well, new to us: You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and...

Tue, 11 Sep 2012 11:45:18 UTC

Security at the 9/11 WTC Memorial

Posted By Bruce Schneier

There's a lot: Advance tickets are required to enter this public, outdoor memorial. To book them, you're obliged to provide your home address, email address, and phone number, and the full names of everyone in your party. It is strongly recommended that you print your tickets at home, which is where you must leave explosives, large bags, hand soap, glass...

Mon, 10 Sep 2012 11:51:47 UTC

Another Stuxnet Post

Posted By Bruce Schneier

Larry Constantine disputes David Sanger's book about Stuxnet: So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that...

Fri, 07 Sep 2012 21:41:03 UTC

Friday Squid Blogging: Controlling Squid Chromatophores with Music

Posted By Bruce Schneier

Wacky. Other stories about the story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Sep 2012 12:10:06 UTC

Hacking Marathon Races

Posted By Bruce Schneier

Truly bizarre story of someone who seems to have figured out how to successfully cheat at marathons. The evidence of his cheating is overwhelming, but no one knows how he does it....

Thu, 06 Sep 2012 17:31:43 UTC

CSOs/CISOs Wanted: Cloud Security Questions

Posted By Bruce Schneier

I'm trying to separate cloud security hype from reality. To that end, I'd like to talk to a few big corporate CSOs or CISOs about their cloud security worries, requirements, etc. If you're willing to talk, please contact me via e-mail. Eventually I will share the results of this inquiry. Thank you....

Thu, 06 Sep 2012 11:48:48 UTC

Database of 12 Million Apple UDIDs Hacked

Posted By Bruce Schneier

In this story, we learn that hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI laptop. When I first read the story, my questions were not about the hack but about the data. Why does an FBI agent have user identification information about 12 million iPhone users on his...

Wed, 05 Sep 2012 19:04:29 UTC

Wall Street Journal Review of Liars and Outliers

Posted By Bruce Schneier

Liars and Outliers (along with two other books: Kip Hawley's memoir of his time at the TSA and Against Security, by Harvey Molotch) has been reviewed in the Wall Street Journal....

Wed, 05 Sep 2012 11:06:03 UTC

Hacking Brain-Computer Interfaces

Posted By Bruce Schneier

In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article: A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal...

Tue, 04 Sep 2012 14:04:49 UTC

Eye Twitch Patterns as a Biometric

Posted By Bruce Schneier

Yet another biometric: eye twitch patterns: ...a person's saccades, their tiny, but rapid, involuntary eye movements, can be measured using a video camera. The pattern of saccades is as unique as an iris or fingerprint scan but easier to record and so could provide an alternative secure biometric identification technology. Probably harder to fool than iris scanners....

Fri, 31 Aug 2012 21:22:07 UTC

Friday Squid Blogging: "The Seasick Squid"

Posted By Bruce Schneier

A fable. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 Aug 2012 14:20:06 UTC

Conversation about Liars and Outliers on The WELL

Posted By Bruce Schneier

I'm on The WELL right now -- for the next week or so -- discussing my new book with anyone who wants to participate. I'm also at Dragon*Con this weekend in Atlanta....

Thu, 30 Aug 2012 14:22:54 UTC

The Psychological Effects of Terrorism

Posted By Bruce Schneier

Shelly C. McArdle, Heather Rosoff, Richard S. John (2012), "The Dynamics of Evolving Beliefs, Concerns Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples," Risk Analysis v. 32, pp. 744-761. Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came...

Wed, 29 Aug 2012 11:37:46 UTC

Shared Lock

Posted By Bruce Schneier

A reader sent me this photo of a shared lock. It's at the gate of a large ranch outside of Victoria, Texas. Multiple padlocks secure the device, but when a single padlock is removed, the center pin can be fully lifted and the gate can be opened. The point is to allow multiple entities (oil and gas, hunting parties, ranch...

Tue, 28 Aug 2012 15:38:30 UTC

The Importance of Security Engineering

Posted By Bruce Schneier

In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don't recommend reading the entire discussion; we spent 14,000 words talking past each other. But what's interesting is how our debate illustrates the differences between a security engineer...

Tue, 28 Aug 2012 00:06:22 UTC

Fear and Imagination

Posted By Bruce Schneier

Interesting anecdote from World War II....

Fri, 24 Aug 2012 21:32:51 UTC

Friday Squid Blogging: Squid Sacrifices Arms to Avoid Predators

Posted By Bruce Schneier

The squid Octopoteuthis deletron will drop portions of an arm to escape from a predator. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 24 Aug 2012 18:18:45 UTC

Internet Safety Talking Points for Schools

Posted By Bruce Schneier

A surprisingly sensible list. E. Why are you penalizing the 95% for the 5%? You don't do this in other areas of discipline at school. Even though you know some students will use their voices or bodies inappropriately in school, you don't ban everyone from speaking or moving. You know some students may show up drunk to the prom, yet...

Fri, 24 Aug 2012 11:27:07 UTC

Fear and How it Scales

Posted By Bruce Schneier

Nice post: The screaming fear in your stomach before you give a speech to 12 kids in the fifth grade is precisely the same fear a presidential candidate feels before the final debate. The fight-or-flight reflex that speeds up your heart when you're about to get a speeding ticket you don't deserve isn't very different than the chemical reaction in...

Thu, 23 Aug 2012 18:23:14 UTC

Exaggerating Cybercrime

Posted By Bruce Schneier

Finally, someone takes a look at the $1 trillion number government officials are quoting as the cost of cybercrime. While it's a good figure to scare people, it doesn't have much of a basis in reality....

Thu, 23 Aug 2012 11:43:42 UTC

Video Filter that Detects a Pulse

Posted By Bruce Schneier

Fascinating. How long before someone claims he can use this technology to detect nervous people in airports?...

Wed, 22 Aug 2012 17:34:51 UTC

Five "Neglects" in Risk Management

Posted By Bruce Schneier

Good list, summarized here: 1. Probability neglect -- people sometimes don't consider the probability of the occurrence of an outcome, but focus on the consequences only. 2. Consequence neglect -- just like probability neglect, sometimes individuals neglect the magnitude of outcomes. 3. Statistical neglect -- instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb...

Wed, 22 Aug 2012 11:09:11 UTC

Poll: Americans Like the TSA

Posted By Bruce Schneier

Gallup has the results: Despite recent negative press, a majority of Americans, 54%, think the U.S. Transportation Security Administration is doing either an excellent or a good job of handling security screening at airports. At the same time, 41% think TSA screening procedures are extremely or very effective at preventing acts of terrorism on U.S. airplanes, with most of the...

Tue, 21 Aug 2012 18:42:31 UTC

Is iPhone Security Really this Good?

Posted By Bruce Schneier

Simson Garfinkel writes that the iPhone has such good security that the police can't use it for forensics anymore: Technologies the company has adopted protect Apple customers' content so well that in many situations it's impossible for law enforcement to perform forensic examinations of devices seized from criminals. Most significant is the increasing use of encryption, which is beginning to...

Tue, 21 Aug 2012 10:53:54 UTC

Help Cryptanalyze Gauss

Posted By Bruce Schneier

Kaspersky is looking for help decrypting the Gauss payload....

Mon, 20 Aug 2012 18:05:08 UTC

Passive Sensor that Sees Through Walls

Posted By Bruce Schneier

A new technology uses the radiation given off by wi-fi devices to sense the positions of people through a one-foot-thick brick wall....

Mon, 20 Aug 2012 11:36:29 UTC

The View from an Israeli Security Checkpoint

Posted By Bruce Schneier

This is an extraordinary (and gut-wrenching) first-person account of what it's like to staff an Israeli security checkpoint. It shows how power corrupts: how it's impossible to make humane decisions in such a circumstance....

Fri, 17 Aug 2012 21:16:40 UTC

Friday Squid Blogging: Efforts to Film a Live Giant Squid

Posted By Bruce Schneier

Japanese researchers are attempting to film the elusive giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Aug 2012 11:39:14 UTC

$200 for a Fake Security System

Posted By Bruce Schneier

This is pretty funny: Moving red laser beams scare away potential intruders. Laser beams move along floor and wall 180 degrees. Easy to install, 110v comes on automatically w/timer. Watch the video. This is not an alarm, and it doesn't do anything other than the laser light show. But, as the product advertisement says, "perception can be an excellent deterrent...

Thu, 16 Aug 2012 18:52:38 UTC

Rudyard Kipling on Societal Pressures

Posted By Bruce Schneier

In the short story "A Wayside Comedy," published in 1888 in Under the Deodars, Kipling wrote: You must remember, though you will not understand, that all laws weaken in a small and hidden community where there is no public opinion. When a man is absolutely alone in a Station he runs a certain risk of falling into evil ways. This...

Thu, 16 Aug 2012 11:49:54 UTC

An Analysis of Apple's FileVault 2

Posted By Bruce Schneier

This is an analysis of Apple's disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn't break it. (Presumably, the version in Mountain Lion isn't any different.)...

Wed, 15 Aug 2012 19:23:52 UTC

Lousy Password Security on Tesco Website

Posted By Bruce Schneier

Good post, not because it picks on Tesco but because it's filled with good advice on how not to do it wrong....

Wed, 15 Aug 2012 13:57:59 UTC

Sexual Harassment at DefCon (and Other Hacker Cons)

Posted By Bruce Schneier

Excellent blog post by Valerie Aurora about sexual harassment at the DefCon hackers conference. Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community. The response of "this is just what hacker culture is, and changing it will destroy hackerdom" is just plain wrong. When swaths of the...

Wed, 15 Aug 2012 10:59:19 UTC

Liars and Outliers on Special Discount

Posted By Bruce Schneier

Liars and Outliers has been out since late February, and while it's selling great, I'd like it to sell better. So I have a special offer for my regular readers. People in the U.S. can buy a signed copy of the book for $11, Media Mail postage included. (Yes, I'm selling the book at a loss.) People in other countries...

Tue, 14 Aug 2012 19:27:23 UTC

Schneier in the News

Posted By Bruce Schneier

Here are links to three news articles about me, and two video interviews with me....

Tue, 14 Aug 2012 18:16:15 UTC

Measuring Cooperation and Defection using Shipwreck Data

Posted By Bruce Schneier

In Liars and Outliers, I talk a lot about social norms and when people follow them. This research uses survival data from shipwrecks to measure it. The authors argue that shipwrecks can actually tell us a fair bit about human behavior, since everyone stuck on a sinking ship has to do a bit of cost-benefit analysis. People will weigh their...

Tue, 14 Aug 2012 11:00:34 UTC

Cryptocat

Posted By Bruce Schneier

I'm late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian. At this point,...

Mon, 13 Aug 2012 17:41:37 UTC

Preventive vs. Reactive Security

Posted By Bruce Schneier

This is kind of a rambling essay on the need to spend more on infrastructure, but I was struck by this paragraph: Here's a news flash: There are some events that no society can afford to be prepared for to the extent that we have come to expect. Some quite natural events -- hurricanes, earthquakes, tsunamis, derechos -- have such...

Mon, 13 Aug 2012 11:57:01 UTC

U.S. and China Talking About Cyberweapons

Posted By Bruce Schneier

Stuart Baker calls them "proxy talks" because they're not government to government, but it's a start....

Fri, 10 Aug 2012 21:02:56 UTC

Friday Squid Blogging: Dumpling Squid

Posted By Bruce Schneier

The sex life of the dumpling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Aug 2012 18:22:46 UTC

Termite Suicide Bombers

Posted By Bruce Schneier

Some termites blow themselves up to expel invaders from their nest....

Fri, 10 Aug 2012 10:51:17 UTC

11-Year-Old Bypasses Airport Security

Posted By Bruce Schneier

Sure, stories like this are great fun, but I don't think it's much of a security concern. Terrorists can't build a plot around random occasional security failures....

Thu, 09 Aug 2012 18:46:02 UTC

Rolling Stone Magazine Writes About Computer Security

Posted By Bruce Schneier

It's a virus that plays AC/DC, so it makes sense. Surreal, though. Another article....

Thu, 09 Aug 2012 11:32:29 UTC

Detecting Spoofed GPS Signals

Posted By Bruce Schneier

This is the latest in the arms race between spoofing GPS signals and detecting spoofed GPS signals. Unfortunately, the countermeasures all seem to be patent pending....

Wed, 08 Aug 2012 18:04:58 UTC

Chinese Gang Sells Fake Professional Certifications

Posted By Bruce Schneier

They were able to hack into government websites: The gang's USP, and the reason it could charge up to 10,000 yuan (£1,000) per certificate, was that it could hack the relevant government site and tamper with the back-end database to ensure that the fake cert's name and registration number appeared legitimate. The gang made £30M before being arrested....

Wed, 08 Aug 2012 11:31:24 UTC

Yet Another Risk of Storing Everything in the Cloud

Posted By Bruce Schneier

A hacker can social-engineer his way into your cloud storage and delete everything you have. It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud....

Tue, 07 Aug 2012 18:45:30 UTC

Peter Swire Testifies on the Inadequacy of Privacy Self-Regulation

Posted By Bruce Schneier

Ohio State University Law Professor Peter Swire testifies before Congress on the inadequacy of industry self-regulation to protect privacy....

Tue, 07 Aug 2012 12:14:03 UTC

Verifying Elections Using Risk-Limiting Auditing

Posted By Bruce Schneier

Interesting article on using risk-limiting auditing in determining if an election's results are likely to be valid. The risk, in this case, is in the chance of a false negative, and the election being deemed valid. The risk level determines the extent of the audit....

Mon, 06 Aug 2012 16:22:12 UTC

Breaking Microsoft's PPTP Protocol

Posted By Bruce Schneier

Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft's PPTP protocol and the MS-CHAP authentication system. I haven't been paying attention, but I presume it's been fixed and improved over the years. Well, it's been broken again. ChapCrack can take captured network traffic that contains an MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise...

Mon, 06 Aug 2012 11:43:27 UTC

State-by-State Report on Electronic Voting

Posted By Bruce Schneier

The Verified Voting Foundation has released a comprehensive state-by-state report on electronic voting machines (report, executive summary, and news coverage). Let's hope it does some good....

Fri, 03 Aug 2012 21:08:24 UTC

Friday Squid Blogging: SQUIDS and Quantum Computing

Posted By Bruce Schneier

It seems that quantum computers might use superconducting quantum interference devices (SQUIDs). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Aug 2012 17:57:09 UTC

Unsafe Safes

Posted By Bruce Schneier

In a long article about insecurities in gun safes, there's this great paragraph: Unfortunately, manufacturers and consumers are deceived and misled into a false sense of security by electronic credentials, codes, and biometrics. We have seen this often, even with high security locks. Our rule: electrons do not open doors; mechanical components do. If you can compromise the mechanisms then...

Fri, 03 Aug 2012 11:03:04 UTC

Overreaction and Overly Specific Reactions to Rare Risks

Posted By Bruce Schneier

Horrific events, such as the massacre in Aurora, can be catalysts for social and political change. Sometimes it seems that they're the only catalyst; recall how drastically our policies toward terrorism changed after 9/11 despite how moribund they were before. The problem is that fear can cloud our reasoning, causing us to overreact and to overly focus on the specifics....

Thu, 02 Aug 2012 19:19:59 UTC

Court Orders TSA to Answer EPIC

Posted By Bruce Schneier

A year ago, EPIC sued the TSA over full body scanners (I was one of the plaintiffs), demanding that they follow their own rules and ask for public comment. The court agreed, and ordered the TSA to do that. In response, the TSA has done nothing. Now, a year later, the court has again ordered the TSA to answer EPIC's position....

Thu, 02 Aug 2012 18:08:30 UTC

Hotel Door Lock Vulnerability

Posted By Bruce Schneier

The attack only works sometimes, but it does allow access to millions of hotel rooms worldwide that are secured by Onity brand locks. Basically, you can read the unit's key out of the power port on the bottom of the lock, and then feed it back to the lock to authenticate an open command using the same power port....

Thu, 02 Aug 2012 11:23:40 UTC

Profile on Eugene Kaspersky

Posted By Bruce Schneier

Wired has an interesting and comprehensive profile on Eugene Kaspersky. Especially note Kaspersky Lab's work to uncover US cyberespionage against Iran, Kaspersky's relationship with Russia's state security services, and the story of the kidnapping of Kaspersky's son, Ivan. Kaspersky responded (not kindly) to the article, and the author responded to the response....

Wed, 01 Aug 2012 18:34:23 UTC

Lone Shooters and Body Armor

Posted By Bruce Schneier

The new thing about the Aurora shooting wasn't the weaponry, but the armor: What distinguished Holmes wasn't his offense. It was his defense. At Columbine, Harris and Klebold did their damage in T-shirts and cargo pants. Cho and Loughner wore sweatshirts. Hasan was gunned down in his Army uniform. Holmes' outfit blew these jokers away. He wore a ballistic helmet,...

Wed, 01 Aug 2012 12:17:47 UTC

On Soft Targets

Posted By Bruce Schneier

Stratfor has an interesting article....

Tue, 31 Jul 2012 16:11:42 UTC

Fake Irises Fool Scanners

Posted By Bruce Schneier

We already know you can wear fake irises to fool a scanner into thinking you're not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you're someone else....

Tue, 31 Jul 2012 11:30:42 UTC

Hacking Tool Disguised as a Power Strip

Posted By Bruce Schneier

This is impressive: The device has Bluetooth and Wi-Fi adapters, a cellular connection, dual Ethernet ports, and hacking and remote access tools that let security professionals test the network and call home to be remotely controlled via the cellular network. The device comes with easy-to-use scripts that cause it to boot up and then phone home for instructions. A "text-to-bash"...

Mon, 30 Jul 2012 17:40:17 UTC

Fear-Mongering at TED

Posted By Bruce Schneier

This TED talk trots out the usual fear-mongering that technology leads to terrorism. The facts are basically correct, but there are no counterbalancing facts, and the conclusions all one-sided. I'm not impressed with the speaker's crowdsourcing solution, either. Sure, crowdsourcing is a great tool for a lot of problems, but it's not the single thing that's going to protect us...

Mon, 30 Jul 2012 12:34:40 UTC

Detroit Bomb Threats

Posted By Bruce Schneier

There have been a few hoax bomb threats in Detroit recently (Windsor tunnel, US-Canada bridge, Tiger Stadium). The good news is that police learned; during the third one, they didn't close down the threatened location....

Fri, 27 Jul 2012 21:26:34 UTC

Friday Squid Blogging: Tentacle Doorstop

Posted By Bruce Schneier

Now this is neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Jul 2012 19:17:17 UTC

Liars and Outliers Summed Up in Two Comic Strips

Posted By Bruce Schneier

I don't know the context, but these strips sum up my latest book nicely....

Fri, 27 Jul 2012 14:42:07 UTC

Criminals Using Commercial Spamflooding Services

Posted By Bruce Schneier

Cybercriminals are using commercial spamflooding services to distract their victims during key moments of a cyberattack. Clever, but in retrospect kind of obvious....

Thu, 26 Jul 2012 11:55:10 UTC

Police Sting Operation Yields No Mobile Phone Thefts

Posted By Bruce Schneier

Police in Hastings, in the UK, outfitted mobile phones with tracking devices and left them in bars and restaurants, hoping to catch mobile phone thieves in the act. But no one stole them: Nine premises were visited in total and officers were delighted that not one of the bait phones was 'stolen'. In fact, on nearly every occasion good hearted...

Wed, 25 Jul 2012 11:42:46 UTC

Making Handcuff Keys with 3D Printers

Posted By Bruce Schneier

Handcuffs pose a particular key management problem. Officers need to be able to unlock handcuffs locked by another officer, so they're all designed to be opened by a standard set of keys. This system only works if the bad guys can't get a copy of the key, and modern handcuff manufacturers go out of their way to make it hard...

Tue, 24 Jul 2012 11:28:28 UTC

Implicit Passwords

Posted By Bruce Schneier

This is a really interesting research paper (article here) on implicit passwords: something your unconscious mind remembers but your conscious mind doesn't know. The Slashdot post is a nice summary: A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still...

Mon, 23 Jul 2012 11:15:59 UTC

How the Norwegians Reacted to Terrorism

Posted By Bruce Schneier

An antidote to the American cycle of threat, fear, and overspending in response to terrorism is this, about Norway on the first anniversary of its terrorist massacre: And at the political level, the Prime Minister Jens Stoltenberg pledged to do everything to ensure the country's core values were not undermined. "The Norwegian response to violence is more democracy, more openness...

Fri, 20 Jul 2012 21:17:07 UTC

Friday Squid Blogging: Preserved Squid

Posted By Bruce Schneier

Science or art? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 19 Jul 2012 11:46:23 UTC

Camera-Transparent Plastic

Posted By Bruce Schneier

I just wrote about the coming age of invisible surveillance. Here's another step along that process. The material is black in color and cannot be seen through with the naked eye. However, if you point a black and white camera at a sheet of Black-Ops Plastic, it becomes transparent allowing the camera to record whatever is on the other side....

Wed, 18 Jul 2012 14:27:13 UTC

Chinese Airline Rewards Crew for Resisting Hijackers

Posted By Bruce Schneier

Normally, companies instruct their employees not to resist. But Hainan Airlines did the opposite: Two safety officers and the chief purser got cash and property worth 4m yuan ($628,500; £406,200) each. The rest got assets worth 2.5m yuan each. That's a lot of money, especially in China. I'm sure it will influence future decisions by crew, and even passengers, about...

Mon, 16 Jul 2012 18:59:02 UTC

Remote Scanning Technology

Posted By Bruce Schneier

I don't know if this is real or fantasy: Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast...

Fri, 13 Jul 2012 21:53:36 UTC

Friday Squid Blogging: Barbecued Squid -- New Summer Favorite

Posted By Bruce Schneier

In the UK, barbecued squid is in: Sales of squid have tripled in recent months due to the growing popularity of Mediterranean food and the rise of the Dukan diet, as calamari looks set to become the barbecue hit of the summer....

Fri, 13 Jul 2012 11:51:20 UTC

Hacking BMW's Remote Keyless Entry System

Posted By Bruce Schneier

It turns out to be surprisingly easy: The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW's on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car's unique key fob digital ID and reprogram a blank key fob to start the car. It...

Thu, 12 Jul 2012 17:59:35 UTC

All-or-Nothing Access Control for Mobile Phones

Posted By Bruce Schneier

This paper looks at access control for mobile phones. Basically, it's all or nothing: either you have a password that protects everything, or you have no password and protect nothing. The authors argue that there should be more user choice: some applications should be available immediately without a password, and the rest should require a password. This makes a lot...

Thu, 12 Jul 2012 14:47:50 UTC

Dropped USB Sticks in Parking Lot as Actual Attack Vector

Posted By Bruce Schneier

For years, it's been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn't that people are plugging the sticks in, but that the computers trust them enough to run software off of them. This is the first time I've...

Wed, 11 Jul 2012 17:39:21 UTC

Petition the U.S. Government to Force the TSA to Follow the Law

Posted By Bruce Schneier

This is important: In July 2011, a federal appeals court ruled that the Transportation Security Administration had to conduct a notice-and-comment rulemaking on its policy of using "Advanced Imaging Technology" for primary screening at airports. TSA was supposed to publish the policy in the Federal Register, take comments from the public, and justify its policy based on public input. The...

Wed, 11 Jul 2012 12:49:46 UTC

Cryptanalyze the Agrippa Code

Posted By Bruce Schneier

William Gibson's Agrippa Code is available for cryptanalysis. Break the code, win a prize....

Tue, 10 Jul 2012 09:33:49 UTC

Attacking Fences

Posted By Bruce Schneier

From an article on the cocaine trade between Mexico and the U.S.: "They erect this fence," he said, "only to go out there a few days later and discover that these guys have a catapult, and they're flinging hundred-pound bales of marijuana over to the other side." He paused and looked at me for a second. "A catapult," he repeated....

Mon, 09 Jul 2012 17:36:20 UTC

Sensible Comments about Terrorism

Posted By Bruce Schneier

Two, at least: "Bee stings killed as many in UK as terrorists, says watchdog." "Americans Are as Likely to Be Killed by Their Own Furniture as by Terrorism." Is this a new trend in common sense? In case you forgot, here's a comprehensive list of ridiculous predictions about terrorist attacks (and an essay). And here's the best data on U.S....

Mon, 09 Jul 2012 11:02:43 UTC

Students Hack DHS Drone

Posted By Bruce Schneier

A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won't be able to do this?...

Fri, 06 Jul 2012 21:58:09 UTC

Friday Squid Blogging: Dissecting a Squid

Posted By Bruce Schneier

This was surprisingly interesting. When a body is mysterious, you cut it open. You peel back the skin and take stock of its guts. It is the science of an arrow, the epistemology of a list. There and here and look: You tick off organs, muscles, bones. Its belly becomes fact. It glows like fluorescent lights. The air turns aseptic...

Fri, 06 Jul 2012 19:44:49 UTC

Me on Military Cyberattacks and Cyberweapons Treaties

Posted By Bruce Schneier

I did a short Q&A for Network World....

Fri, 06 Jul 2012 14:40:08 UTC

Naming Pets

Posted By Bruce Schneier

Children are being warned that the name of their first pet should contain at least eight characters and a digit....

Thu, 05 Jul 2012 11:17:04 UTC

So You Want to Be a Security Expert

Posted By Bruce Schneier

I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice. First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating...

Tue, 03 Jul 2012 11:22:50 UTC

Commercial Espionage Virus

Posted By Bruce Schneier

It's designed to steal blueprints and send them to China. Note that although this is circumstantial evidence that the virus is from China, it is possible that the Chinese e-mail accounts that are collecting the blueprints are simply drops, and the controllers are elsewhere on the planet....

Mon, 02 Jul 2012 18:10:23 UTC

On Fear

Posted By Bruce Schneier

A poet reflects on the nature of fear....

Mon, 02 Jul 2012 11:20:35 UTC

WEIS 2012

Posted By Bruce Schneier

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks. On the second day, Ross and I debated -- well, discussed -- cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we...

Fri, 29 Jun 2012 21:14:36 UTC

Friday Squid Blogging: Another Giant Squid Found

Posted By Bruce Schneier

A dead 13-foot-long giant squid has been found off the coast of New South Wales. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Jun 2012 19:47:28 UTC

FireDogLake Book Salon for Liars and Outliers

Posted By Bruce Schneier

Here's the permalink....

Fri, 29 Jun 2012 11:35:28 UTC

On Securing Potentially Dangerous Virology Research

Posted By Bruce Schneier

Abstract: The problem of securing biological research data is a difficult and complicated one. Our ability to secure data on computers is not robust enough to ensure the security of existing data sets. Lessons from cryptography illustrate that neither secrecy measures, such as deleting technical details, nor national solutions, such as export controls, will work. --------- Science and Nature have...

Thu, 28 Jun 2012 13:50:43 UTC

Nuclear Fears

Posted By Bruce Schneier

Interesting review -- by David Ropeik -- of The Rise of Nuclear Fear, by Spencer Weart: Along with contributing to the birth of the environmental movement, Weart shows how fear of radiation began to undermine society's faith in science and modern technology. He writes "Polls showed that the number of Americans who felt 'a great deal' of confidence in science...

Wed, 27 Jun 2012 11:35:37 UTC

Top Secret America on the Post-9/11 Cycle of Fear and Funding

Posted By Bruce Schneier

I'm reading Top Secret America: The Rise of the New American Security State, by Dana Priest and William M. Arkin. Both work for The Washington Post. The book talks about the rise of the security-industrial complex in post 9/11 America. This short quote is from Chapter 3: Such dread was a large part of the post-9/11 decade. A culture of...

Wed, 27 Jun 2012 11:30:31 UTC

Russian Nuclear Launch Code Backup Procedure

Posted By Bruce Schneier

If the safe doesn't open, use a sledgehammer: The sledgehammer's existence first came to light in 1980, when a group of inspecting officers from the General Staff visiting Strategic Missile Forces headquarters asked General Georgy Novikov what he would do if he received a missile launch order but the safe containing the launch codes failed to open. Novikov said he...

Tue, 26 Jun 2012 18:57:43 UTC

E-Mail Accounts More Valuable than Bank Accounts

Posted By Bruce Schneier

This informal survey produced the following result: "45% of the users found their email accounts more valuable than their bank accounts." The author believes this is evidence of some sophisticated security reasoning on the part of users: From a security standpoint, I can't agree more with these people. Email accounts are used most commonly to reset other websites' account passwords,...

Tue, 26 Jun 2012 11:39:19 UTC

Stratfor on the Phoenix Serial Flashlight Bomber

Posted By Bruce Schneier

Interesting....

Mon, 25 Jun 2012 16:17:21 UTC

Resilience

Posted By Bruce Schneier

There was a conference on resilience (highlights here, and complete videos here) earlier this year. Here's an interview with professor Sander van der Leeuw on the topic. Although he never mentions security, it's all about security. Any system, whether it's the financial system, the environmental system, or something else, is always subject to all kinds of pressures. If it can...

Mon, 25 Jun 2012 11:58:25 UTC

Op-ed Explaining why Terrorism Doesn't Work

Posted By Bruce Schneier

Good essay by Max Abrahms. I've written about his research before....

Fri, 22 Jun 2012 21:03:07 UTC

Friday Squid Blogging: Giant Mutant Squid at the Queen's Jubilee

Posted By Bruce Schneier

I think this is a parody, but you can never be sure. Millions of Britons turned out for the Queen's four-day celebrations, undaunted by the 500-foot mutant squid that was destroying London. Huge crowds of well-wishers lined the banks of the Thames on Sunday to watch a spectacular flotilla, continuing to cheer and wave even as tentacles thicker than tree...

Fri, 22 Jun 2012 19:01:47 UTC

Colbert Report on the Orangutan Cyberthreat

Posted By Bruce Schneier

Very funny video exposé of the cyberthreat posed by giving iPads to orangutans. Best part is near the end, when Richard Clarke suddenly realizes that he's being interviewed about orangutans -- and not the Chinese....

Fri, 22 Jun 2012 12:20:20 UTC

Economic Analysis of Bank Robberies

Posted By Bruce Schneier

Yes, it's clever: The basic problem is the average haul from a bank job: for the three-year period, it was only £20,330.50 (~$31,613). And it gets worse, as the average robbery involved 1.6 thieves. So the authors conclude, "The return on an average bank robbery is, frankly, rubbish. It is not unimaginable wealth. It is a very modest £12,706.60 per...

Thu, 21 Jun 2012 18:03:03 UTC

Far-Fetched Scams Separate the Gullible from Everyone Else

Posted By Bruce Schneier

Interesting conclusion by Cormac Herley, in this paper: "Why Do Nigerian Scammers Say They are From Nigeria?" Abstract: False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack, true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This...

Thu, 21 Jun 2012 10:51:50 UTC

Apple Patents Data-Poisoning

Posted By Bruce Schneier

It's not a new idea, but Apple Computer has received a patent on "Techniques to pollute electronic profiling": Abstract: Techniques to pollute electronic profiling are provided. A cloned identity is created for a principal. Areas of interest are assigned to the cloned identity, where a number of the areas of interest are divergent from true interests of the principal. One...

Wed, 20 Jun 2012 18:19:50 UTC

Rand Paul Takes on the TSA

Posted By Bruce Schneier

Rand Paul has introduced legislation to rein in the TSA. There are two bills: One bill would require that the mostly federalized program be turned over to private screeners and allow airports -- with Department of Homeland Security approval -- to select companies to handle the work. This seems to be a result of a fundamental misunderstanding of the economic...

Wed, 20 Jun 2012 12:27:22 UTC

Switzerland National Defense

Posted By Bruce Schneier

Interesting blog post about this book about Switzerland's national defense. To make a long story short, McPhee describes two things: how Switzerland requires military service from every able-bodied male Swiss citizen -- a model later emulated and expanded by Israel -- and how the Swiss military has, in effect, wired the entire country to blow in the event of foreign...

Tue, 19 Jun 2012 18:02:20 UTC

Attack Against Point-of-Sale Terminal

Posted By Bruce Schneier

Clever attack: When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it's legit? In the past three months, Toronto and Peel police have discovered many that aren't. In what is the latest financial fraud, crooks are using distraction techniques to replace merchants' machines with their own, police say. At the end of the...

Tue, 19 Jun 2012 12:11:14 UTC

The Failure of Anti-Virus Companies to Catch Military Malware

Posted By Bruce Schneier

Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame: When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but...

Mon, 18 Jun 2012 17:38:17 UTC

England's Prince Philip on Security

Posted By Bruce Schneier

On banning guns: "If a cricketer, for instance, suddenly decided to go into a school and batter a lot of people to death with a cricket bat, which he could do very easily, I mean, are you going to ban cricket bats?" In a Radio 4 interview shortly after the Dunblane shootings in 1996. He said to the interviewer off-air afterwards:...

Mon, 18 Jun 2012 11:40:18 UTC

Honor System Farm Stands

Posted By Bruce Schneier

Many roadside farm stands in the U.S. are unmanned. They work on the honor system: take what you want, and pay what you owe. And today at his farm stand, Cochran says, just as at the donut shop years ago, most customers leave more money than they owe. That doesn't surprise social psychologist Michael Cunningham of the University of Louisville...

Fri, 15 Jun 2012 21:02:33 UTC

Friday Squid Blogging: Woman's Mouth Inseminated by Cooked Squid

Posted By Bruce Schneier

This story is so freaky I'm not even sure I want to post it. But if I don't, you'll all send me the links. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Jun 2012 19:55:06 UTC

FireDogLake Book Salon for Liars and Outliers

Posted By Bruce Schneier

On Sunday, I will be participating in a public discussion about my new book on the FireDogLake website. James Fallows will be the moderator, and I will be answering questions from all comers -- you do have to register an ID, though -- from 5:00 - 7:00 EDT. Stop by and join the discussion....

Fri, 15 Jun 2012 11:51:32 UTC

Rare Rational Comment on al Qaeda's Capabilities

Posted By Bruce Schneier

From "CNN national security analyst" Peter Bergen: Few Americans harbor irrational fears about being killed by a lightning bolt. Abu Yahya al-Libi's death on Monday should remind them that fear of al Qaeda in its present state is even more irrational. Will anyone listen?...

Thu, 14 Jun 2012 17:27:14 UTC

Cheating in Online Classes

Posted By Bruce Schneier

Interesting article: In the case of that student, the professor in the course had tried to prevent cheating by using a testing system that pulled questions at random from a bank of possibilities. The online tests could be taken anywhere and were open-book, but students had only a short window each week in which to take them, which was not...

Thu, 14 Jun 2012 11:40:29 UTC

Cyberwar Treaties

Posted By Bruce Schneier

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat. If you read the press and listen to government leaders, we're already in the middle of a...

Wed, 13 Jun 2012 17:08:44 UTC

Teaching the Security Mindset

Posted By Bruce Schneier

In 2008 I wrote about the security mindset and how difficult it is to teach. Two professors teaching a cyberwarfare class gave an exam where they expected their students to cheat: Our variation of the Kobayashi Maru utilized a deliberately unfair exam -- write the first 100 digits of pi (3.14159...) from memory -- and took place in the pilot offering...

Wed, 13 Jun 2012 11:45:30 UTC

High-Quality Fake IDs from China

Posted By Bruce Schneier

USA Today article: Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards. Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents. The overseas forgers are...

Tue, 12 Jun 2012 10:09:50 UTC

Israel Demanding Passwords at the Border

Posted By Bruce Schneier

There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice. This is the first story I've seen of a country doing this at its borders. The country is Israel, and they're asking for passwords to e-mail accounts....

Mon, 11 Jun 2012 11:36:49 UTC

Changing Surveillance Techniques for Changed Communications Technologies

Posted By Bruce Schneier

New paper by Peter P. Swire -- "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud": Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The...

Fri, 08 Jun 2012 21:28:48 UTC

Friday Squid Blogging: Baby Opalescent Squid

Posted By Bruce Schneier

Baby squid larvae are transparent after they hatch, so you can see the chromatophores (color control mechanisms) developing after a few days. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Jun 2012 11:43:22 UTC

The Catastrophic Consequences of 9/11

Posted By Bruce Schneier

This is an interesting essay -- it claims to be the first in a series -- that looks at the rise of "homeland security" as a catastrophic consequence of the 9/11 terrorist attacks: In this usage catastrophic is not a pejorative, it is a description of an atypically radical shift in perception and behavior from one condition to another very...

Thu, 07 Jun 2012 11:15:06 UTC

Homeland Security as Security Theater Metaphor

Posted By Bruce Schneier

Look at the last sentence in this article on hotel cleanliness: "I relate this to homeland security. We are not any safer, but many people believe that we are," he said. It's interesting to see the waste-of-money meme used so cavalierly....

Wed, 06 Jun 2012 14:36:46 UTC

Ghostery

Posted By Bruce Schneier

Ghostery is a Firefox plug-in that tracks who is tracking your browsing habits in cyberspace. Here's a TED talk by Gary Kovacs, the CEO of Mozilla Corp., on it. I use AdBlock Plus, and dump my cookies whenever I close Firefox. Should I switch to Ghostery? What do other people do for web privacy?...

Tue, 05 Jun 2012 18:16:59 UTC

Security and Human Behavior (SHB 2012)

Posted By Bruce Schneier

I'm at the Fifth Interdisciplinary Workshop on Security and Human Behavior, SHB 2012. Google is hosting this year, at its offices in lower Manhattan. SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security --...

Tue, 05 Jun 2012 11:07:26 UTC

Interesting Article on Libyan Internet Intelligence Gathering

Posted By Bruce Schneier

This is worth reading, for the insights it provides on how a country goes about monitoring its citizens in the information age: a combination of targeted attacks and wholesale surveillance. I'll just quote one bit, this list of Western companies that helped: Amesys, with its Eagle system, was just one of Libya's partners in repression. A South African firm called...

Mon, 04 Jun 2012 11:36:33 UTC

The Unreliability of Eyewitness Testimony

Posted By Bruce Schneier

Interesting article: The reliability of witness testimony is a vastly complex subject, but legal scholars and forensic psychologists say it's possible to extract the truth from contradictory accounts and evolving memories. According to Barbara Tversky, professor emerita of psychology at Stanford University, the bottom line is this: "All other things equal, earlier recountings are more likely to be accurate than...

Mon, 04 Jun 2012 11:21:58 UTC

Flame

Posted By Bruce Schneier

Flame seems to be another military-grade cyber-weapon, this one optimized for espionage. The worm is at least two years old, and is mainly confined to computers in the Middle East. (It does not replicate and spread automatically, which is certainly so that its controllers can target it better and evade detection longer.) And its espionage capabilities are pretty impressive. We'll...

Fri, 01 Jun 2012 21:40:38 UTC

Friday Squid Blogging: Mimicking Squid Camouflage

Posted By Bruce Schneier

Interesting: Cephalopods - squid, cuttlefish and octopuses - change colour by using tiny muscles in their skins to stretch out small sacs of black colouration. These sacs are located in the animal's skin cells, and when a cell is ready to change colour, the brain sends a signal to the muscles and they contract. This makes the sacs expand and...

Fri, 01 Jun 2012 18:08:17 UTC

Obama's Role in Stuxnet and Iranian Cyberattacks

Posted By Bruce Schneier

Really interesting article....

Fri, 01 Jun 2012 11:48:41 UTC

The Vulnerabilities Market and the Future of Security

Posted By Bruce Schneier

Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who...

Thu, 31 May 2012 18:19:52 UTC

Tax Return Identity Theft

Posted By Bruce Schneier

I wrote about this sort of thing in 2006 in the UK, but it's even bigger business here: The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund, sometimes by check but more often through a convenient but hard-to-trace prepaid debit card....

Thu, 31 May 2012 11:17:28 UTC

Bar Code Switching

Posted By Bruce Schneier

A particularly clever form of retail theft -- especially when salesclerks are working fast and don't know the products -- is to switch bar codes. This particular thief stole Lego sets. If you know Lego, you know there's a vast price difference between the small sets and the large ones. He was caught by in-store surveillance....

Wed, 30 May 2012 17:54:29 UTC

The Psychology of Immoral (and Illegal) Behavior

Posted By Bruce Schneier

When I talk about Liars and Outliers to security audiences, one of the things I stress is our traditional security focus -- on technical countermeasures -- is much narrower than it could be. Leveraging moral, reputational, and institutional pressures are likely to be much more effective in motivating cooperative behavior. This story illustrates the point. It's about the psychology of...

Wed, 30 May 2012 11:44:56 UTC

The Problem of False Alarms

Posted By Bruce Schneier

The context is tornado warnings: The basic problem, Smith says, is that sirens are sounded too often in most places. Sometimes they sound in an entire county for a warning that covers just a sliver of it; sometimes for other thunderstorm phenomena like large hail and/or strong straight-line winds; and sometimes for false alarm warnings -- warnings for tornadoes that...

Tue, 29 May 2012 19:07:49 UTC

Backdoor Found in Chinese-Made Military Silicon Chips

Posted By Bruce Schneier

We all knew this was possible, but researchers have found the exploit in the wild: Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption...

Tue, 29 May 2012 11:03:48 UTC

Interview with a Safecracker

Posted By Bruce Schneier

The legal kind. It's interesting: Q: How realistic are movies that show people breaking into vaults? A: Not very! In the movies it takes five minutes of razzle-dazzle; in real life it's usually at least a couple of hours of precision work for an easy, lost combination lockout. [...] Q: Have you ever met a lock you couldn't pick? A:...

Mon, 28 May 2012 11:58:33 UTC

My Last Post About Ethnic Profiling at Airports

Posted By Bruce Schneier

Remember my rebuttal of Sam Harris's essay advocating the profiling of Muslims at airports? That wasn't the end of it. Harris and I conducted a back-and-forth e-mail discussion, the results of which are here. At 14,000+ words, I only recommend it for the most stalwart of readers....

Fri, 25 May 2012 21:01:55 UTC

Friday Squid Blogging: Squid Ink from the Jurassic

Posted By Bruce Schneier

Seems that squid ink hasn't changed much in 160 million years. From this, researchers argue that the security mechanism of spraying ink into the water and escaping is also that old. Simon and his colleagues used a combination of direct, high-resolution chemical techniques to determine that the melanin had been preserved. The researchers also compared the chemical composition of the...

Fri, 25 May 2012 11:43:23 UTC

The Explosive from the Latest Foiled Al Qaeda Underwear Bomb Plot

Posted By Bruce Schneier

Interesting: Although the plot was disrupted before a particular airline was targeted and tickets were purchased, al Qaeda's continued attempts to attack the U.S. speak to the organization's persistence and willingness to refine specific approaches to killing. Unlike Abdulmutallab's bomb, the new device contained lead azide, an explosive often used as a detonator. If the new underwear bomb had been...

Thu, 24 May 2012 16:31:46 UTC

The Ubiquity of Cyber-Fears

Posted By Bruce Schneier

A new study concludes that more people are worried about cyber threats than terrorism. ...the three highest priorities for Americans when it comes to security issues in the presidential campaign are: Protecting government computer systems against hackers and criminals (74 percent) Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent) Homeland security...

Thu, 24 May 2012 11:17:59 UTC

The Banality of Surveillance Photos

Posted By Bruce Schneier

Interesting essay on a trove of surveillance photos from Cold War-era Prague. Cops, even secret cops, are for the most part ordinary people. Working stiffs concerned with holding down jobs and earning a living. Even those who thought it was important to find enemies recognized the absurdity of their task. I take photos all the time and these empty blurry...

Wed, 23 May 2012 17:32:12 UTC

Lessons in Trust from Web Hoaxes

Posted By Bruce Schneier

Interesting discussion of trust in this article on web hoaxes. Kelly's students, like all good con artists, built their stories out of small, compelling details to give them a veneer of veracity. Ultimately, though, they aimed to succeed less by assembling convincing stories than by exploiting the trust of their marks, inducing them to lower their guard. Most of us...

Wed, 23 May 2012 12:25:35 UTC

Privacy Concerns Around "Social Reading"

Posted By Bruce Schneier

Interesting paper: "The Perils of Social Reading," by Neil M. Richards, from the Georgetown Law Journal. Abstract: Our law currently treats records of our reading habits under two contradictory rules -- rules mandating confidentiality, and rules permitting disclosure. Recently, the rise of the social Internet has created more of these records and more pressures on when and how they should...

Tue, 22 May 2012 18:10:22 UTC

Racism as a Vestigial Remnant of a Security Mechanism

Posted By Bruce Schneier

"Roots of Racism," by Elizabeth Culotta in Science: Our attitudes toward outgroups are part of a threat-detection system that allows us to rapidly determine friend from foe, says psychologist Steven Neuberg of ASU Tempe. The problem, he says, is that like smoke detectors, the system is designed to give many false alarms rather than miss a true threat. So outgroup...

Tue, 22 May 2012 11:24:51 UTC

Security Incentives and Advertising Fraud

Posted By Bruce Schneier

Details are in the article, but here's the general idea: Let's follow the flow of the users: Scammer buys user traffic from PornoXo.com and sends it to HQTubeVideos. HQTubeVideos loads, in invisible iframes, some parked domains with innocent-sounding names (relaxhealth.com, etc). In the parked domains, ad networks serve display and PPC ads. The click-fraud sites click on the ads that...

Mon, 21 May 2012 15:32:57 UTC

Portrait of a Counterfeiter

Posted By Bruce Schneier

Interesting article from Wired....

Fri, 18 May 2012 21:26:57 UTC

Friday Squid Blogging: Squid Scalp Massager

Posted By Bruce Schneier

Cheap! As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 18 May 2012 11:06:51 UTC

Kip Hawley Reviews Liars and Outliers

Posted By Bruce Schneier

In his blog: I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For...

Thu, 17 May 2012 17:28:45 UTC

Cybersecurity at the Doctor's Office

Posted By Bruce Schneier

I like this essay because it nicely illustrates the security mindset....

Thu, 17 May 2012 12:20:14 UTC

Rules for Radicals

Posted By Bruce Schneier

It was written in 1971, but this still seems like a cool book: For an elementary illustration of tactics, take parts of your face as the point of reference; your eyes, your ears, and your nose. First the eyes: if you have organized a vast, mass-based people's organization, you can parade it visibly before the enemy and openly show your...

Wed, 16 May 2012 18:50:05 UTC

USB Drives and Wax Seals

Posted By Bruce Schneier

Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!...

Wed, 16 May 2012 11:15:10 UTC

Security Vulnerabilities in Airport Full-Body Scanners

Posted By Bruce Schneier

According to a report from the DHS Office of Inspector General: Federal investigators "identified vulnerabilities in the screening process" at domestic airports using so-called "full body scanners," according to a classified internal Department of Homeland Security report. EPIC obtained an unclassified version of the report in a FOIA response. Here's the summary....

Tue, 15 May 2012 11:17:04 UTC

U.S. Exports Terrorism Fears

Posted By Bruce Schneier

To New Zealand: United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as "body bombers." [...] "Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward." Why the headline of this...

Mon, 14 May 2012 11:19:44 UTC

The Trouble with Airport Profiling

Posted By Bruce Schneier

Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who...

Fri, 11 May 2012 21:58:04 UTC

Friday Squid Blogging: New Book on Squid

Posted By Bruce Schneier

Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 May 2012 11:42:22 UTC

Smart Phone Privacy App

Posted By Bruce Schneier

MobileScope looks like a great tool for monitoring and controlling what information third parties get from your smart phone apps: We built MobileScope as a proof-of-concept tool that automates much of what we were doing manually; monitoring mobile devices for surprising traffic and highlighting potentially privacy-revealing flows [...] Unlike PCs, we have little control over the underlying privacy and security...

Thu, 10 May 2012 10:46:52 UTC

Security Fail

Posted By Bruce Schneier

Funny....

Wed, 09 May 2012 11:24:17 UTC

RuggedCom Inserts Backdoor into Its Products

Posted By Bruce Schneier

All RuggedCom equipment comes with a built-in backdoor: The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be...

Tue, 08 May 2012 18:14:17 UTC

A Foiled Terrorist Plot

Posted By Bruce Schneier

We don't know much, but here are my predictions: There's a lot more hyperbole to this story than reality. The explosive would have either 1) been caught by pre-9/11 security, or 2) not been caught by post-9/11 security. Nonetheless, it will be used to justify more invasive airport security....

Tue, 08 May 2012 12:03:52 UTC

Overreacting to Potential Bombs

Posted By Bruce Schneier

This is a ridiculous overreaction: The police bomb squad was called to 2 World Financial Center in lower Manhattan at midday when a security guard reported a package that seemed suspicious. Brookfield Properties, which runs the property, ordered an evacuation as a precaution. That's the entire building, a 44-story, 2.5-million-square-foot office building. And why? The bomb squad determined the package...

Mon, 07 May 2012 11:52:51 UTC

Naval Drones

Posted By Bruce Schneier

With all the talk about airborne drones like the Predator, it's easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV): The boat -- painted in Navy gray and with a striking resemblance to a PT boat -- is 39 feet long and can reach a top speed of 28 knots....

Fri, 04 May 2012 21:01:04 UTC

Friday Squid Blogging: Squid Bicycle Parking Sculpture

Posted By Bruce Schneier

Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 May 2012 18:31:57 UTC

Tampon-Shaped USB Drive

Posted By Bruce Schneier

This vendor is selling a tampon-shaped USB drive. Although it's less secure now that there are blog posts about it....

Fri, 04 May 2012 11:31:19 UTC

Facial Recognition of Avatars

Posted By Bruce Schneier

I suppose this sort of thing might be useful someday. In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there...

Thu, 03 May 2012 11:22:45 UTC

Criminal Intent Prescreening and the Base Rate Fallacy

Posted By Bruce Schneier

I've often written about the base rate fallacy and how it makes tests for rare events -- like airplane terrorists -- useless because the false positives vastly outnumber the real positives. This essay uses that argument to demonstrate why the TSA's FAST program is useless: First, predictive software of this kind is undermined by a simple statistical problem known as...

Wed, 02 May 2012 17:41:39 UTC

Al Qaeda Steganography

Posted By Bruce Schneier

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie. Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than...

Wed, 02 May 2012 12:10:38 UTC

Cybercrime as a Tragedy of the Commons

Posted By Bruce Schneier

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn't as big a problem as conventional wisdom makes it out to be. We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority....

Tue, 01 May 2012 12:31:44 UTC

When Investigation Fails to Prevent Terrorism

Posted By Bruce Schneier

I've long advocated investigation, intelligence, and emergency response as the places where we can most usefully spend our counterterrorism dollars. Here's an example where that didn't work: Starting in April 1991, three FBI agents posed as members of an invented racist militia group called the Veterans Aryan Movement. According to their cover story, VAM members robbed armored cars, using the...

Mon, 30 Apr 2012 11:52:17 UTC

JCS Chairman Sows Cyberwar Fears

Posted By Bruce Schneier

Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks. Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race....

Sat, 28 Apr 2012 00:57:28 UTC

Vote for Liars and Outliers

Posted By Bruce Schneier

Actionable Books is having a vote to determine which of four books to summarize on their site. If you are willing, please go there and vote for Liars and Outliers. (Voting requires a Facebook ID.) Voting closes Monday at noon EST, although I presume they mean EDT....

Fri, 27 Apr 2012 16:32:49 UTC

Friday Squid Blogging: Chesapeake Bay Squid

Posted By Bruce Schneier

Great pictures. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Apr 2012 11:53:30 UTC

Attack Mitigation

Posted By Bruce Schneier

At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: "Damage Mitigation as the New Defense." That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop...

Thu, 26 Apr 2012 11:57:58 UTC

Biometric Passports Make it Harder for Undercover CIA Officers

Posted By Bruce Schneier

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents. Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a...

Wed, 25 Apr 2012 11:51:32 UTC

Fear and the Attention Economy

Posted By Bruce Schneier

danah boyd is thinking about -- in a draft essay, and as a recording of a presentation -- fear and the attention economy. Basically, she is making the argument that the attention economy magnifies the culture of fear because fear is a good way to get attention, and that this is being made worse by the rise of social media....

Tue, 24 Apr 2012 11:43:44 UTC

Amazing Round of "Split or Steal"

Posted By Bruce Schneier

In Liars and Outliers, I use the metaphor of the Prisoner's Dilemma to exemplify the conflict between group interest and self-interest. There are a gazillion academic papers on the Prisoner's Dilemma from a good dozen different academic disciplines, but the weirdest dataset on real people playing the game is from a British game show called Golden Balls. In the final...

Mon, 23 Apr 2012 11:18:12 UTC

Alan Turing Cryptanalysis Papers

Posted By Bruce Schneier

GCHQ, the UK government's communications headquarters, has released two new -- well, 70 years old, but new to us -- cryptanalysis documents by Alan Turing. The papers, one entitled The Applications of Probability to Crypt, and the other entitled Paper on the Statistics of Repetitions, discuss mathematical approaches to code breaking. [...] According to the GCHQ mathematician, who identified himself...

Fri, 20 Apr 2012 21:49:34 UTC

Friday Squid Blogging: Extracting Squid Ink

Posted By Bruce Schneier

How to extract squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Apr 2012 17:48:07 UTC

Liars & Outliers Update

Posted By Bruce Schneier

Liars & Outliers has been available for about two months, and is selling well both in hardcover and e-book formats. More importantly, I'm very pleased with the book's reception. The reviews I've gotten have been great, and I read a lot of tweets from people who have enjoyed the book. My goal was to give people new ways to think...

Fri, 20 Apr 2012 11:19:44 UTC

TSA Behavioral Detection Statistics

Posted By Bruce Schneier

Interesting data from the U.S. Government Accounting Office: But congressional auditors have questions about other efficiencies as well, like having 3,000 "behavior detection" officers assigned to question passengers. The officers sidetracked 50,000 passengers in 2010, resulting in the arrests of 300 passengers, the GAO found. None turned out to be terrorists. Yet in the same year, behavior detection teams apparently...

Thu, 19 Apr 2012 18:03:11 UTC

Dance Moves As an Identifier

Posted By Bruce Schneier

A burglar was identified by his dance moves, captured on security cameras: "The 16-year-old juvenile suspect is known for his 'swag,' or signature dance move," Heyse said, "and [he] does it in the hallways at school." Presumably, although the report doesn't make it clear, a classmate or teacher saw the video, recognized the distinctive swag and notified authorities. But is...

Thu, 19 Apr 2012 10:52:09 UTC

Smart Meter Hacks

Posted By Bruce Schneier

Brian Krebs writes about smart meter hacks: But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet....

Wed, 18 Apr 2012 18:30:47 UTC

Password Security at Linode

Posted By Bruce Schneier

Here's something good: We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers. And this: Some of you may have noticed a few changes to the Linode Manager over the past...

Wed, 18 Apr 2012 11:49:43 UTC

Stolen Phone Database

Posted By Bruce Schneier

This article talks about a database of stolen cell phone IDs that will be used to deny service. While I think this is a good idea, I don't know how much it would deter cell phone theft. As long as there are countries that don't implement blocking based on the IDs in the databases -- and surely there will always...

Tue, 17 Apr 2012 18:22:44 UTC

Forever-Day Bugs

Posted By Bruce Schneier

That's a nice turn of phrase: Forever day is a play on "zero day," a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or "infinite days" by some researchers, forever days refer to bugs that never get fixed -- even when they're acknowledged by the company that developed the software....

Tue, 17 Apr 2012 11:15:38 UTC

Outliers in Intelligence Analysis

Posted By Bruce Schneier

From the CIA journal Studies in Intelligence: "Capturing the Potential of Outlier Ideas in the Intelligence Community." In war you will generally find that the enemy has at any time three courses of action open to him. Of those three, he will invariably choose the fourth. Helmuth Von Moltke With that quip, Von Moltke may have launched a spirited debate...

Mon, 16 Apr 2012 17:29:40 UTC

Hawley Channels His Inner Schneier

Posted By Bruce Schneier

Kip Hawley wrote an essay for the Wall Street Journal on airport security. In it, he says so many sensible things that people have been forwarding it to me with comments like "did you ghostwrite this?" and "it looks like you won an argument" and "how did you convince him?" (Sadly, the essay was published in the Journal, which means...

Mon, 16 Apr 2012 10:55:15 UTC

How Information Warfare Changes Warfare

Posted By Bruce Schneier

Really interesting paper on the moral and ethical implications of cyberwar, and the use of information technology in war (drones, for example): "Information Warfare: A Philosophical Perspective," by Mariarosaria Taddeo, Philosophy and Technology, 2012. Abstract: This paper focuses on Information Warfare -- the warfare characterised by the use of information and communication technologies. This is a fast growing phenomenon, which...

Fri, 13 Apr 2012 21:48:05 UTC

Friday Squid Blogging: Squid Fiction

Posted By Bruce Schneier

Great short story in Nature. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Apr 2012 19:11:30 UTC

Me at RSA 2012

Posted By Bruce Schneier

This is not a video of my talk at the RSA Conference earlier this year. This is a 16-minute version of that talk -- TED-like -- that the conference filmed the day after for the purpose of putting it on the Internet. Today's Internet threats are not technical; they're social and political. They aren't criminals, hackers, or terrorists. They're the...

Fri, 13 Apr 2012 12:08:15 UTC

Disguising Tor Traffic as Skype Video Calls

Posted By Bruce Schneier

One of the problems with Tor traffic is that it can be detected and blocked. Here's SkypeMorph, a clever system that disguises Tor traffic as Skype video traffic. To prevent the Tor traffic from being recognized by anyone analyzing the network flow, SkypeMorph uses what's known as traffic shaping to convert Tor packets into User Datagram Protocol packets, as used...

Thu, 12 Apr 2012 18:34:02 UTC

Bomb Threats As a Denial-of-Service Attack

Posted By Bruce Schneier

The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom -- one of the threatened buildings is the 42-story Cathedral of Learning -- finds nothing, and eventually resumes classes. This seems to be nothing...

Thu, 12 Apr 2012 11:38:56 UTC

Brian Snow on Cybersecurity

Posted By Bruce Schneier

Interesting video of Brian Snow speaking from last November. (Brian used to be the Technical Director of NSA's Information Assurance Directorate.) About a year and a half ago, I complained that his words were being used to sow cyber-fear. This talk -- about 30 minutes -- is a better reflection of what he really thinks....

Wed, 11 Apr 2012 18:25:54 UTC

"Raise the Crime Rate"

Posted By Bruce Schneier

I read this a couple of months ago, and I'm still not sure what I think about it. It's definitely one of the most thought-provoking essays I've read this year. According to government statistics, Americans are safer today than at any time in the last forty years. In 1990, there were 2,245 homicides in New York City. In 2010, there were...

Wed, 11 Apr 2012 14:57:15 UTC

A Heathrow Airport Story about Trousers

Posted By Bruce Schneier

Usually I don't bother posting random stories about dumb or inconsistent airport security measures. But this one is particularly interesting: "Sir, your trousers." "Pardon?" "Sir, please take your trousers off." A pause. "No." "No?" The security official clearly was not expecting that response. He begins to look like he doesn't know what to do, bless him. "You have no power...

Tue, 10 Apr 2012 15:21:50 UTC

Teenagers and Privacy

Posted By Bruce Schneier

Good article debunking the myth that young people don't care about privacy on the Internet. Most kids are well aware of risks, and make "fairly sophisticated" decisions about privacy settings based on advice and information from their parents, teachers, and friends. They differentiate between people they don't know out in the world (distant strangers) and those they don't know in...

Mon, 09 Apr 2012 12:45:06 UTC

Laptops and the TSA

Posted By Bruce Schneier

The New York Times tries to make sense of the TSA's policies on computers. Why do you have to take your tiny laptop out of your bag, but not your iPad? Their conclusion: security theater....

Fri, 06 Apr 2012 21:14:23 UTC

Friday Squid Blogging: Squid Art

Posted By Bruce Schneier

Happy Easter. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Apr 2012 16:03:38 UTC

A Systems Framework for Catastrophic Disaster Response

Posted By Bruce Schneier

The National Academies Press has published Crisis Standards of Care: A Systems Framework for Catastrophic Disaster Response. When a nation or region prepares for public health emergencies such as a pandemic influenza, a large-scale earthquake, or any major disaster scenario in which the health system may be destroyed or stressed to its limits, it is important to describe how standards...

Fri, 06 Apr 2012 10:35:08 UTC

James Randi on Magicians and the Security Mindset

Posted By Bruce Schneier

Okay, so he doesn't use that term. But he explains how a magician's inherent ability to detect deception can be useful to science. We can't make magicians out of scientists -- we wouldn't want to -- but we can help scientists "think in the groove" -- think like a magician. And we should. We are not scientists -- with a...

Thu, 05 Apr 2012 17:42:06 UTC

Helen Nussenbaum, Privacy, and the Federal Trade Commission

Posted By Bruce Schneier

Good article....

Thu, 05 Apr 2012 11:19:30 UTC

JetBlue Captain Clayton Osbon and Resilient Security

Posted By Bruce Schneier

This is the most intelligent thing I've read about the JetBlue incident where a pilot had a mental breakdown in the cockpit: For decades, public safety officials and those who fund them have focused on training and equipment that has a dual-use function for any hazard that may come our way. The post-9/11 focus on terrorism, with all the gizmos...

Wed, 04 Apr 2012 17:34:27 UTC

The Battle for Internet Governance

Posted By Bruce Schneier

Good article on the current battle for Internet governance: The War for the Internet was inevitable -- a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers...

Wed, 04 Apr 2012 11:07:36 UTC

Lost Smart Phones and Human Nature

Posted By Bruce Schneier

Symantec deliberately "lost" a bunch of smart phones with tracking software on them, just to see what would happen: Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a filed named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were...

Tue, 03 Apr 2012 19:01:02 UTC

Law Enforcement Forensics Tools Against Smart Phones

Posted By Bruce Schneier

Turns out the password can be easily bypassed: XRY works by first jailbreaking the handset. According to Micro Systemation, no backdoors created by Apple are used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do. Once the iPhone has been jailbroken, the tool then goes on to brute-force the passcode, trying...

Tue, 03 Apr 2012 11:53:15 UTC

Computer Forensics: An Example

Posted By Bruce Schneier

Paul Ceglia's lawsuit against Facebook is fascinating, but that's not the point of this blog post. As part of the case, there are allegations that documents and e-mails have been electronically forged. I found this story about the forensics done on Ceglia's computer to be interesting....

Mon, 02 Apr 2012 12:56:45 UTC

Buying Exploits on the Grey Market

Posted By Bruce Schneier

This article talks about legitimate companies buying zero-day exploits, including the fact that "an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit." The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher...

Fri, 30 Mar 2012 21:28:52 UTC

Friday Squid Blogging: How Squid Hear

Posted By Bruce Schneier

Interesting research: The squid use two closely spaced organs called statocysts to sense sound. "I think of a statocyst as an inside-out tennis ball," explains Dr Mooney. "It's got hairs on the inside and this little dense calcium stone that sits on those hair cells. "What happens is that the sound wave actually moves the squid back and forth, and...

Thu, 29 Mar 2012 19:07:38 UTC

Summer Schools in Cryptography and Software Security at Penn State

Posted By Bruce Schneier

Normally I just delete these as spam, but this summer program for graduate students 1) looks interesting, and 2) has some scholarship money available....

Thu, 29 Mar 2012 11:53:30 UTC

Harms of Post-9/11 Airline Security

Posted By Bruce Schneier

As I posted previously, I have been debating former TSA Administrator Kip Hawley on the Economist website. I didn't bother reposting my opening statement and rebuttal, because -- even though I thought I did a really good job with them -- they were largely things I've said before. In my closing statement, I talked about specific harms post-9/11 airport security...

Wed, 28 Mar 2012 11:05:26 UTC

SHARCS Conference

Posted By Bruce Schneier

Last weekend was the 2012 SHARCS (Special-Purpose Hardware for Attacking Cryptographic Systems) conference. The presentations are online....

Tue, 27 Mar 2012 11:46:48 UTC

The Effects of Data Breach Litigation

Posted By Bruce Schneier

"Empirical Analysis of Data Breach Litigation," Sasha Romanosky, David Hoffman, and Alessandro Acquisti: Abstract: In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated,...

Mon, 26 Mar 2012 18:02:24 UTC

Congressional Testimony on the TSA

Posted By Bruce Schneier

I was supposed to testify today about the TSA in front of the House Committee on Oversight and Government Reform. I was informally invited a couple of weeks ago, and formally invited last Tuesday: The hearing will examine the successes and challenges associated with Advanced Imaging Technology (AIT), the Screening of Passengers by Observation Techniques (SPOT) program, the Transportation Worker...

Mon, 26 Mar 2012 11:38:16 UTC

Rare Spanish Enigma Machine

Posted By Bruce Schneier

This is a neat story: A pair of rare Enigma machines used in the Spanish Civil War have been given to the head of GCHQ, Britain's communications intelligence agency. The machines - only recently discovered in Spain - fill in a missing chapter in the history of British code-breaking, paving the way for crucial successes in World War II. Fun...

Fri, 23 Mar 2012 21:18:40 UTC

Friday Squid Blogging: Giant Squid Eyes

Posted By Bruce Schneier

It seems that the huge eyes of the giant squid are optimized to see sperm whales....

Fri, 23 Mar 2012 11:33:14 UTC

The Economist Debate on Airplane Security

Posted By Bruce Schneier

On The Economist website, I am currently debating Kip Hawley on airplane security. On Tuesday we posted our initial statements, and today (London time) we posted our rebuttals. We have one more round to go. I've set it up to talk about the myriad of harms airport security has caused: loss of trust in government, increased fear, creeping police state,...

Thu, 22 Mar 2012 12:17:05 UTC

Can the NSA Break AES?

Posted By Bruce Schneier

In an excellent article in Wired, James Bamford talks about the NSA's codebreaking capability. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the...

Wed, 21 Mar 2012 19:36:19 UTC

Another Liars and Outliers Excerpt

Posted By Bruce Schneier

IT World published an excerpt from Chapter 4....

Wed, 21 Mar 2012 11:26:26 UTC

Unprinter

Posted By Bruce Schneier

A way to securely erase paper: "The key idea was to find a laser energy level that is high enough to ablate - or vaporise - the toner that at the same time is lower than the destruction threshold of the paper substrate. It turns out the best wavelength is 532 nanometres - that's green visible light - with a...

Tue, 20 Mar 2012 13:52:05 UTC

Hacking Critical Infrastructure

Posted By Bruce Schneier

An otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph: At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead...

Mon, 19 Mar 2012 19:33:02 UTC

Avi Rubin on Computer Security

Posted By Bruce Schneier

Avi Rubin has a TEDx talk on hacking various computer devices: medical devices, automobiles, police radios, smart phones, etc....

Mon, 19 Mar 2012 11:38:58 UTC

Australian Security Theater

Posted By Bruce Schneier

I like the quote at the end of this excerpt: Aviation officials have questioned the need for such a strong permanent police presence at airports, suggesting they were there simply "to make the government look tough on terror". One senior executive said in his experience, the officers were expensive window-dressing. "When you add the body scanners, the ritual humiliation of...

Fri, 16 Mar 2012 21:57:45 UTC

Friday Squid Blogging: Squid-Shaped USB Drive

Posted By Bruce Schneier

It looks great. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Mar 2012 18:15:24 UTC

BitCoin Security Musings

Posted By Bruce Schneier

Jon Callas talks about BitCoin's security model, and how susceptible it would be to a Goldfinger-style attack (destroy everyone else's BitCoins)....

Fri, 16 Mar 2012 12:09:58 UTC

Non-Lethal Heat Ray

Posted By Bruce Schneier

The U.S. military has a non-lethal heat ray. No details on what "non-lethal" means in this context....

Thu, 15 Mar 2012 19:35:42 UTC

Assorted Schneier News Stories

Posted By Bruce Schneier

I have several stories in the news (and one podcast), mostly surrounding the talks I gave at the RSA Conference last month....

Thu, 15 Mar 2012 11:16:13 UTC

More "Liars and Outliers" Links

Posted By Bruce Schneier

First, five new reviews of the book. Second, four new AV interviews about the book. Third, I take the Page 99 Test....

Wed, 14 Mar 2012 11:22:09 UTC

On Cyberwar Hype

Posted By Bruce Schneier

Good article by Thomas Rid on the hype surrounding cyberwar. It's well worth reading. And in a more academic paper, published in the RUSI Journal, Thomas Rid and Peter McBurney argue that cyber-weapons aren't all that destructive and that we've been misled by some bad metaphors. Some fundamental questions on the use of force in cyberspace are still unanswered. Worse,...

Tue, 13 Mar 2012 19:01:46 UTC

A Negative Liars and Outliers Review

Posted By Bruce Schneier

This person didn't like it at all. It'll go up on the book's webpage, along with all the positive reviews....

Tue, 13 Mar 2012 11:22:26 UTC

The Security of Multi-Word Passphrases

Posted By Bruce Schneier

Interesting research on the security of passphrases. From a blog post on the work: We found about 8,000 phrases using a 20,000 phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise 1%...

Mon, 12 Mar 2012 21:30:34 UTC

Video Shows TSA Full-Body Scanner Failure

Posted By Bruce Schneier

The Internet is buzzing about this video, showing a blogger walking through two different types of full-body scanners with metal objects. Basically, by placing the object on your side, the black image is hidden against the scanner's black background. This isn't new, by the way. This vulnerability was discussed in a paper published last year by the Journal of Transportation...

Mon, 12 Mar 2012 11:35:12 UTC

Jamming Speech with Recorded Speech

Posted By Bruce Schneier

This is cool: The idea is simple. Psychologists have known for some years that it is almost impossible to speak when your words are replayed to you with a delay of a fraction of a second. Kurihara and Tsukada have simply built a handheld device consisting of a microphone and a speaker that does just that: it records a person's...

Fri, 09 Mar 2012 22:01:37 UTC

Friday Squid Blogging: Humboldt Squid Can Dive to 1.5 km

Posted By Bruce Schneier

Yet another impressive Humboldt squid feat: "We've seen them make really impressive dives up to a kilometre and a half deep, swimming straight through a zone where there's really low oxygen," the Hopkins Marine Station researcher said. "They're able to spend several hours at this kilometre-and-a-half-deep, and then they go back up and continue their normal daily swimming behaviour. It's...

Fri, 09 Mar 2012 19:40:25 UTC

Liars and Outliers: Book Excerpt

Posted By Bruce Schneier

Gizmodo published the beginning of Chapter 17: the last chapter....

Thu, 08 Mar 2012 12:50:26 UTC

Cloud Computing As a Man-in-the-Middle Attack

Posted By Bruce Schneier

This essay uses the interesting metaphor of the man-in-the-middle attacker to describe cloud providers like Facebook and Google. Basically, they get in the middle of our interactions with others and eavesdrop on the data going back and forth....

Wed, 07 Mar 2012 19:35:11 UTC

NSA's Secure Android Spec

Posted By Bruce Schneier

The NSA has released its specification for a secure Android. One of the interesting things it's requiring is that all data be tunneled through a secure VPN: Inter-relationship to Other Elements of the Secure VoIP System The phone must be a commercial device that supports the ability to pass data over a commercial cellular network. Standard voice phone calls, with...

Wed, 07 Mar 2012 12:14:28 UTC

How Changing Technology Affects Security

Posted By Bruce Schneier

Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection -- what attackers can get away with -- and attackers use new technologies to increase it. What's interesting is the difference between how the...

Tue, 06 Mar 2012 19:22:57 UTC

The Keywords the DHS Is Using to Analyze Your Social Media Posts

Posted By Bruce Schneier

According to this document, received by EPIC under the Freedom of Information Act, the U.S. Department of Homeland Security is combing through the gazillions of social media postings looking for terrorists. A partial list of keywords is included in the document (pages 20-23), and is reprinted in this blog post....

Tue, 06 Mar 2012 12:20:29 UTC

Comic: Movie Hacking vs. Real Hacking

Posted By Bruce Schneier

Funny....

Mon, 05 Mar 2012 19:30:02 UTC

Themes from the RSA Conference

Posted By Bruce Schneier

Last week was the big RSA Conference in San Francisco: something like 20,000 people. From what I saw, these were the major themes on the show floor: Companies that deal with "Advanced Persistent Threat." Companies that help you recover after you've been hacked. Companies that deal with "Bring Your Own Device" at work, also known as consumerization. Who else went...

Mon, 05 Mar 2012 12:45:51 UTC

British Anti-Theft Briefcase from the 1960s

Posted By Bruce Schneier

Fantastic....

Fri, 02 Mar 2012 22:41:45 UTC

Friday Squid Blogging: Squid Vision

Posted By Bruce Schneier

Some squid can see aspects of light that are invisible to humans, including polarized light. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Mar 2012 19:21:49 UTC

Liars and Outliers: The Big Idea

Posted By Bruce Schneier

My big idea is a big question. Every cooperative system contains parasites. How do we ensure that society's parasites don't destroy society's systems? It's all about trust, really. Not the intimate trust we have in our close friends and relatives, but the more impersonal trust we have in the various people and systems we interact with in society. I trust...

Fri, 02 Mar 2012 12:11:46 UTC

GPS Spoofers

Posted By Bruce Schneier

Great movie-plot threat: Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. "They are always visible because...

Thu, 01 Mar 2012 19:32:57 UTC

State Department Redacts Wikileaks Cables

Posted By Bruce Schneier

The ACLU filed a FOIA request for a bunch of cables that Wikileaks had already released complete versions of. This is what happened: The agency released redacted versions of 11 and withheld the other 12 in full. The five excerpts below show the government's selective and self-serving decisions to withhold information. Because the leaked versions of these cables have already...

Thu, 01 Mar 2012 12:39:45 UTC

Detect Which Social Networking Sites Website Visitors Are Logged Into

Posted By Bruce Schneier

Clever hack....

Wed, 29 Feb 2012 13:11:17 UTC

FBI Special Agent and Counterterrorism Expert Criticizes the TSA

Posted By Bruce Schneier

Good essay. Nothing I haven't said before, but it's good to hear it from someone with a widely different set of credentials than I have....

Tue, 28 Feb 2012 12:43:08 UTC

"Cyberwar Is the New Yellowcake"

Posted By Bruce Schneier

Good essay on the dangers of cyberwar rhetoric -- and the cyberwar arms race....

Mon, 27 Feb 2012 18:30:37 UTC

Liars and Outliers: Interview on The Browser

Posted By Bruce Schneier

I was asked to talk about five books related to privacy. You're best known as a security expert but our theme today is "trust". How would you describe the connection between the two? Security exists to facilitate trust. Trust is the goal, and security is how we enable it. Think of it this way: As members of modern society, we...

Mon, 27 Feb 2012 11:49:52 UTC

U.S. Federal Court Rules that it is Unconstitutional for the Police to Force Someone to Decrypt their Laptop

Posted By Bruce Schneier

A U.S. Federal Court ruled that it is unconstitutional for the police to force someone to decrypt their laptop computer: Thursday's decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of...

Fri, 24 Feb 2012 22:08:07 UTC

Friday Squid Blogging: Squid Can Fly to Save Energy

Posted By Bruce Schneier

There's a new study that shows that squid are faster in the air than in the water. Squid of many species have been seen to 'fly' using the same jet-propulsion mechanisms that they use to swim: squirting water out of their mantles so that they rocket out of the sea and glide through the air. Until now, most researchers have...

Fri, 24 Feb 2012 21:18:30 UTC

Liars and Outliers News

Posted By Bruce Schneier

The book is selling well. (Signed copies are still available on the website.) All the online stores have it, and most bookstores as well. It is available in Europe and elsewhere outside the U.S. And for those who wanted a DRM-free electronic copy, it's available on the O'Reilly.com bookstore for $11.99. I have collected four new reviews. And a bunch...

Fri, 24 Feb 2012 20:56:52 UTC

Press Mentions

Posted By Bruce Schneier

One article on me, and a podcast about my RSA talk next week....

Fri, 24 Feb 2012 19:37:50 UTC

Mention of Cryptography in a Rap Song

Posted By Bruce Schneier

The new movie Safe House features the song "No Church in the Wild," by Kanye West, which includes this verse: I live by you, desire I stand by you, walk through the fire Your love is my scripture Let me into your encryption...

Fri, 24 Feb 2012 13:06:19 UTC

Computer Security when Traveling to China

Posted By Bruce Schneier

Interesting: When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables...

Thu, 23 Feb 2012 18:29:46 UTC

Another Piece of the Stuxnet Puzzle

Posted By Bruce Schneier

We can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran. Watch this new video presentation from Ralph Langner, the researcher who has done the most work on Stuxnet. It's a long clip, but the good stuff is between 21:00 and 29:00. The pictures he's referring to are still up. My previous writings...

Thu, 23 Feb 2012 12:27:50 UTC

Mobile Malware Is Increasing

Posted By Bruce Schneier

According to a report by Juniper, mobile malware is increasing dramatically. In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. Most noteworthy was the dramatic growth in Android Malware from roughly 400 samples in June to over 13,000 samples by the end of 2011. This amounts to a cumulative increase of...

Wed, 22 Feb 2012 12:53:59 UTC

John Nash's 1955 Letter to the NSA

Posted By Bruce Schneier

Fascinating....

Tue, 21 Feb 2012 13:36:38 UTC

"1234" and Birthdays Are the Most Common PINs

Posted By Bruce Schneier

Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson: Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression...

Mon, 20 Feb 2012 12:30:58 UTC

Covert Communications Channel in Tarsiers

Posted By Bruce Schneier

Marissa A. Ramsier, Andrew J. Cunningham, Gillian L. Moritz, James J. Finneran, Cathy V. Williams, Perry S. Ong, Sharon L. Gursky-Doyen, and Nathaniel J. Dominy (2012), "Primate communication in the pure ultrasound," Biology Letters. Abstract: Few mammals -- cetaceans, domestic cats and select bats and rodents -- can send and receive vocal signals contained within the ultrasonic domain, or pure...

Fri, 17 Feb 2012 22:37:21 UTC

Friday Squid Blogging: Squid Desk Lamp

Posted By Bruce Schneier

Beautiful sculpture. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Feb 2012 19:45:41 UTC

What Is a Suspicious-Looking Package, Anyway?

Posted By Bruce Schneier

Funny comic....

Fri, 17 Feb 2012 12:25:49 UTC

Self-Domestication in Bonobos and Other Animals

Posted By Bruce Schneier

Self-domestication happens when the benefits of cooperation outweigh the costs: But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the...

Thu, 16 Feb 2012 18:22:26 UTC

Cryptanalysis of Satellite Phone Encryption Algorithms

Posted By Bruce Schneier

From the abstract of the paper: In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the...

Thu, 16 Feb 2012 12:51:51 UTC

Lousy Random Numbers Cause Insecure Public Keys

Posted By Bruce Schneier

There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well. The cause of this is almost...

Wed, 15 Feb 2012 19:11:06 UTC

Dumb Risk of the Day

Posted By Bruce Schneier

Geotagged images of children: Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA. The location information...

Wed, 15 Feb 2012 13:09:22 UTC

The Sudafed Security Trade-Off

Posted By Bruce Schneier

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine: Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this...

Tue, 14 Feb 2012 18:36:11 UTC

SSL Traffic Analysis on Google Maps

Posted By Bruce Schneier

Interesting....

Tue, 14 Feb 2012 13:12:53 UTC

Trust Requires Transparency

Posted By Bruce Schneier

Adam Shostack explains to Verisign that trust requires transparency. This is a lesson Path should have learned....

Mon, 13 Feb 2012 20:53:30 UTC

Liars and Outliers Update

Posted By Bruce Schneier

Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped...

Mon, 13 Feb 2012 11:20:24 UTC

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Posted By Bruce Schneier

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key. What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might...

Fri, 10 Feb 2012 22:04:47 UTC

Friday Squid Blogging: Squid's Beard

Posted By Bruce Schneier

It's an acoustic bluegrass band. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Feb 2012 20:08:22 UTC

Captchas

Posted By Bruce Schneier

Funny....

Fri, 10 Feb 2012 12:21:14 UTC

Securing iPads for Exams

Posted By Bruce Schneier

Interesting blog post about locking down an iPad so students can take exams on them....

Thu, 09 Feb 2012 12:10:35 UTC

Security Implications of "Lower-Risk Aircraft"

Posted By Bruce Schneier

Interesting paper: Paul J. Freitas (2012), "Passenger aviation security, risk management, and simple physics," Journal of Transportation Security. Abstract: Since the September 11, 2001 suicide hijacking attacks on the United States, preventing similar attacks from recurring has been perhaps the most important goal of aviation security. In addition to other measures, the US government has increased passenger screening requirements to...

Wed, 08 Feb 2012 12:46:04 UTC

Solving the Underlying Economic Problem of Internet Piracy

Posted By Bruce Schneier

This essay is definitely thinking along the correct directions....

Tue, 07 Feb 2012 11:53:41 UTC

Error Rates of Hand-Counted Voting Systems

Posted By Bruce Schneier

The error rate for hand-counted ballots is about two percent. All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem,...

Mon, 06 Feb 2012 19:23:27 UTC

The Failure of Two-Factor Authentication

Posted By Bruce Schneier

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked...

Fri, 03 Feb 2012 22:18:41 UTC

Friday Squid Blogging: Clothing that Keeps an Exercise Journal

Posted By Bruce Schneier

It's called Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Feb 2012 20:49:54 UTC

The Problems of Too Much Information Sharing

Posted By Bruce Schneier

Funny. Fake, but funny....

Fri, 03 Feb 2012 16:49:08 UTC

VeriSign Hacked, Successfully and Repeatedly, in 2010

Posted By Bruce Schneier

Reuters discovered the information: The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The company, unsurprisingly,...

Thu, 02 Feb 2012 15:04:12 UTC

Prisons in the U.S.

Posted By Bruce Schneier

Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value: Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second...

Wed, 01 Feb 2012 12:05:59 UTC

The Idaho Loophole

Posted By Bruce Schneier

Brian C. Kalt (2012), "The Idaho Loophole," Georgetown Law Journal, Vol. 93, No. 2. Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal...

Tue, 31 Jan 2012 23:03:31 UTC

Possibly the Most Incompetent TSA Story Yet

Posted By Bruce Schneier

The storyline: TSA screener finds two pipes in passenger's bags. Screener determines that they're not a threat. Screener confiscates them anyway, because of their "material and appearance." Because they're not actually a threat, screener leaves them at the checkpoint. Everyone forgets about them. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able...

Tue, 31 Jan 2012 17:13:27 UTC

Biases in Forensic Science

Posted By Bruce Schneier

Some errors in forensic science may be the result of the biases of the medical examiners: Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even...

Mon, 30 Jan 2012 19:59:42 UTC

Liars and Outliers Update

Posted By Bruce Schneier

According to my publisher, the book was printed last week and the warehouse is shipping orders to booksellers today. Amazon is likely to start shipping books on Thursday. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they'll ship copies as soon as they get them -- this ain't Harry Potter.) The Kindle edition...

Mon, 30 Jan 2012 16:52:01 UTC

British Tourists Arrested in the U.S. for Tweeting

Posted By Bruce Schneier

Does this story make sense to anyone? The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'. After making their way through passport control at Los Angeles International Airport (LAX)...

Mon, 30 Jan 2012 12:02:49 UTC

The Nature of Cyberwar

Posted By Bruce Schneier

This was pretty good, I thought: However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider: The Internet is an artificial environment that can be shaped in part according to national security requirements. The blinding proliferation of technology and hacker tools makes it impossible...

Fri, 27 Jan 2012 12:39:16 UTC

Password Sharing Among American Teenagers

Posted By Bruce Schneier

Interesting article from the New York Times on password sharing as a show of affection. "It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to...

Thu, 26 Jan 2012 16:36:32 UTC

Evidence on the Effectiveness of Terrorism

Posted By Bruce Schneier

Readers of this blog will know that I like the works of Max Abrahms, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583-94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11, Defence and Peace Economics": The basic narrative of bargaining theory predicts that, all else...

Wed, 25 Jan 2012 19:56:57 UTC

Federal Judge Orders Defendant to Decrypt Laptop

Posted By Bruce Schneier

A U.S. federal judge has ordered a defendant to decrypt her laptop....

Wed, 25 Jan 2012 18:54:19 UTC

Supreme Court Rules that GPS Tracking Requires a Warrant

Posted By Bruce Schneier

The U.S. Supreme Court has ruled that the police cannot attach a GPS tracking device to a car without a warrant....

Wed, 25 Jan 2012 12:44:26 UTC

Research into an Information Security Risk Rating

Posted By Bruce Schneier

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals: Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered everyday and the industry needs a solution that enables a business to continuously monitor changing risk posture of all...

Tue, 24 Jan 2012 12:46:08 UTC

Using Plant DNA for Authentication

Posted By Bruce Schneier

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the...

Mon, 23 Jan 2012 17:49:29 UTC

Authentication by "Cognitive Footprint"

Posted By Bruce Schneier

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when...

Fri, 20 Jan 2012 12:39:45 UTC

The Continued Militarization of the U.S. Police

Posted By Bruce Schneier

The state of Texas gets an armed PT boat. I guess armed drones weren't enough for them....

Thu, 19 Jan 2012 19:02:09 UTC

The Onion on Facebook

Posted By Bruce Schneier

Funny news video on Facebook and the CIA....

Thu, 19 Jan 2012 12:36:38 UTC

Using False Alarms to Disable Security

Posted By Bruce Schneier

I wrote about this technique in Beyond Fear: Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police. The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door....

Tue, 17 Jan 2012 22:10:01 UTC

Going Dark to Protest SOPA/PIPA

Posted By Bruce Schneier

Tomorrow, from 8 am to 8 pm EDT, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others. A list of participants, and HTML and JavaScript code for anyone who wants to participate, can be found here....

Tue, 17 Jan 2012 18:29:58 UTC

Tor Opsec

Posted By Bruce Schneier

Good operational security guide to Tor....

Tue, 17 Jan 2012 13:31:14 UTC

The Importance of Good Backups

Posted By Bruce Schneier

Thankfully, this doesn't happen very often: A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings....

Mon, 16 Jan 2012 15:58:56 UTC

PCI Lawsuit

Posted By Bruce Schneier

This is a first: ...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to...

Fri, 13 Jan 2012 22:19:13 UTC

Friday Squid Blogging: Argentina Attempts a Squid Blockage against the Falkland Islands

Posted By Bruce Schneier

Yet another story that combines squid and security. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Jan 2012 18:58:24 UTC

Recovering a Hacked Gmail Account

Posted By Bruce Schneier

Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services....

Fri, 13 Jan 2012 12:58:01 UTC

"Going Dark" vs. a "Golden Age of Surveillance"

Posted By Bruce Schneier

It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need...
